internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-07 13:53:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:3.0.5
Branches Tags
internet:main internet:gh-pages internet:stable-2 internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0
...
compare: internet:2.26.7
Branches Tags
internet:gh-pages internet:main internet:stable-2 internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0

55 Commits
3.0.5 ... 2.26.7

Author SHA1 Message Date
Felix Fontein
cea0f7639c Release 2.26.7. 2026-02-12 06:51:29 +01:00
Felix Fontein
edfb82772c Fix EC detection. (#981) (#982) 
(cherry picked from commit 911ed33c2e)
 2026-02-11 22:11:21 +01:00
Felix Fontein
3091b2f997 Prepare 2.26.7. 2026-02-11 21:51:51 +01:00
Felix Fontein
3bfebd8805 CI: Install c.g from git. 
(cherry picked from commit e91f8ec520)
 2026-01-25 13:22:12 +01:00
patchback[bot]
9750cd1187 [PR #978/9b497ddd backport][stable-2] CI: Arch Linux switched to Python 3.14 / remove Arch from CI matrix (#979) 
* Arch Linux switched to Python 3.14. (#978)

(cherry picked from commit 9b497dddbc)

* Remove Arch Linux from CI matrix.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2026-01-11 12:44:37 +01:00
Felix Fontein
578a79d968 Replace RHEL 10.0 with 10.1. (#977) 2026-01-08 08:51:13 +01:00
Felix Fontein
4331ebfa2e Update RHEL 9.x to 9.7 in CI. (#975) 
(cherry picked from commit 8049b0f013)
 2026-01-06 17:02:56 +01:00
patchback[bot]
b596625374 Bump actions/checkout from 5 to 6 in the ci group (#970) (#971) 
Bumps the ci group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 5 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
...



(cherry picked from commit 663d1a1321)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-24 06:37:20 +01:00
Felix Fontein
2c72af252b Move ansible-core 2.17 to EOL CI. (#969) 2025-11-12 19:59:26 +01:00
Felix Fontein
dd82c009d6 The next release will be 2.26.7. 2025-10-29 22:11:55 +01:00
Felix Fontein
45d5db3d98 Release 2.26.6. 2025-10-29 21:27:53 +01:00
patchback[bot]
79c49f5b75 Stop mentioning Buypass. (#964) (#965) 
https://community.buypass.com/t/y4y130p
(cherry picked from commit 1b86848a6f)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-10-29 21:23:43 +01:00
Felix Fontein
da5f524ee6 Prepare 2.26.6. 2025-10-29 20:59:34 +01:00
Felix Fontein
cb137cfb1c Move ansible-core 2.16 to EOL CI. (#962) 2025-10-27 19:16:18 +01:00
Felix Fontein
be91644e04 Fix/improve docs. 
(cherry picked from commit 6f0c58f483)
 2025-10-25 14:32:49 +02:00
Felix Fontein
b515b76278 Sort imports. 2025-10-11 15:56:14 +02:00
Felix Fontein
68907ac994 Stick to older community.general branch. 2025-10-11 15:39:18 +02:00
Felix Fontein
63cdc07ee1 Add repo configuration to antsibull-nox.toml. 
(cherry picked from commit c5135496c8)
 2025-09-26 06:57:24 +02:00
patchback[bot]
dbbc936b11 Bump actions/checkout from 4 to 5 in the ci group (#954) (#955) 
Bumps the ci group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: ci
...



(cherry picked from commit 62b4535465)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-08-18 06:41:08 +02:00
Felix Fontein
b1c5665590 The next release will be 2.26.6. 2025-08-04 19:43:35 +02:00
Felix Fontein
0148434e36 Release 2.26.5. 2025-08-04 19:17:29 +02:00
patchback[bot]
f9f3c3d4ee Increase number of retries from 10 to 20. (#949) (#950) 
(cherry picked from commit ba5c551a29)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-08-03 11:55:04 +02:00
Felix Fontein
5b1382c799 Prepare 2.26.5. 2025-08-02 21:02:06 +02:00
patchback[bot]
2d70e14250 Also retry on HTTP statuses 502 and 504. (#947) (#948) 
(cherry picked from commit 75413d0b08)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-08-02 19:04:22 +02:00
Felix Fontein
1fed428d76 Update Azure Pipelines test container. 2025-07-30 06:22:07 +02:00
Felix Fontein
02e7c2ed77 Normalize changelog configs. 
(cherry picked from commit bc16487882)
 2025-07-27 16:35:49 +02:00
Felix Fontein
b4cb931621 The next release will be 2.26.5. 2025-07-26 15:20:46 +02:00
Felix Fontein
ded8568802 Release 2.26.4. 2025-07-26 14:37:51 +02:00
Felix Fontein
e145fe71a9 Move EE tests to nox. (#941) (#942) 
(cherry picked from commit 0636123f56)
 2025-07-25 20:44:16 +02:00
Felix Fontein
b6887ab1f4 Improve error message when lodaing corrupt private key or private key with wrong passphrase. (#939) (#940) 
(cherry picked from commit f219cac94c)
 2025-07-25 15:08:45 +00:00
Felix Fontein
71e9d2273a Prepare 2.26.4. 2025-07-25 14:41:18 +02:00
patchback[bot]
0f2f5a5fe9 Replace FreeBSD 13.3 with 13.5. (#937) (#938) 
(cherry picked from commit b4303b3a32)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-24 21:58:15 +02:00
patchback[bot]
d0099b4f3e Ensure consistent SSH key format with idempotent Ed25519 key regeneration (#932) (#933) 
* Ensure consistent SSH key format with idempotent Ed25519 key regeneration

* Update plugins/modules/openssh_keypair.py



* removed extra whitespace

---------


(cherry picked from commit b2ab04861e)

Co-authored-by: Aditya Putta <puttaa@yahoo.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-11 12:35:16 +02:00
patchback[bot]
b1dfcf89a4 Docs: mention RFC 9773 instead of the ARI draft (#929) (#930) 
* Mention RFC 9773 instead of the ARI draft.

* Remove mentions of the draft.

(cherry picked from commit fcb50ed142)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-07-06 17:24:28 +02:00
Felix Fontein
e200d363f2 Change devel to 2.19. (#926) 2025-07-01 21:34:01 +02:00
patchback[bot]
513c2fd5a0 [PR #921/bd070e85 backport][stable-2] Docs: use :ansplugin: (#922) 
* Use :ansplugin:. (#921)

(cherry picked from commit bd070e85a3)

* Add ignore.txt entries.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-06-25 22:52:26 +02:00
Felix Fontein
63d347e9f2 Add YAML lint config for extra docs. 
(cherry picked from commits d4fa1d094a
and 087aa70fe9)
 2025-06-17 17:47:47 +02:00
Felix Fontein
5eccff6190 Next release will be 2.26.4. 2025-06-14 17:05:06 +02:00
Felix Fontein
5ca4ecb54b Release 2.26.3. 2025-06-14 16:44:49 +02:00
Felix Fontein
ea970a044f Stick to community.general 10.x.y for CI. 2025-06-13 06:11:49 +02:00
Felix Fontein
3e3318f059 acme_account: check for 'externalAccountRequired' error (#919) (#920) 
* Check for 'externalAccountRequired' error.

* Add changelog fragment.

(cherry picked from commit 056ae1cf69)
 2025-06-13 06:10:41 +02:00
Felix Fontein
ae6fb88896 Prepare 2.26.3. 2025-06-12 22:45:19 +02:00
patchback[bot]
66d7989222 Add HARICA to the list of tested CAs (#915) (#916) 
* Add HARICA to the list of tested CAs



* Add ZeroSSL to list.

---------



(cherry picked from commit ec063d8515)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-06-08 21:08:04 +02:00
Felix Fontein
99d6a17653 Fix some ansible-lint issues (#907) (#908) 
* Fix fqcn[action-core].

* Fix fqcn[action].

* Fix jinja[spacing].

(cherry picked from commit 8792635bef)
 2025-05-30 22:43:43 +02:00
patchback[bot]
edeed24e8f Document supported curves for Elliptic Curve keys on ACME Accounts (#904) (#906) 
(cherry picked from commit 7241d5543a)

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
Co-authored-by: Daniel Ziegenberg <daniel@ziegenberg.at>
 2025-05-30 13:08:08 +02:00
Felix Fontein
2f3809c84b Next release will be 2.26.3. 2025-05-22 22:02:19 +02:00
Felix Fontein
4f92a02bc4 Release 2.26.2. 2025-05-22 21:19:40 +02:00
Felix Fontein
f7b01bae60 Prepare 2.26.2. 2025-05-22 19:58:28 +02:00
Felix Fontein
43d7868646 [stable-2] Remove entrust announcement (#901) 
* Announce removal of Entrust content from community.crypto 3.0.0.

* Add more information on Entrust removal.
 2025-05-22 19:57:08 +02:00
patchback[bot]
3fbf173674 Add RHEL 10.0 to CI. (#899) (#902) 
(cherry picked from commit 41b71bb60c)

Co-authored-by: Felix Fontein <felix@fontein.de>
 2025-05-22 06:43:36 +02:00
Felix Fontein
d350b94ae6 Lint doc fragments. 
(cherry picked from commit ef230011fd)
 2025-05-01 16:48:13 +02:00
Felix Fontein
a75cc7345a Fix typo. 
(cherry picked from commit 718021b714)
 2025-04-29 08:13:56 +02:00
Felix Fontein
f7795f65b0 Remove 'upcoming' information on 2.0.0. 2025-04-28 12:06:34 +02:00
Felix Fontein
b5d3277798 The next release will be 2.26.2. 
There will be (very likely) no more minor releases from this branch.
 2025-04-28 11:59:23 +02:00
Felix Fontein
f1a170d427 This is now the stable-2 branch. 2025-04-28 11:58:55 +02:00
191 changed files with 3234 additions and 2950 deletions
Expand all files Collapse all files

193
.azure-pipelines/azure-pipelines.yml
View File

@@ -44,23 +44,23 @@ variables:
resources: resources:
containers: containers:
- container: default - container: default
image: quay.io/ansible/azure-pipelines-test-container:6.0.0 image: quay.io/ansible/azure-pipelines-test-container:7.0.0
pool: Standard pool: Standard
stages: stages:
### Sanity & units ### Sanity & units
- stage: Ansible_devel - stage: Ansible_2_19
displayName: Sanity & Units devel displayName: Sanity & Units 2.19
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
targets: targets:
- name: Sanity - name: Sanity
test: 'devel/sanity/1' test: '2.19/sanity/1'
- name: Units - name: Units
test: 'devel/units/1' test: '2.19/units/1'
- stage: Ansible_2_18 - stage: Ansible_2_18
displayName: Sanity & Units 2.18 displayName: Sanity & Units 2.18
dependsOn: [] dependsOn: []
@@ -72,36 +72,14 @@ stages:
test: '2.18/sanity/1' test: '2.18/sanity/1'
- name: Units - name: Units
test: '2.18/units/1' test: '2.18/units/1'
- stage: Ansible_2_17
displayName: Sanity & Units 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.17/sanity/1'
- name: Units
test: '2.17/units/1'
- stage: Ansible_2_16
displayName: Sanity & Units 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.16/sanity/1'
- name: Units
test: '2.16/units/1'
### Docker ### Docker
- stage: Docker_devel - stage: Docker_2_19
displayName: Docker devel displayName: Docker 2.19
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
testFormat: devel/linux/{0} testFormat: 2.19/linux/{0}
targets: targets:
- name: Fedora 41 - name: Fedora 41
test: fedora41 test: fedora41
@@ -129,68 +107,32 @@ stages:
groups: groups:
- 1 - 1
- 2 - 2
- stage: Docker_2_17
displayName: Docker 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.17/linux/{0}
targets:
- name: Fedora 39
test: fedora39
- name: Ubuntu 22.04
test: ubuntu2204
- name: Alpine 3.19
test: alpine319
groups:
- 1
- 2
- stage: Docker_2_16
displayName: Docker 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.16/linux/{0}
targets:
- name: Fedora 38
test: fedora38
- name: openSUSE 15
test: opensuse15
- name: Alpine 3
test: alpine3
groups:
- 1
- 2
### Community Docker ### Community Docker
- stage: Docker_community_devel - stage: Docker_community_2_19
displayName: Docker (community images) devel displayName: Docker (community images) 2.19
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
testFormat: devel/linux-community/{0} testFormat: 2.19/linux-community/{0}
targets: targets:
- name: Debian Bullseye - name: Debian Bullseye
test: debian-bullseye/3.9 test: debian-bullseye/3.9
- name: Debian Bookworm - name: Debian Bookworm
test: debian-bookworm/3.11 test: debian-bookworm/3.11
- name: ArchLinux
test: archlinux/3.13
groups: groups:
- 1 - 1
- 2 - 2
### Remote ### Remote
- stage: Remote_devel_extra_vms - stage: Remote_2_19_extra_vms
displayName: Remote devel extra VMs displayName: Remote 2.19 extra VMs
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
testFormat: devel/{0} testFormat: 2.19/{0}
targets: targets:
- name: Alpine 3.21 - name: Alpine 3.21
test: alpine/3.21 test: alpine/3.21
@@ -202,18 +144,18 @@ stages:
test: ubuntu/24.04 test: ubuntu/24.04
groups: groups:
- vm - vm
- stage: Remote_devel - stage: Remote_2_19
displayName: Remote devel displayName: Remote 2.19
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
testFormat: devel/{0} testFormat: 2.19/{0}
targets: targets:
- name: macOS 15.3 - name: RHEL 10.1
test: macos/15.3 test: rhel/10.1
- name: RHEL 9.5 - name: RHEL 9.7
test: rhel/9.5 test: rhel/9.7
- name: FreeBSD 14.2 - name: FreeBSD 14.2
test: freebsd/14.2 test: freebsd/14.2
- name: FreeBSD 13.5 - name: FreeBSD 13.5
@@ -231,58 +173,20 @@ stages:
targets: targets:
- name: macOS 14.3 - name: macOS 14.3
test: macos/14.3 test: macos/14.3
- name: RHEL 9.4
test: rhel/9.4
- name: FreeBSD 14.1 - name: FreeBSD 14.1
test: freebsd/14.1 test: freebsd/14.1
groups: groups:
- 1 - 1
- 2 - 2
- stage: Remote_2_17
displayName: Remote 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.17/{0}
targets:
- name: RHEL 9.3
test: rhel/9.3
- name: FreeBSD 13.3
test: freebsd/13.3
groups:
- 1
- 2
- stage: Remote_2_16
displayName: Remote 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.16/{0}
targets:
- name: macOS 13.2
test: macos/13.2
- name: RHEL 9.2
test: rhel/9.2
- name: RHEL 8.8
test: rhel/8.8
- name: RHEL 7.9
test: rhel/7.9
# - name: FreeBSD 13.2
# test: freebsd/13.2
groups:
- 1
- 2
### Generic ### Generic
- stage: Generic_devel - stage: Generic_2_19
displayName: Generic devel displayName: Generic 2.19
dependsOn: [] dependsOn: []
jobs: jobs:
- template: templates/matrix.yml - template: templates/matrix.yml
parameters: parameters:
nameFormat: Python {0} nameFormat: Python {0}
testFormat: devel/generic/{0} testFormat: 2.19/generic/{0}
targets: targets:
- test: "3.8" - test: "3.8"
# - test: "3.9" # - test: "3.9"
@@ -306,58 +210,21 @@ stages:
groups: groups:
- 1 - 1
- 2 - 2
- stage: Generic_2_17
displayName: Generic 2.17
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.17/generic/{0}
targets:
- test: "3.7"
- test: "3.12"
groups:
- 1
- 2
- stage: Generic_2_16
displayName: Generic 2.16
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.16/generic/{0}
targets:
- test: "2.7"
- test: "3.6"
- test: "3.11"
groups:
- 1
- 2
## Finally ## Finally
- stage: Summary - stage: Summary
condition: succeededOrFailed() condition: succeededOrFailed()
dependsOn: dependsOn:
- Ansible_devel - Ansible_2_19
- Ansible_2_18 - Ansible_2_18
- Ansible_2_17 - Remote_2_19_extra_vms
- Ansible_2_16 - Remote_2_19
- Remote_devel_extra_vms
- Remote_devel
- Remote_2_18 - Remote_2_18
- Remote_2_17 - Docker_2_19
- Remote_2_16
- Docker_devel
- Docker_2_18 - Docker_2_18
- Docker_2_17 - Docker_community_2_19
- Docker_2_16 - Generic_2_19
- Docker_community_devel
- Generic_devel
- Generic_2_18 - Generic_2_18
- Generic_2_17
- Generic_2_16
jobs: jobs:
- template: templates/coverage.yml - template: templates/coverage.yml

96
.github/workflows/ansible-test.yml vendored
View File

@@ -36,6 +36,8 @@ jobs:
- '2.13' - '2.13'
- '2.14' - '2.14'
- '2.15' - '2.15'
- '2.16'
- '2.17'
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Perform sanity testing - name: Perform sanity testing
@@ -65,6 +67,8 @@ jobs:
- '2.13' - '2.13'
- '2.14' - '2.14'
- '2.15' - '2.15'
- '2.16'
- '2.17'
steps: steps:
- name: >- - name: >-
@@ -265,6 +269,96 @@ jobs:
docker: default docker: default
python: '3.10' python: '3.10'
target: azp/generic/2/ target: azp/generic/2/
# 2.16
- ansible: '2.16'
docker: fedora38
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: fedora38
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: opensuse15
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: opensuse15
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: alpine3
python: ''
target: azp/posix/1/
- ansible: '2.16'
docker: alpine3
python: ''
target: azp/posix/2/
- ansible: '2.16'
docker: default
python: '2.7'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '2.7'
target: azp/generic/2/
- ansible: '2.16'
docker: default
python: '3.6'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '3.6'
target: azp/generic/2/
- ansible: '2.16'
docker: default
python: '3.11'
target: azp/generic/1/
- ansible: '2.16'
docker: default
python: '3.11'
target: azp/generic/2/
# 2.17
- ansible: '2.17'
docker: fedora39
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: fedora39
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: ubuntu2204
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: ubuntu2204
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: alpine319
python: ''
target: azp/posix/1/
- ansible: '2.17'
docker: alpine319
python: ''
target: azp/posix/2/
- ansible: '2.17'
docker: default
python: '3.7'
target: azp/generic/1/
- ansible: '2.17'
docker: default
python: '3.7'
target: azp/generic/2/
- ansible: '2.17'
docker: default
python: '3.12'
target: azp/generic/1/
- ansible: '2.17'
docker: default
python: '3.12'
target: azp/generic/2/
steps: steps:
- name: >- - name: >-
@@ -284,7 +378,7 @@ jobs:
pre-test-cmd: >- pre-test-cmd: >-
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git ../../community/internal_test_tools git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git ../../community/internal_test_tools
; ;
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.general.git ../../community/general git clone --depth=1 --single-branch --branch stable-10 https://github.com/ansible-collections/community.general.git ../../community/general
pull-request-change-detection: 'true' pull-request-change-detection: 'true'
target: ${{ matrix.target }} target: ${{ matrix.target }}
target-python-version: ${{ matrix.python }} target-python-version: ${{ matrix.python }}

180
.github/workflows/ee.yml vendored
View File

@@ -1,180 +0,0 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: execution environment
'on':
# Run CI against all pushes (direct commits, also merged PRs), Pull Requests
push:
branches:
- main
- stable-*
pull_request:
# Run CI once per day (at 09:00 UTC)
# This ensures that even if there haven't been commits that we are still testing against latest version of ansible-builder
schedule:
- cron: '0 9 * * *'
env:
NAMESPACE: community
COLLECTION_NAME: crypto
jobs:
build:
name: Build and test EE (${{ matrix.name }})
strategy:
fail-fast: false
matrix:
name:
- ''
ansible_core:
- ''
ansible_runner:
- ''
base_image:
- ''
pre_base:
- ''
extra_vars:
- ''
other_deps:
- ''
exclude:
- ansible_core: ''
include:
- name: ansible-core devel @ RHEL UBI 9
ansible_core: https://github.com/ansible/ansible/archive/devel.tar.gz
ansible_runner: ansible-runner
other_deps: |2
python_interpreter:
package_system: python3.11 python3.11-pip python3.11-wheel python3.11-cryptography
python_path: "/usr/bin/python3.11"
base_image: docker.io/redhat/ubi9:latest
pre_base: '"#"'
# For some reason ansible-builder will not install EPEL dependencies on RHEL
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.15 @ Rocky Linux 9
ansible_core: https://github.com/ansible/ansible/archive/stable-2.15.tar.gz
ansible_runner: ansible-runner
base_image: quay.io/rockylinux/rockylinux:9
pre_base: RUN dnf install -y epel-release
# For some reason ansible-builder will not install EPEL dependencies on Rocky Linux
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.14 @ CentOS Stream 9
ansible_core: https://github.com/ansible/ansible/archive/stable-2.14.tar.gz
ansible_runner: ansible-runner
base_image: quay.io/centos/centos:stream9
pre_base: RUN dnf install -y epel-release epel-next-release
# For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL
extra_vars: -e has_no_pyopenssl=true
- name: ansible-core 2.13 @ RHEL UBI 8
ansible_core: https://github.com/ansible/ansible/archive/stable-2.13.tar.gz
ansible_runner: ansible-runner
other_deps: |2
python_interpreter:
package_system: python39 python39-pip python39-wheel python39-cryptography
base_image: docker.io/redhat/ubi8:latest
pre_base: '"#"'
# We don't have PyOpenSSL for Python 3.9
extra_vars: -e has_no_pyopenssl=true
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
with:
path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install ansible-builder and ansible-navigator
run: pip install ansible-builder ansible-navigator
- name: Verify requirements
run: ansible-builder introspect --sanitize .
- name: Make sure galaxy.yml has version entry
run: >-
python -c
'import yaml ;
f = open("galaxy.yml", "rb") ;
data = yaml.safe_load(f) ;
f.close() ;
data["version"] = data.get("version") or "0.0.1" ;
f = open("galaxy.yml", "wb") ;
f.write(yaml.dump(data).encode("utf-8")) ;
f.close() ;
'
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Build collection
run: |
ansible-galaxy collection build --output-path ../../../
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Create files for building execution environment
run: |
COLLECTION_FILENAME="$(ls "${NAMESPACE}-${COLLECTION_NAME}"-*.tar.gz)"
# EE config
cat > execution-environment.yml <<EOF
---
version: 3
dependencies:
ansible_core:
package_pip: ${{ matrix.ansible_core }}
ansible_runner:
package_pip: ${{ matrix.ansible_runner }}
galaxy: requirements.yml
${{ matrix.other_deps }}
images:
base_image:
name: ${{ matrix.base_image }}
additional_build_files:
- src: ${COLLECTION_FILENAME}
dest: src
additional_build_steps:
prepend_base:
- ${{ matrix.pre_base }}
EOF
echo "::group::execution-environment.yml"
cat execution-environment.yml
echo "::endgroup::"
# Requirements
cat > requirements.yml <<EOF
---
collections:
- name: src/${COLLECTION_FILENAME}
type: file
EOF
echo "::group::requirements.yml"
cat requirements.yml
echo "::endgroup::"
- name: Build image based on ${{ matrix.base_image }}
run: |
ansible-builder build --verbosity 3 --tag test-ee:latest --container-runtime podman
- name: Show images
run: podman image ls
- name: Run basic tests
run: >
ansible-navigator run
--mode stdout
--container-engine podman
--pull-policy never
--set-environment-variable ANSIBLE_PRIVATE_ROLE_VARS=true
--execution-environment-image test-ee:latest
-v
all.yml
${{ matrix.extra_vars }}
working-directory: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}/tests/ee

5
.github/workflows/nox.yml vendored
View File

@@ -21,8 +21,11 @@ jobs:
name: "Run extra sanity tests" name: "Run extra sanity tests"
steps: steps:
- name: Check out collection - name: Check out collection
uses: actions/checkout@v4 uses: actions/checkout@v6
with: with:
persist-credentials: false persist-credentials: false
- name: Run nox - name: Run nox
uses: ansible-community/antsibull-nox@main uses: ansible-community/antsibull-nox@main
ansible-test:
uses: ansible-community/antsibull-nox/.github/workflows/reusable-nox-matrix.yml@main

53
.yamllint-extra-docs Normal file
View File

@@ -0,0 +1,53 @@
---
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
extends: default
ignore: |
/changelogs/
rules:
line-length:
max: 160
level: error
document-start: disable
document-end:
present: false
truthy:
level: error
allowed-values:
- 'true'
- 'false'
indentation:
spaces: 2
indent-sequences: true
key-duplicates: enable
trailing-spaces: enable
new-line-at-end-of-file: disable
hyphens:
max-spaces-after: 1
empty-lines:
max: 2
max-start: 0
max-end: 0
commas:
max-spaces-before: 0
min-spaces-after: 1
max-spaces-after: 1
colons:
max-spaces-before: 0
max-spaces-after: 1
brackets:
min-spaces-inside: 0
max-spaces-inside: 0
braces:
min-spaces-inside: 0
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
comments:
min-spaces-from-content: 1
comments-indentation: false

697
CHANGELOG.md
View File

File diff suppressed because it is too large Load Diff

78
CHANGELOG.rst
View File

@@ -4,6 +4,84 @@ Community Crypto Release Notes
.. contents:: Topics .. contents:: Topics
v2.26.7
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- crypto_info, openssl_privatekey, openssl_privatekey_pipe - fix detection of EC support for cryptography 46.0.5+ (https://github.com/ansible-collections/community.crypto/pull/981).
v2.26.6
=======
Release Summary
---------------
Maintenance release.
v2.26.5
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- acme_* modules - also retry on HTTP responses 502 Bad Gateway and 504 Gateway Timeout. The latter is needed for ZeroSSL, which seems to have a lot of 504s (https://github.com/ansible-collections/community.crypto/issues/945, https://github.com/ansible-collections/community.crypto/pull/947).
- acme_* modules - increase the maximum amount of retries from 10 to 20 to accomodate ZeroSSL's buggy implementation (https://github.com/ansible-collections/community.crypto/pull/949).
v2.26.4
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- Improve error message when loading a private key fails due to correct private key files or wrong passwords. Also include the original cryptography error since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936, https://github.com/ansible-collections/community.crypto/pull/939).
v2.26.3
=======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- acme_account - make work with CAs that do not accept any account request without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918, https://github.com/ansible-collections/community.crypto/pull/919).
v2.26.2
=======
Release Summary
---------------
Maintenance release announcing removal of the Entrust content from community.crypto 3.0.0.
Deprecated Features
-------------------
- The Entrust service in currently being sunsetted after the sale of Entrust's Public Certificates Business to Sectigo; see `the announcement with key dates <https://www.entrust.com/tls-certificate-information-center>`__ and `the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__ for details (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
v2.26.1 v2.26.1
======= =======

28
README.md
View File

@@ -7,9 +7,9 @@ SPDX-License-Identifier: GPL-3.0-or-later
# Ansible Community Crypto Collection # Ansible Community Crypto Collection
[![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/crypto/) [![Documentation](https://img.shields.io/badge/docs-brightgreen.svg)](https://docs.ansible.com/ansible/devel/collections/community/crypto/)
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21) [![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=stable-2)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions) [![EOL CI](https://github.com/ansible-collections/community.crypto/actions/workflows/ansible-test.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=main)](https://github.com/ansible-collections/community.crypto/actions) [![Nox CI](https://github.com/ansible-collections/community.crypto/actions/workflows/nox.yml/badge.svg?branch=stable-2)](https://github.com/ansible-collections/community.crypto/actions)
[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto) [![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto)
[![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.crypto)](https://api.reuse.software/info/github.com/ansible-collections/community.crypto) [![REUSE status](https://api.reuse.software/badge/github.com/ansible-collections/community.crypto)](https://api.reuse.software/info/github.com/ansible-collections/community.crypto)
@@ -40,7 +40,7 @@ For more information about communication, see the [Ansible communication guide](
## Tested with Ansible ## Tested with Ansible
Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, ansible-core-2.17, and ansible-core 2.18 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported. Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15, ansible-core 2.16, ansible-core-2.17, ansible-core-2.18, and ansible-core 2.19 releases. Ansible versions before 2.9.10 are not supported.
## External requirements ## External requirements
@@ -54,7 +54,7 @@ Browsing the [**latest** collection documentation](https://docs.ansible.com/ansi
Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_. Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/) which shows docs for the _latest commit in the `main` branch_. We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/) which shows docs for the _latest commit in the `stable-2` branch_.
If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**. If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
@@ -109,7 +109,7 @@ If you use the Ansible package and do not update collections independently, use
- luks_device module - luks_device module
- parse_serial and to_serial filters - parse_serial and to_serial filters
You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/). You can also find a list of all modules and plugins with documentation on the [Ansible docs site](https://docs.ansible.com/ansible/latest/collections/community/crypto/), or the [latest commit collection documentation](https://ansible-collections.github.io/community.crypto/branch/stable-2/).
## Using this collection ## Using this collection
@@ -141,19 +141,15 @@ See [Ansible's dev guide](https://docs.ansible.com/ansible/devel/dev_guide/devel
## Release notes ## Release notes
See the [changelog](https://github.com/ansible-collections/community.crypto/blob/main/CHANGELOG.md). See the [changelog](https://github.com/ansible-collections/community.crypto/blob/stable-2/CHANGELOG.md).
## Roadmap ## Roadmap
We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows [semantic versioning](https://semver.org/), so breaking changes will only happen in major releases. We plan to regularly release minor and patch versions, whenever new features are added or bugs fixed. Our collection follows [semantic versioning](https://semver.org/), so breaking changes will only happen in major releases.
Most modules will drop PyOpenSSL support in version 2.0.0 of the collection, i.e. in the next major version. We currently plan to release 2.0.0 somewhen during 2021. Around then, the supported versions of the most common distributions will contain a new enough version of ``cryptography``. In 2.0.0, the following notable features have been removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which did now have a ``cryptography`` backend for a long time due to lack of support of PKCS#12 functionality in ``cryptography``. (This changed.)
Once 2.0.0 has been released, bugfixes will still be backported to 1.0.0 for some time, and some features might also be backported. If we do not want to backport something ourselves because we think it is not worth the effort, backport PRs by non-maintainers are usually accepted. * The ``assertonly`` provider of ``x509_certificate`` has been removed.
In 2.0.0, the following notable features will be removed:
* PyOpenSSL backends of all modules, except ``openssl_pkcs12`` which does not have a ``cryptography`` backend due to lack of support of PKCS#12 functionality in ``cryptography``.
* The ``assertonly`` provider of ``x509_certificate`` will be removed.
## More information ## More information
@@ -166,8 +162,8 @@ In 2.0.0, the following notable features will be removed:
This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later. This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text. See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/stable-2/COPYING) for the full text.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils. Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`, `tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/stable-2/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/). All files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `REUSE.toml`. This conforms to the [REUSE specification](https://reuse.software/spec/).

60
antsibull-nox.toml
View File

@@ -3,8 +3,14 @@
# SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de> # SPDX-FileCopyrightText: 2025 Felix Fontein <felix@fontein.de>
[collection_sources] [collection_sources]
"community.general" = "git+https://github.com/ansible-collections/community.general.git,main"
"community.internal_test_tools" = "git+https://github.com/ansible-collections/community.internal_test_tools.git,main" "community.internal_test_tools" = "git+https://github.com/ansible-collections/community.internal_test_tools.git,main"
[vcs]
vcs = "git"
development_branch = "main"
stable_branches = [ "stable-*" ]
[sessions] [sessions]
[sessions.lint] [sessions.lint]
@@ -18,6 +24,7 @@ run_yamllint = true
yamllint_config = ".yamllint" yamllint_config = ".yamllint"
yamllint_config_plugins = ".yamllint-docs" yamllint_config_plugins = ".yamllint-docs"
yamllint_config_plugins_examples = ".yamllint-examples" yamllint_config_plugins_examples = ".yamllint-examples"
yamllint_config_extra_docs = ".yamllint-extra-docs"
run_mypy = false run_mypy = false
[sessions.docs_check] [sessions.docs_check]
@@ -46,3 +53,56 @@ doc_fragment = "community.crypto.attributes.actiongroup_acme"
run_galaxy_importer = true run_galaxy_importer = true
# [sessions.ansible_lint] # [sessions.ansible_lint]
[[sessions.ee_check.execution_environments]]
name = "devel-ubi-9"
description = "ansible-core devel @ RHEL UBI 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "docker.io/redhat/ubi9:latest"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/devel.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.dependencies.python_interpreter.package_system = "python3.12 python3.12-pip python3.12-wheel python3.12-cryptography"
config.dependencies.python_interpreter.python_path = "/usr/bin/python3.12"
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason ansible-builder will not install EPEL dependencies on RHEL
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.15-rocky-9"
description = "ansible-core 2.15 @ Rocky Linux 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "quay.io/rockylinux/rockylinux:9"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.15.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.additional_build_steps.prepend_base = [
"RUN dnf install -y epel-release",
]
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason ansible-builder will not install EPEL dependencies on Rocky Linux
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.14-centos-stream-9"
description = "ansible-core 2.14 @ CentOS Stream 9"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "quay.io/centos/centos:stream9"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.14.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.additional_build_steps.prepend_base = [
"RUN dnf install -y epel-release epel-next-release",
]
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# For some reason, PyOpenSSL is **broken** on CentOS Stream 9 / EPEL
runtime_extra_vars = { "has_no_pyopenssl" = "true" }
[[sessions.ee_check.execution_environments]]
name = "2.13-ubi-8"
description = "ansible-core 2.13 @ RHEL UBI 8"
test_playbooks = ["tests/ee/all.yml"]
config.images.base_image.name = "docker.io/redhat/ubi8:latest"
config.dependencies.ansible_core.package_pip = "https://github.com/ansible/ansible/archive/stable-2.13.tar.gz"
config.dependencies.ansible_runner.package_pip = "ansible-runner"
config.dependencies.python_interpreter.package_system = "python39 python39-pip python39-wheel python39-cryptography"
runtime_environment = {"ANSIBLE_PRIVATE_ROLE_VARS" = "true"}
# We don't have PyOpenSSL for Python 3.9
runtime_extra_vars = { "has_no_pyopenssl" = "true" }

79
changelogs/changelog.yaml
View File

@@ -1643,3 +1643,82 @@ releases:
- 867-passphrase-encoding-nolog.yml - 867-passphrase-encoding-nolog.yml
- 868-luks-remove-keyslot.yml - 868-luks-remove-keyslot.yml
release_date: '2025-04-28' release_date: '2025-04-28'
2.26.2:
changes:
deprecated_features:
- The Entrust service in currently being sunsetted after the sale of Entrust's
Public Certificates Business to Sectigo; see `the announcement with key
dates <https://www.entrust.com/tls-certificate-information-center>`__ and
`the migration brief for customers <https://www.sectigo.com/uploads/resources/EOL_Migration-Brief-End-Customer.pdf>`__
for details (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_certificate - the module will be removed from community.crypto 3.0.0
(https://github.com/ansible-collections/community.crypto/issues/895, https://github.com/ansible-collections/community.crypto/pull/901).
- ecs_domain - the module will be removed from community.crypto 3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
- x509_certificate_pipe - the ``entrust`` provider will be removed from community.crypto
3.0.0 (https://github.com/ansible-collections/community.crypto/issues/895,
https://github.com/ansible-collections/community.crypto/pull/901).
release_summary: Maintenance release announcing removal of the Entrust content
from community.crypto 3.0.0.
fragments:
- 2.26.2.yml
- 901-remove-entrust.yml
release_date: '2025-05-22'
2.26.3:
changes:
bugfixes:
- acme_account - make work with CAs that do not accept any account request
without External Account Binding data (https://github.com/ansible-collections/community.crypto/issues/918,
https://github.com/ansible-collections/community.crypto/pull/919).
release_summary: Bugfix release.
fragments:
- 2.26.3.yml
- 919-acme_account-ear.yml
release_date: '2025-06-14'
2.26.4:
changes:
bugfixes:
- Improve error message when loading a private key fails due to correct private
key files or wrong passwords. Also include the original cryptography error
since it likely contains more helpful information (https://github.com/ansible-collections/community.crypto/issues/936,
https://github.com/ansible-collections/community.crypto/pull/939).
release_summary: Bugfix release.
fragments:
- 2.26.4.yml
- 939-private-key-errors.yml
release_date: '2025-07-26'
2.26.5:
changes:
bugfixes:
- acme_* modules - also retry on HTTP responses 502 Bad Gateway and 504 Gateway
Timeout. The latter is needed for ZeroSSL, which seems to have a lot of
504s (https://github.com/ansible-collections/community.crypto/issues/945,
https://github.com/ansible-collections/community.crypto/pull/947).
- acme_* modules - increase the maximum amount of retries from 10 to 20 to
accomodate ZeroSSL's buggy implementation (https://github.com/ansible-collections/community.crypto/pull/949).
release_summary: Bugfix release.
fragments:
- 2.26.5.yml
- 947-acme-retry.yml
- 949-acme-retry.yml
release_date: '2025-08-04'
2.26.6:
changes:
release_summary: Maintenance release.
fragments:
- 2.26.6.yml
release_date: '2025-10-29'
2.26.7:
changes:
bugfixes:
- crypto_info, openssl_privatekey, openssl_privatekey_pipe - fix detection
of EC support for cryptography 46.0.5+ (https://github.com/ansible-collections/community.crypto/pull/981).
release_summary: Bugfix release.
fragments:
- 2.26.7.yml
- 981-ec.yml
release_date: '2026-02-12'

2
changelogs/config.yaml
View File

@@ -7,6 +7,7 @@ changelog_filename_template: ../CHANGELOG.rst
changelog_filename_version_depth: 0 changelog_filename_version_depth: 0
changes_file: changelog.yaml changes_file: changelog.yaml
changes_format: combined changes_format: combined
ignore_other_fragment_extensions: true
keep_fragments: false keep_fragments: false
mention_ancestor: true mention_ancestor: true
new_plugins_after_name: removed_features new_plugins_after_name: removed_features
@@ -39,3 +40,4 @@ use_fqcn: true
add_plugin_period: true add_plugin_period: true
changelog_nice_yaml: true changelog_nice_yaml: true
changelog_sort: version changelog_sort: version
vcs: auto

4
docs/docsite/rst/guide_ownca.rst
View File

@@ -51,7 +51,7 @@ The following instructions show how to set up a simple self-signed CA certificat
Use the CA to sign a certificate Use the CA to sign a certificate
-------------------------------- --------------------------------
To sign a certificate, you must pass a CSR to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>` or :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`. To sign a certificate, you must pass a CSR to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>` or :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`.
In the following example, we assume that the certificate to sign (including its private key) are on ``server_1``, while our CA certificate is on ``server_2``. We do not want any key material to leave each respective server. In the following example, we assume that the certificate to sign (including its private key) are on ``server_1``, while our CA certificate is on ``server_2``. We do not want any key material to leave each respective server.
@@ -94,7 +94,7 @@ In the following example, we assume that the certificate to sign (including its
delegate_to: server_1 delegate_to: server_1
run_once: true run_once: true
Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ref:`community.crypto.x509_certificate_pipe module <ansible_collections.community.crypto.x509_certificate_pipe_module>`, and only writes the result back if it was changed: Please note that the above procedure is **not idempotent**. The following extended example reads the existing certificate from ``server_1`` (if exists) and provides it to the :ansplugin:`community.crypto.x509_certificate_pipe module <community.crypto.x509_certificate_pipe#module>`, and only writes the result back if it was changed:
.. code-block:: yaml+jinja .. code-block:: yaml+jinja

6
docs/docsite/rst/guide_selfsigned.rst
View File

@@ -10,7 +10,7 @@ How to create self-signed certificates
The `community.crypto collection <https://galaxy.ansible.com/ui/repo/published/community/crypto/>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates. The `community.crypto collection <https://galaxy.ansible.com/ui/repo/published/community/crypto/>`_ offers multiple modules that create private keys, certificate signing requests, and certificates. This guide shows how to create self-signed certificates.
For creating any kind of certificate, you always have to start with a private key. You can use the :ref:`community.crypto.openssl_privatekey module <ansible_collections.community.crypto.openssl_privatekey_module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key: For creating any kind of certificate, you always have to start with a private key. You can use the :ansplugin:`community.crypto.openssl_privatekey module <community.crypto.openssl_privatekey#module>` to create a private key. If you only specify :ansopt:`community.crypto.openssl_privatekey#module:path`, the default parameters will be used. This will result in a 4096 bit RSA private key:
.. code-block:: yaml+jinja .. code-block:: yaml+jinja
@@ -28,7 +28,7 @@ You can specify :ansopt:`community.crypto.openssl_privatekey#module:type` to sel
type: X25519 type: X25519
passphrase: changeme passphrase: changeme
To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`: To create a very simple self-signed certificate with no specific information, you can proceed directly with the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`:
.. code-block:: yaml+jinja .. code-block:: yaml+jinja
@@ -42,7 +42,7 @@ To create a very simple self-signed certificate with no specific information, yo
You can use :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_after` to define when the certificate expires (default: in roughly 10 years), and :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_before` to define from when the certificate is valid (default: now). You can use :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_after` to define when the certificate expires (default: in roughly 10 years), and :ansopt:`community.crypto.x509_certificate#module:selfsigned_not_before` to define from when the certificate is valid (default: now).
To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ref:`community.crypto.x509_certificate module <ansible_collections.community.crypto.x509_certificate_module>`. If you do not need the CSR file, you can use the :ref:`community.crypto.openssl_csr_pipe module <ansible_collections.community.crypto.openssl_csr_pipe_module>` as in the example below. (To store it to disk, use the :ref:`community.crypto.openssl_csr module <ansible_collections.community.crypto.openssl_csr_module>` instead.) To define further properties of the certificate, like the subject, Subject Alternative Names (SANs), key usages, name constraints, etc., you need to first create a Certificate Signing Request (CSR) and provide it to the :ansplugin:`community.crypto.x509_certificate module <community.crypto.x509_certificate#module>`. If you do not need the CSR file, you can use the :ansplugin:`community.crypto.openssl_csr_pipe module <community.crypto.openssl_csr_pipe#module>` as in the example below. (To store it to disk, use the :ansplugin:`community.crypto.openssl_csr module <community.crypto.openssl_csr#module>` instead.)
.. code-block:: yaml+jinja .. code-block:: yaml+jinja

2
galaxy.yml
View File

@@ -5,7 +5,7 @@
namespace: community namespace: community
name: crypto name: crypto
version: 2.26.1 version: 2.26.7
readme: README.md readme: README.md
authors: authors:
- Ansible (github.com/ansible) - Ansible (github.com/ansible)

21
plugins/doc_fragments/acme.py
View File

@@ -117,11 +117,12 @@ options:
BASIC = r""" BASIC = r"""
notes: notes:
- Although the defaults are chosen so that the module can be used with the L(Let's Encrypt,https://letsencrypt.org/) CA, - Although the defaults are chosen so that the module can be used with the L(Let's Encrypt,https://letsencrypt.org/) CA,
the module can in principle be used with any CA providing an ACME endpoint, such as L(Buypass Go SSL,https://www.buypass.com/ssl/products/acme). the module can in principle be used with any CA providing an ACME endpoint.
- So far, the ACME modules have only been tested by the developers against Let's Encrypt (staging and production), Buypass - So far, the ACME modules have only been tested by the developers against Let's Encrypt (staging and production),
(staging and production), ZeroSSL (production), and L(Pebble testing server,https://github.com/letsencrypt/Pebble). We ZeroSSL (production), and L(Pebble testing server,https://github.com/letsencrypt/Pebble).
have got community feedback that they also work with Sectigo ACME Service for InCommon. If you experience problems with We have got community feedback that they also work with Sectigo ACME Service for InCommon and with HARICA.
another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose) If you experience problems with another ACME server, please
L(create an issue, https://github.com/ansible-collections/community.crypto/issues/new/choose)
to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated. to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
requirements: requirements:
- either openssl or L(cryptography,https://cryptography.io/) >= 1.5 - either openssl or L(cryptography,https://cryptography.io/) >= 1.5
@@ -140,12 +141,11 @@ options:
- The ACME directory to use. This is the entry point URL to access the ACME CA server API. - The ACME directory to use. This is the entry point URL to access the ACME CA server API.
- For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create - For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create
technically correct, but untrusted certificates. technically correct, but untrusted certificates.
- "For Let's Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/). - "For Let's Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/)."
For Buypass, all endpoints can be found here: U(https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints)."
- For B(Let's Encrypt), the production directory URL for ACME v2 is U(https://acme-v02.api.letsencrypt.org/directory). - For B(Let's Encrypt), the production directory URL for ACME v2 is U(https://acme-v02.api.letsencrypt.org/directory).
- For B(Buypass), the production directory URL for ACME v2 and v1 is U(https://api.buypass.com/acme/directory).
- For B(ZeroSSL), the production directory URL for ACME v2 is U(https://acme.zerossl.com/v2/DV90). - For B(ZeroSSL), the production directory URL for ACME v2 is U(https://acme.zerossl.com/v2/DV90).
- For B(Sectigo), the production directory URL for ACME v2 is U(https://acme-qa.secure.trust-provider.com/v2/DV). - For B(Sectigo), the production directory URL for ACME v2 is U(https://acme-qa.secure.trust-provider.com/v2/DV).
- For B(HARICA), the production directory URL for ACME v2 is U(https://acme.harica.gr/XXX/directory) with XXX being specific to your account.
- The notes for this module contain a list of ACME services this module has been tested against. - The notes for this module contain a list of ACME services this module has been tested against.
required: true required: true
type: str type: str
@@ -185,6 +185,7 @@ options:
account_key_src: account_key_src:
description: description:
- Path to a file containing the ACME account RSA or Elliptic Curve key. - Path to a file containing the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- 'Private keys can be created with the M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe) - 'Private keys can be created with the M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe)
modules. If the requisite (cryptography) is not available, keys can also be created directly with the C(openssl) command modules. If the requisite (cryptography) is not available, keys can also be created directly with the C(openssl) command
line tool: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam line tool: RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys can be created with C(openssl ecparam
@@ -192,10 +193,12 @@ options:
- Mutually exclusive with O(account_key_content). - Mutually exclusive with O(account_key_content).
- Required if O(account_key_content) is not used. - Required if O(account_key_content) is not used.
type: path type: path
aliases: [account_key] aliases:
- account_key
account_key_content: account_key_content:
description: description:
- Content of the ACME account RSA or Elliptic Curve key. - Content of the ACME account RSA or Elliptic Curve key.
- "For Elliptic Curve keys only the following curves are supported: V(secp256r1), V(secp384r1), and V(secp521r1)."
- Mutually exclusive with O(account_key_src). - Mutually exclusive with O(account_key_src).
- Required if O(account_key_src) is not used. - Required if O(account_key_src) is not used.
- B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes. - B(Warning:) the content will be written into a temporary file, which will be deleted by Ansible when the module completes.

8
plugins/doc_fragments/module_certificate.py
View File

@@ -125,7 +125,7 @@ options:
acme_directory: acme_directory:
description: description:
- "The ACME directory to use. You can use any directory that supports the ACME protocol, such as Buypass or Let's Encrypt." - "The ACME directory to use. You can use any directory that supports the ACME protocol, such as Let's Encrypt."
- "Let's Encrypt recommends using their staging server while developing jobs. U(https://letsencrypt.org/docs/staging-environment/)." - "Let's Encrypt recommends using their staging server while developing jobs. U(https://letsencrypt.org/docs/staging-environment/)."
type: str type: str
default: https://acme-v02.api.letsencrypt.org/directory default: https://acme-v02.api.letsencrypt.org/directory
@@ -377,7 +377,8 @@ options:
- This is only used by the V(selfsigned) provider. - This is only used by the V(selfsigned) provider.
type: str type: str
default: +0s default: +0s
aliases: [ selfsigned_notBefore ] aliases:
- selfsigned_notBefore
selfsigned_not_after: selfsigned_not_after:
description: description:
@@ -395,7 +396,8 @@ options:
Please see U(https://support.apple.com/en-us/HT210176) for more details. Please see U(https://support.apple.com/en-us/HT210176) for more details.
type: str type: str
default: +3650d default: +3650d
aliases: [ selfsigned_notAfter ] aliases:
- selfsigned_notAfter
selfsigned_create_subject_key_identifier: selfsigned_create_subject_key_identifier:
description: description:

63
plugins/doc_fragments/module_csr.py
View File

@@ -75,37 +75,51 @@ options:
description: description:
- The countryName field of the certificate signing request subject. - The countryName field of the certificate signing request subject.
type: str type: str
aliases: [C, countryName] aliases:
- C
- countryName
state_or_province_name: state_or_province_name:
description: description:
- The stateOrProvinceName field of the certificate signing request subject. - The stateOrProvinceName field of the certificate signing request subject.
type: str type: str
aliases: [ST, stateOrProvinceName] aliases:
- ST
- stateOrProvinceName
locality_name: locality_name:
description: description:
- The localityName field of the certificate signing request subject. - The localityName field of the certificate signing request subject.
type: str type: str
aliases: [L, localityName] aliases:
- L
- localityName
organization_name: organization_name:
description: description:
- The organizationName field of the certificate signing request subject. - The organizationName field of the certificate signing request subject.
type: str type: str
aliases: [O, organizationName] aliases:
- O
- organizationName
organizational_unit_name: organizational_unit_name:
description: description:
- The organizationalUnitName field of the certificate signing request subject. - The organizationalUnitName field of the certificate signing request subject.
type: str type: str
aliases: [OU, organizationalUnitName] aliases:
- OU
- organizationalUnitName
common_name: common_name:
description: description:
- The commonName field of the certificate signing request subject. - The commonName field of the certificate signing request subject.
type: str type: str
aliases: [CN, commonName] aliases:
- CN
- commonName
email_address: email_address:
description: description:
- The emailAddress field of the certificate signing request subject. - The emailAddress field of the certificate signing request subject.
type: str type: str
aliases: [E, emailAddress] aliases:
- E
- emailAddress
subject_alt_name: subject_alt_name:
description: description:
- Subject Alternative Name (SAN) extension to attach to the certificate signing request. - Subject Alternative Name (SAN) extension to attach to the certificate signing request.
@@ -116,63 +130,75 @@ options:
- More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6). - More at U(https://tools.ietf.org/html/rfc5280#section-4.2.1.6).
type: list type: list
elements: str elements: str
aliases: [subjectAltName] aliases:
- subjectAltName
subject_alt_name_critical: subject_alt_name_critical:
description: description:
- Should the subjectAltName extension be considered as critical. - Should the subjectAltName extension be considered as critical.
type: bool type: bool
default: false default: false
aliases: [subjectAltName_critical] aliases:
- subjectAltName_critical
use_common_name_for_san: use_common_name_for_san:
description: description:
- If set to V(true), the module will fill the common name in for O(subject_alt_name) with C(DNS:) prefix if no SAN is - If set to V(true), the module will fill the common name in for O(subject_alt_name) with C(DNS:) prefix if no SAN is
specified. specified.
type: bool type: bool
default: true default: true
aliases: [useCommonNameForSAN] aliases:
- useCommonNameForSAN
key_usage: key_usage:
description: description:
- This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate. - This defines the purpose (for example encipherment, signature, certificate signing) of the key contained in the certificate.
type: list type: list
elements: str elements: str
aliases: [keyUsage] aliases:
- keyUsage
key_usage_critical: key_usage_critical:
description: description:
- Should the keyUsage extension be considered as critical. - Should the keyUsage extension be considered as critical.
type: bool type: bool
default: false default: false
aliases: [keyUsage_critical] aliases:
- keyUsage_critical
extended_key_usage: extended_key_usage:
description: description:
- Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which - Additional restrictions (for example client authentication, server authentication) on the allowed purposes for which
the public key may be used. the public key may be used.
type: list type: list
elements: str elements: str
aliases: [extKeyUsage, extendedKeyUsage] aliases:
- extKeyUsage
- extendedKeyUsage
extended_key_usage_critical: extended_key_usage_critical:
description: description:
- Should the extkeyUsage extension be considered as critical. - Should the extkeyUsage extension be considered as critical.
type: bool type: bool
default: false default: false
aliases: [extKeyUsage_critical, extendedKeyUsage_critical] aliases:
- extKeyUsage_critical
- extendedKeyUsage_critical
basic_constraints: basic_constraints:
description: description:
- Indicates basic constraints, such as if the certificate is a CA. - Indicates basic constraints, such as if the certificate is a CA.
type: list type: list
elements: str elements: str
aliases: [basicConstraints] aliases:
- basicConstraints
basic_constraints_critical: basic_constraints_critical:
description: description:
- Should the basicConstraints extension be considered as critical. - Should the basicConstraints extension be considered as critical.
type: bool type: bool
default: false default: false
aliases: [basicConstraints_critical] aliases:
- basicConstraints_critical
ocsp_must_staple: ocsp_must_staple:
description: description:
- Indicates that the certificate should contain the OCSP Must Staple extension (U(https://tools.ietf.org/html/rfc7633)). - Indicates that the certificate should contain the OCSP Must Staple extension (U(https://tools.ietf.org/html/rfc7633)).
type: bool type: bool
default: false default: false
aliases: [ocspMustStaple] aliases:
- ocspMustStaple
ocsp_must_staple_critical: ocsp_must_staple_critical:
description: description:
- Should the OCSP Must Staple extension be considered as critical. - Should the OCSP Must Staple extension be considered as critical.
@@ -180,7 +206,8 @@ options:
OCSP Must Staple are required to reject such certificates (see U(https://tools.ietf.org/html/rfc7633#section-4)). OCSP Must Staple are required to reject such certificates (see U(https://tools.ietf.org/html/rfc7633#section-4)).
type: bool type: bool
default: false default: false
aliases: [ocspMustStaple_critical] aliases:
- ocspMustStaple_critical
name_constraints_permitted: name_constraints_permitted:
description: description:
- For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed - For CA certificates, this specifies a list of identifiers which describe subtrees of names that this CA is allowed

29
plugins/module_utils/acme/account.py
View File

@@ -73,13 +73,28 @@ class ACMEAccount(object):
# and provide external_account_binding credentials. Thus we first send a request with allow_creation=False # and provide external_account_binding credentials. Thus we first send a request with allow_creation=False
# to see whether the account already exists. # to see whether the account already exists.
# Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even # Unfortunately, for other ACME servers it's the other way around: (at least some) HARICA endpoints
# if onlyReturnExisting is set to true. # do not allow *any* access without external account data. That's why we catch errors and check
created, data = self._new_reg(contact=contact, allow_creation=False) # for 'externalAccountRequired'.
if data: try:
# An account already exists! Return data # Note that we pass contact here: ZeroSSL does not accept registration calls without contacts, even
return created, data # if onlyReturnExisting is set to true.
# An account does not yet exist. Try to create one next. created, data = self._new_reg(contact=contact, allow_creation=False)
if data:
# An account already exists! Return data
return created, data
# An account does not yet exist. Try to create one next.
except ACMEProtocolException as exc:
if (
exc.error_type
!= "urn:ietf:params:acme:error:externalAccountRequired"
or external_account_binding is None
):
# Either another error happened, or we got 'externalAccountRequired' and external account data was not supplied
# => re-raise exception!
raise
# In this case, the server really wants external account data.
# The below code tries to create the account with external account data present.
new_reg = {"contact": contact} new_reg = {"contact": contact}
if not allow_creation: if not allow_creation:

4
plugins/module_utils/acme/acme.py
View File

@@ -60,9 +60,9 @@ else:
# -1 usually means connection problems # -1 usually means connection problems
RETRY_STATUS_CODES = (-1, 408, 429, 503) RETRY_STATUS_CODES = (-1, 408, 429, 502, 503, 504)
RETRY_COUNT = 10 RETRY_COUNT = 20
def _decode_retry(module, response, info, retry_count): def _decode_retry(module, response, info, retry_count):

2
plugins/module_utils/crypto/module_backends/privatekey.py
View File

@@ -276,7 +276,7 @@ class PrivateKeyBackend:
class PrivateKeyCryptographyBackend(PrivateKeyBackend): class PrivateKeyCryptographyBackend(PrivateKeyBackend):
def _get_ec_class(self, ectype): def _get_ec_class(self, ectype):
ecclass = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get(ectype) ecclass = getattr(cryptography.hazmat.primitives.asymmetric.ec, ectype, None)
if ecclass is None: if ecclass is None:
self.module.fail_json( self.module.fail_json(
msg="Your cryptography version does not support {0}".format(ectype) msg="Your cryptography version does not support {0}".format(ectype)

9
plugins/module_utils/crypto/support.py
View File

@@ -40,6 +40,7 @@ except (ImportError, AttributeError):
try: try:
from cryptography import x509 from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends import default_backend as cryptography_backend from cryptography.hazmat.backends import default_backend as cryptography_backend
from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.serialization import load_pem_private_key from cryptography.hazmat.primitives.serialization import load_pem_private_key
@@ -213,12 +214,16 @@ def load_privatekey(
None if passphrase is None else to_bytes(passphrase), None if passphrase is None else to_bytes(passphrase),
cryptography_backend(), cryptography_backend(),
) )
except UnsupportedAlgorithm as exc:
raise OpenSSLBadPassphraseError("Unsupported private key type: {exc}".format(exc=exc))
except TypeError: except TypeError:
raise OpenSSLBadPassphraseError( raise OpenSSLBadPassphraseError(
"Wrong or empty passphrase provided for private key" "Wrong or empty passphrase provided for private key"
) )
except ValueError: except ValueError as exc:
raise OpenSSLBadPassphraseError("Wrong passphrase provided for private key") raise OpenSSLBadPassphraseError(
"Wrong passphrase provided for private key, or private key cannot be parsed: {exc}".format(exc=exc)
)
return result return result

4
plugins/modules/acme_account.py
View File

@@ -105,8 +105,8 @@ options:
external_account_binding: external_account_binding:
description: description:
- Allows to provide external account binding data during account creation. - Allows to provide external account binding data during account creation.
- This is used by CAs like Sectigo to bind a new ACME account to an existing CA-specific account, to be able to properly - This is used by CAs like Sectigo, HARICA, or ZeroSSL to bind a new ACME account to an existing CA-specific account,
identify a customer. to be able to properly identify a customer.
- Only used when creating a new account. Can not be specified for ACME v1. - Only used when creating a new account. Can not be specified for ACME v1.
type: dict type: dict
suboptions: suboptions:

5
plugins/modules/acme_ari_info.py
View File

@@ -19,8 +19,7 @@ short_description: Retrieves ACME Renewal Information (ARI) for a certificate
description: description:
- Allows to retrieve renewal information on a certificate obtained with the L(ACME protocol,https://tools.ietf.org/html/rfc8555). - Allows to retrieve renewal information on a certificate obtained with the L(ACME protocol,https://tools.ietf.org/html/rfc8555).
- This module only works with the ACME v2 protocol, and requires the ACME server to support the ARI extension - This module only works with the ACME v2 protocol, and requires the ACME server to support the ARI extension
(U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)). (L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)).
This module implements version 3 of the ARI draft.
extends_documentation_fragment: extends_documentation_fragment:
- community.crypto.acme.basic - community.crypto.acme.basic
- community.crypto.acme.no_account - community.crypto.acme.no_account
@@ -59,7 +58,7 @@ EXAMPLES = r"""
RETURN = r""" RETURN = r"""
renewal_info: renewal_info:
description: The ARI renewal info object (U(https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.2)). description: The ARI renewal info object (U(https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2)).
returned: success returned: success
type: dict type: dict
contains: contains:

11
plugins/modules/acme_certificate.py
View File

@@ -17,8 +17,8 @@ author: "Michael Gruener (@mgruener)"
short_description: Create SSL/TLS certificates with the ACME protocol short_description: Create SSL/TLS certificates with the ACME protocol
description: description:
- Create and renew SSL/TLS certificates with a CA supporting the L(ACME protocol,https://tools.ietf.org/html/rfc8555), such - Create and renew SSL/TLS certificates with a CA supporting the L(ACME protocol,https://tools.ietf.org/html/rfc8555), such
as L(Let's Encrypt,https://letsencrypt.org/) or L(Buypass,https://www.buypass.com/). The current implementation supports as L(Let's Encrypt,https://letsencrypt.org/).
the V(http-01), V(dns-01) and V(tls-alpn-01) challenges. The current implementation supports the V(http-01), V(dns-01) and V(tls-alpn-01) challenges.
- To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note - To use this module, it has to be executed twice. Either as two different tasks in the same run or during two runs. Note
that the output of the first run needs to be recorded and passed to the second run as the module argument O(data). that the output of the first run needs to be recorded and passed to the second run as the module argument O(data).
- Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For - Between these two tasks you have to fulfill the required steps for the chosen challenge by whatever means necessary. For
@@ -40,9 +40,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority. Provides useful information for example on rate description: Documentation for the Let's Encrypt Certification Authority. Provides useful information for example on rate
limits. limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority. Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555). description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555 link: https://tools.ietf.org/html/rfc8555
@@ -242,8 +239,8 @@ options:
type: str type: str
include_renewal_cert_id: include_renewal_cert_id:
description: description:
- Determines whether to request renewal of an existing certificate according to L(the ACME ARI draft 3, - Determines whether to request renewal of an existing certificate according to L(Section 5 of RFC 9773,
https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5). https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
- This is only used when the certificate specified in O(dest) or O(fullchain_dest) already exists. - This is only used when the certificate specified in O(dest) or O(fullchain_dest) already exists.
- Generally you should use V(when_ari_supported) if you know that the ACME service supports a compatible draft (or final - Generally you should use V(when_ari_supported) if you know that the ACME service supports a compatible draft (or final
version, once it is out) of the ARI extension. V(always) should never be necessary. If you are not sure, or if you version, once it is out) of the ARI extension. V(always) should never be necessary. If you are not sure, or if you

15
plugins/modules/acme_certificate_order_create.py
View File

@@ -19,9 +19,9 @@ short_description: Create an ACME v2 order
description: description:
- Creates an ACME v2 order. This is the first step of obtaining a new certificate - Creates an ACME v2 order. This is the first step of obtaining a new certificate
with the L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate with the L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or Authority such as L(Let's Encrypt,https://letsencrypt.org/).
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the This module does not support ACME v1, the original version of the ACME protocol
original version of the ACME protocol before standardization. before standardization.
- The current implementation supports the V(http-01), V(dns-01) and V(tls-alpn-01) - The current implementation supports the V(http-01), V(dns-01) and V(tls-alpn-01)
challenges. challenges.
- This module needs to be used in conjunction with the - This module needs to be used in conjunction with the
@@ -60,10 +60,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority. description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits. Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555). description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555 link: https://tools.ietf.org/html/rfc8555
@@ -111,9 +107,9 @@ options:
replaces_cert_id: replaces_cert_id:
description: description:
- If provided, will request the order to replace the certificate identified by this certificate ID - If provided, will request the order to replace the certificate identified by this certificate ID
according to L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-5). according to L(Section 5 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-5).
- This certificate ID must be computed as specified in - This certificate ID must be computed as specified in
L(the ACME ARI draft 3, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1). L(Section 4.1 of RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
It is returned as return value RV(community.crypto.acme_certificate_renewal_info#module:cert_id) of the It is returned as return value RV(community.crypto.acme_certificate_renewal_info#module:cert_id) of the
M(community.crypto.acme_certificate_renewal_info) module. M(community.crypto.acme_certificate_renewal_info) module.
- ACME servers might refuse to create new orders that indicate to replace a certificate for which - ACME servers might refuse to create new orders that indicate to replace a certificate for which
@@ -281,6 +277,7 @@ challenge_data:
challenges: challenges:
description: description:
- Information for different challenge types supported for this identifier. - Information for different challenge types supported for this identifier.
- Note that the keys are not valid Jinja2 identifiers.
type: dict type: dict
contains: contains:
http-01: http-01:

9
plugins/modules/acme_certificate_order_finalize.py
View File

@@ -20,9 +20,8 @@ description:
- Finalizes an ACME v2 order and obtains the certificate and certificate chains. - Finalizes an ACME v2 order and obtains the certificate and certificate chains.
This is the final step of obtaining a new certificate with the This is the final step of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or Authority such as L(Let's Encrypt,https://letsencrypt.org/).
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the This module does not support ACME v1, the original version of the ACME protocol before standardization.
original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the - This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create) and. M(community.crypto.acme_certificate_order_create) and.
M(community.crypto.acme_certificate_order_validate) modules. M(community.crypto.acme_certificate_order_validate) modules.
@@ -37,10 +36,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority. description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits. Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555). description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555 link: https://tools.ietf.org/html/rfc8555

11
plugins/modules/acme_certificate_order_info.py
View File

@@ -20,9 +20,8 @@ description:
- Obtain information for an ACME v2 order. - Obtain information for an ACME v2 order.
This can be used during the process of obtaining a new certificate with the This can be used during the process of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or Authority such as L(Let's Encrypt,https://letsencrypt.org/).
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the This module does not support ACME v1, the original version of the ACME protocol before standardization.
original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the - This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create), M(community.crypto.acme_certificate_order_create),
M(community.crypto.acme_certificate_order_validate), and M(community.crypto.acme_certificate_order_validate), and
@@ -141,7 +140,7 @@ order:
- Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339). - Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339).
type: str type: str
returned: depending on order returned: depending on order
notAfter (optional, string): notAfter:
description: description:
- The requested value of the C(notAfter) field in the certificate. - The requested value of the C(notAfter) field in the certificate.
- Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339). - Encoded in the date format defined in L(RFC 3339, https://www.rfc-editor.org/rfc/rfc3339).
@@ -180,10 +179,10 @@ order:
replaces: replaces:
description: description:
- If the order was created to replace an existing certificate using the C(replaces) mechanism from - If the order was created to replace an existing certificate using the C(replaces) mechanism from
L(draft-ietf-acme-ari, https://datatracker.ietf.org/doc/draft-ietf-acme-ari/), this provides the L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html), this provides the
certificate ID of the certificate that will be replaced by this order. certificate ID of the certificate that will be replaced by this order.
type: str type: str
returned: when the certificate order is replacing a certificate through draft-ietf-acme-ari returned: when the certificate order is replacing a certificate through RFC 9773
profile: profile:
description: description:
- If the ACME CA supports profiles through the L(draft-aaron-acme-profiles, - If the ACME CA supports profiles through the L(draft-aaron-acme-profiles,

9
plugins/modules/acme_certificate_order_validate.py
View File

@@ -20,9 +20,8 @@ description:
- Validates pending authorizations of an ACME v2 order. - Validates pending authorizations of an ACME v2 order.
This is the second to last step of obtaining a new certificate with the This is the second to last step of obtaining a new certificate with the
L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate L(ACME protocol,https://tools.ietf.org/html/rfc8555) from a Certificate
Authority such as L(Let's Encrypt,https://letsencrypt.org/) or Authority such as L(Let's Encrypt,https://letsencrypt.org/).
L(Buypass,https://www.buypass.com/). This module does not support ACME v1, the This module does not support ACME v1, the original version of the ACME protocol before standardization.
original version of the ACME protocol before standardization.
- This module needs to be used in conjunction with the - This module needs to be used in conjunction with the
M(community.crypto.acme_certificate_order_create) and M(community.crypto.acme_certificate_order_create) and
M(community.crypto.acme_certificate_order_finalize) modules. M(community.crypto.acme_certificate_order_finalize) modules.
@@ -37,10 +36,6 @@ seealso:
description: Documentation for the Let's Encrypt Certification Authority. description: Documentation for the Let's Encrypt Certification Authority.
Provides useful information for example on rate limits. Provides useful information for example on rate limits.
link: https://letsencrypt.org/docs/ link: https://letsencrypt.org/docs/
- name: Buypass Go SSL
description: Documentation for the Buypass Certification Authority.
Provides useful information for example on rate limits.
link: https://www.buypass.com/ssl/products/acme
- name: Automatic Certificate Management Environment (ACME) - name: Automatic Certificate Management Environment (ACME)
description: The specification of the ACME protocol (RFC 8555). description: The specification of the ACME protocol (RFC 8555).
link: https://tools.ietf.org/html/rfc8555 link: https://tools.ietf.org/html/rfc8555

8
plugins/modules/acme_certificate_renewal_info.py
View File

@@ -18,8 +18,8 @@ version_added: 2.20.0
short_description: Determine whether a certificate should be renewed or not short_description: Determine whether a certificate should be renewed or not
description: description:
- Uses various information to determine whether a certificate should be renewed or not. - Uses various information to determine whether a certificate should be renewed or not.
- If available, the ARI extension (ACME Renewal Information, U(https://datatracker.ietf.org/doc/draft-ietf-acme-ari/)) is - If available, the ARI extension (ACME Renewal Information, L(RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html)) is
used. This module implements version 3 of the ARI draft.". used.
extends_documentation_fragment: extends_documentation_fragment:
- community.crypto.acme.basic - community.crypto.acme.basic
- community.crypto.acme.no_account - community.crypto.acme.no_account
@@ -54,7 +54,7 @@ options:
description: description:
- If ARI information is used, selects which algorithm is used to determine whether to renew now. - If ARI information is used, selects which algorithm is used to determine whether to renew now.
- V(standard) selects the L(algorithm provided in the the ARI specification, - V(standard) selects the L(algorithm provided in the the ARI specification,
https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#name-renewalinfo-objects). https://www.rfc-editor.org/rfc/rfc9773.html#section-4.2).
- V(start) returns RV(should_renew=true) once the start of the renewal interval has been reached. - V(start) returns RV(should_renew=true) once the start of the renewal interval has been reached.
type: str type: str
choices: choices:
@@ -157,7 +157,7 @@ supports_ari:
cert_id: cert_id:
description: description:
- The certificate ID according to the L(ARI specification, https://www.ietf.org/archive/id/draft-ietf-acme-ari-03.html#section-4.1). - The certificate ID according to L(Section 4.1 in RFC 9773, https://www.rfc-editor.org/rfc/rfc9773.html#section-4.1).
returned: success, the certificate exists, and has an Authority Key Identifier X.509 extension returned: success, the certificate exists, and has an Authority Key Identifier X.509 extension
type: str type: str
sample: aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE sample: aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE

6
plugins/modules/crypto_info.py
View File

@@ -286,10 +286,8 @@ def add_crypto_information(module):
backend = cryptography.hazmat.backends.default_backend() backend = cryptography.hazmat.backends.default_backend()
for curve_name, constructor_name in CURVES: for curve_name, constructor_name in CURVES:
ecclass = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get( ecclass = getattr(cryptography.hazmat.primitives.asymmetric.ec, constructor_name, None)
constructor_name if ecclass is not None:
)
if ecclass:
try: try:
cryptography.hazmat.primitives.asymmetric.ec.generate_private_key( cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(
curve=ecclass(), backend=backend curve=ecclass(), backend=backend

7
plugins/modules/openssh_keypair.py
View File

@@ -164,6 +164,13 @@ EXAMPLES = r"""
path: /tmp/id_ssh_rsa path: /tmp/id_ssh_rsa
force: true force: true
- name: Regenerate SSH keypair only if format or options mismatch
community.crypto.openssh_keypair:
path: /home/devops/.ssh/id_ed25519
type: ed25519
regenerate: full_idempotence
private_key_format: ssh
- name: Generate an OpenSSH keypair with a different algorithm (dsa) - name: Generate an OpenSSH keypair with a different algorithm (dsa)
community.crypto.openssh_keypair: community.crypto.openssh_keypair:
path: /tmp/id_ssh_dsa path: /tmp/id_ssh_dsa

6
tests/ee/all.yml
View File

@@ -6,11 +6,11 @@
- hosts: localhost - hosts: localhost
tasks: tasks:
- name: Show Python info - name: Show Python info
debug: ansible.builtin.debug:
var: ansible_python var: ansible_python
- name: Register cryptography version - name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'" ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: cryptography_version register: cryptography_version
- name: Register pyOpenSSL version - name: Register pyOpenSSL version
@@ -19,7 +19,7 @@
register: pyopenssl_version register: pyopenssl_version
- name: Determine output directory - name: Determine output directory
set_fact: ansible.builtin.set_fact:
output_path: "{{ 'output-%0x' % ((2**32) | random) }}" output_path: "{{ 'output-%0x' % ((2**32) | random) }}"
- name: Find all roles - name: Find all roles

4
tests/ee/roles/crypto_info/tasks/main.yml
View File

@@ -8,11 +8,11 @@
register: result register: result
- name: Dump result - name: Dump result
debug: ansible.builtin.debug:
var: result var: result
- name: Validate result - name: Validate result
assert: ansible.builtin.assert:
that: that:
- result.openssl_present - result.openssl_present
- result.python_cryptography_installed - result.python_cryptography_installed

6
tests/ee/roles/luks_device/tasks/main.yml
View File

@@ -24,13 +24,13 @@
when: false when: false
block: block:
- name: Create lookback device - name: Create lookback device
command: losetup -f {{ cryptfile_path }} ansible.builtin.command: losetup -f {{ cryptfile_path }}
- name: Determine loop device name - name: Determine loop device name
command: losetup -j {{ cryptfile_path }} --output name ansible.builtin.command: losetup -j {{ cryptfile_path }} --output name
register: cryptfile_device_output register: cryptfile_device_output
- set_fact: - ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}" cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
- name: Create LUKS container - name: Create LUKS container

4
tests/ee/roles/smoke/tasks/main.yml
View File

@@ -8,7 +8,7 @@
register: result register: result
- name: Validate result - name: Validate result
assert: ansible.builtin.assert:
that: that:
- result.msg == 'Everything is ok' - result.msg == 'Everything is ok'
@@ -17,6 +17,6 @@
register: result register: result
- name: Validate result - name: Validate result
assert: ansible.builtin.assert:
that: that:
- result.msg == 'Everything is ok' - result.msg == 'Everything is ok'

46
tests/integration/targets/acme_account/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
type: ECC type: ECC
@@ -14,7 +14,7 @@
loop: "{{ account_keys }}" loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures) - name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info: community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
passphrase: "{{ item.pass | default(omit) | default(omit, true) }}" passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
return_private_key_data: true return_private_key_data: true
@@ -30,7 +30,7 @@
- name: accountkey5 - name: accountkey5
- name: Do not try to create account - name: Do not try to create account
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -42,7 +42,7 @@
register: account_not_created register: account_not_created
- name: Create it now (check mode, diff) - name: Create it now (check mode, diff)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -58,7 +58,7 @@
register: account_created_check register: account_created_check
- name: Create it now - name: Create it now
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -72,7 +72,7 @@
register: account_created register: account_created
- name: Create it now (idempotent) - name: Create it now (idempotent)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -86,12 +86,12 @@
register: account_created_idempotent register: account_created_idempotent
- name: Read account key - name: Read account key
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem' src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp register: slurp
- name: Change email address (check mode, diff) - name: Change email address (check mode, diff)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}" account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2 acme_version: 2
@@ -106,7 +106,7 @@
register: account_modified_check register: account_modified_check
- name: Change email address - name: Change email address
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}" account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2 acme_version: 2
@@ -119,7 +119,7 @@
register: account_modified register: account_modified
- name: Change email address (idempotent) - name: Change email address (idempotent)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri }}" account_uri: "{{ account_created.account_uri }}"
@@ -133,7 +133,7 @@
register: account_modified_idempotent register: account_modified_idempotent
- name: Cannot access account with wrong URI - name: Cannot access account with wrong URI
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}" account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
@@ -146,7 +146,7 @@
register: account_modified_wrong_uri register: account_modified_wrong_uri
- name: Clear contact email addresses (check mode, diff) - name: Clear contact email addresses (check mode, diff)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -160,7 +160,7 @@
register: account_modified_2_check register: account_modified_2_check
- name: Clear contact email addresses - name: Clear contact email addresses
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -172,7 +172,7 @@
register: account_modified_2 register: account_modified_2
- name: Clear contact email addresses (idempotent) - name: Clear contact email addresses (idempotent)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -184,7 +184,7 @@
register: account_modified_2_idempotent register: account_modified_2_idempotent
- name: Change account key (check mode, diff) - name: Change account key (check mode, diff)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -200,7 +200,7 @@
register: account_change_key_check register: account_change_key_check
- name: Change account key - name: Change account key
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -214,7 +214,7 @@
register: account_change_key register: account_change_key
- name: Deactivate account (check mode, diff) - name: Deactivate account (check mode, diff)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -227,7 +227,7 @@
register: account_deactivate_check register: account_deactivate_check
- name: Deactivate account - name: Deactivate account
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -238,7 +238,7 @@
register: account_deactivate register: account_deactivate
- name: Deactivate account (idempotent) - name: Deactivate account (idempotent)
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -249,7 +249,7 @@
register: account_deactivate_idempotent register: account_deactivate_idempotent
- name: Do not try to create account II - name: Do not try to create account II
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" account_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -262,7 +262,7 @@
register: account_not_created_2 register: account_not_created_2
- name: Do not try to create account III - name: Do not try to create account III
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -274,7 +274,7 @@
register: account_not_created_3 register: account_not_created_3
- name: Create account with External Account Binding - name: Create account with External Account Binding
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem" account_key_src: "{{ remote_tmp_dir }}/{{ item.account }}.pem"
acme_version: 2 acme_version: 2
@@ -304,4 +304,4 @@
kid: kid-3 kid: kid-3
alg: HS512 alg: HS512
key: zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W key: zWNDZM6eQGHWpSRTPal5eIUYFTu7EajVIoguysqZ9wG44nMEtx3MUAsUDkMTQ12W
- debug: var=account_created_eab - ansible.builtin.debug: var=account_created_eab

12
tests/integration/targets/acme_account/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

38
tests/integration/targets/acme_account/tests/validate.yml
View File

@@ -4,13 +4,13 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't created in the first step - name: Validate that account wasn't created in the first step
assert: ansible.builtin.assert:
that: that:
- account_not_created is failed - account_not_created is failed
- account_not_created.msg == 'Account does not exist or is deactivated.' - account_not_created.msg == 'Account does not exist or is deactivated.'
- name: Validate that account was created in the second step (check mode) - name: Validate that account was created in the second step (check mode)
assert: ansible.builtin.assert:
that: that:
- account_created_check is changed - account_created_check is changed
- account_created_check.account_uri is none - account_created_check.account_uri is none
@@ -21,19 +21,19 @@
- account_created_check.diff.after.contact[0] in ['mailto:example@example.org', 'mailto:********@********.org'] - account_created_check.diff.after.contact[0] in ['mailto:example@example.org', 'mailto:********@********.org']
- name: Validate that account was created in the second step - name: Validate that account was created in the second step
assert: ansible.builtin.assert:
that: that:
- account_created is changed - account_created is changed
- account_created.account_uri is not none - account_created.account_uri is not none
- name: Validate that account was created in the second step (idempotency) - name: Validate that account was created in the second step (idempotency)
assert: ansible.builtin.assert:
that: that:
- account_created_idempotent is not changed - account_created_idempotent is not changed
- account_created_idempotent.account_uri is not none - account_created_idempotent.account_uri is not none
- name: Validate that email address was changed (check mode) - name: Validate that email address was changed (check mode)
assert: ansible.builtin.assert:
that: that:
- account_modified_check is changed - account_modified_check is changed
- account_modified_check.account_uri is not none - account_modified_check.account_uri is not none
@@ -44,24 +44,24 @@
- account_modified_check.diff.after.contact[0] in ['mailto:example@example.com', 'mailto:********@********.com'] - account_modified_check.diff.after.contact[0] in ['mailto:example@example.com', 'mailto:********@********.com']
- name: Validate that email address was changed - name: Validate that email address was changed
assert: ansible.builtin.assert:
that: that:
- account_modified is changed - account_modified is changed
- account_modified.account_uri is not none - account_modified.account_uri is not none
- name: Validate that email address was not changed a second time (idempotency) - name: Validate that email address was not changed a second time (idempotency)
assert: ansible.builtin.assert:
that: that:
- account_modified_idempotent is not changed - account_modified_idempotent is not changed
- account_modified_idempotent.account_uri is not none - account_modified_idempotent.account_uri is not none
- name: Make sure that with the wrong account URI, the account cannot be changed - name: Make sure that with the wrong account URI, the account cannot be changed
assert: ansible.builtin.assert:
that: that:
- account_modified_wrong_uri is failed - account_modified_wrong_uri is failed
- name: Validate that email address was cleared (check mode) - name: Validate that email address was cleared (check mode)
assert: ansible.builtin.assert:
that: that:
- account_modified_2_check is changed - account_modified_2_check is changed
- account_modified_2_check.account_uri is not none - account_modified_2_check.account_uri is not none
@@ -71,19 +71,19 @@
- account_modified_2_check.diff.after.contact | length == 0 - account_modified_2_check.diff.after.contact | length == 0
- name: Validate that email address was cleared - name: Validate that email address was cleared
assert: ansible.builtin.assert:
that: that:
- account_modified_2 is changed - account_modified_2 is changed
- account_modified_2.account_uri is not none - account_modified_2.account_uri is not none
- name: Validate that email address was not cleared a second time (idempotency) - name: Validate that email address was not cleared a second time (idempotency)
assert: ansible.builtin.assert:
that: that:
- account_modified_2_idempotent is not changed - account_modified_2_idempotent is not changed
- account_modified_2_idempotent.account_uri is not none - account_modified_2_idempotent.account_uri is not none
- name: Validate that the account key was changed (check mode) - name: Validate that the account key was changed (check mode)
assert: ansible.builtin.assert:
that: that:
- account_change_key_check is changed - account_change_key_check is changed
- account_change_key_check.account_uri is not none - account_change_key_check.account_uri is not none
@@ -91,13 +91,13 @@
- account_change_key_check.diff.before.public_account_key != account_change_key_check.diff.after.public_account_key - account_change_key_check.diff.before.public_account_key != account_change_key_check.diff.after.public_account_key
- name: Validate that the account key was changed - name: Validate that the account key was changed
assert: ansible.builtin.assert:
that: that:
- account_change_key is changed - account_change_key is changed
- account_change_key.account_uri is not none - account_change_key.account_uri is not none
- name: Validate that the account was deactivated (check mode) - name: Validate that the account was deactivated (check mode)
assert: ansible.builtin.assert:
that: that:
- account_deactivate_check is changed - account_deactivate_check is changed
- account_deactivate_check.account_uri is not none - account_deactivate_check.account_uri is not none
@@ -106,13 +106,13 @@
- "account_deactivate_check.diff.after == {}" - "account_deactivate_check.diff.after == {}"
- name: Validate that the account was deactivated - name: Validate that the account was deactivated
assert: ansible.builtin.assert:
that: that:
- account_deactivate is changed - account_deactivate is changed
- account_deactivate.account_uri is not none - account_deactivate.account_uri is not none
- name: Validate that the account was really deactivated (idempotency) - name: Validate that the account was really deactivated (idempotency)
assert: ansible.builtin.assert:
that: that:
- account_deactivate_idempotent is not changed - account_deactivate_idempotent is not changed
# The next condition should be true for all conforming ACME servers. # The next condition should be true for all conforming ACME servers.
@@ -121,19 +121,19 @@
- account_deactivate_idempotent.account_uri is none - account_deactivate_idempotent.account_uri is none
- name: Validate that the account is gone (new account key) - name: Validate that the account is gone (new account key)
assert: ansible.builtin.assert:
that: that:
- account_not_created_2 is failed - account_not_created_2 is failed
- account_not_created_2.msg == 'Account does not exist or is deactivated.' - account_not_created_2.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account is gone (old account key) - name: Validate that the account is gone (old account key)
assert: ansible.builtin.assert:
that: that:
- account_not_created_3 is failed - account_not_created_3 is failed
- account_not_created_3.msg == 'Account does not exist or is deactivated.' - account_not_created_3.msg == 'Account does not exist or is deactivated.'
- name: Validate that the account with External Account Binding has been created - name: Validate that the account with External Account Binding has been created
assert: ansible.builtin.assert:
that: that:
- account_created_eab.results[0] is changed - account_created_eab.results[0] is changed
- account_created_eab.results[1] is changed - account_created_eab.results[1] is changed

20
tests/integration/targets/acme_account_info/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem" path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}" loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures) - name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info: community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem" path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true return_private_key_data: true
loop: "{{ account_keys }}" loop: "{{ account_keys }}"
@@ -24,7 +24,7 @@
- accountkey2 - accountkey2
- name: Check that account does not exist - name: Check that account does not exist
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -33,7 +33,7 @@
register: account_not_created register: account_not_created
- name: Create it now - name: Create it now
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -46,7 +46,7 @@
- mailto:example@example.org - mailto:example@example.org
- name: Check that account exists - name: Check that account exists
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -55,12 +55,12 @@
register: account_created register: account_created
- name: Read account key - name: Read account key
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/accountkey.pem' src: '{{ remote_tmp_dir }}/accountkey.pem'
register: slurp register: slurp
- name: Clear email address - name: Clear email address
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp.content | b64decode }}" account_key_content: "{{ slurp.content | b64decode }}"
acme_version: 2 acme_version: 2
@@ -71,7 +71,7 @@
contact: [] contact: []
- name: Check that account was modified - name: Check that account was modified
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -81,7 +81,7 @@
register: account_modified register: account_modified
- name: Check with wrong account URI - name: Check with wrong account URI
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
acme_version: 2 acme_version: 2
@@ -91,7 +91,7 @@
register: account_not_exist register: account_not_exist
- name: Check with wrong account key - name: Check with wrong account key
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey2.pem"
acme_version: 2 acme_version: 2

12
tests/integration/targets/acme_account_info/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

10
tests/integration/targets/acme_account_info/tests/validate.yml
View File

@@ -4,14 +4,14 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate that account wasn't there - name: Validate that account wasn't there
assert: ansible.builtin.assert:
that: that:
- not account_not_created.exists - not account_not_created.exists
- account_not_created.account_uri is none - account_not_created.account_uri is none
- "'account' not in account_not_created" - "'account' not in account_not_created"
- name: Validate that account was created - name: Validate that account was created
assert: ansible.builtin.assert:
that: that:
- account_created.exists - account_created.exists
- account_created.account_uri is not none - account_created.account_uri is not none
@@ -22,7 +22,7 @@
- "account_created.account.contact[0] == 'mailto:example@example.org'" - "account_created.account.contact[0] == 'mailto:example@example.org'"
- name: Validate that account email was removed - name: Validate that account email was removed
assert: ansible.builtin.assert:
that: that:
- account_modified.exists - account_modified.exists
- account_modified.account_uri is not none - account_modified.account_uri is not none
@@ -32,13 +32,13 @@
- account_modified.account.contact | length == 0 - account_modified.account.contact | length == 0
- name: Validate that account does not exist with wrong account URI - name: Validate that account does not exist with wrong account URI
assert: ansible.builtin.assert:
that: that:
- not account_not_exist.exists - not account_not_exist.exists
- account_not_exist.account_uri is none - account_not_exist.account_uri is none
- "'account' not in account_not_exist" - "'account' not in account_not_exist"
- name: Validate that account cannot be accessed with wrong key - name: Validate that account cannot be accessed with wrong key
assert: ansible.builtin.assert:
that: that:
- account_wrong_key is failed - account_wrong_key is failed

12
tests/integration/targets/acme_ari_info/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ######################################################################## ## SET UP ACCOUNT KEYS ########################################################################
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}" type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}" size: "{{ item.size | default(omit) }}"
@@ -21,7 +21,7 @@
curve: secp256r1 curve: secp256r1
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1 - name: Obtain cert 1
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 1 for renewal check certgen_title: Certificate 1 for renewal check
certificate_name: cert-1 certificate_name: cert-1
@@ -39,18 +39,18 @@
account_email: "example@example.org" account_email: "example@example.org"
## OBTAIN CERTIFICATE INFOS ################################################################### ## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info - name: Dump OpenSSL x509 info
command: ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information - name: Obtain certificate information
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem" path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info register: cert_1_info
- name: Read certificate - name: Read certificate
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem' src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1 register: slurp_cert_1
- name: Obtain certificate information - name: Obtain certificate information
acme_ari_info: community.crypto.acme_ari_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2

12
tests/integration/targets/acme_ari_info/tasks/main.yml
View File

@@ -14,31 +14,31 @@
block: block:
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

2
tests/integration/targets/acme_ari_info/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Validate results - name: Validate results
assert: ansible.builtin.assert:
that: that:
- cert_1 is not changed - cert_1 is not changed
- cert_1.renewal_info.explanationURL is not defined or cert_1.renewal_info.explanationURL is string - cert_1.renewal_info.explanationURL is not defined or cert_1.renewal_info.explanationURL is string

116
tests/integration/targets/acme_certificate/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ######################################################################## ## SET UP ACCOUNT KEYS ########################################################################
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}" type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}" size: "{{ item.size | default(omit) }}"
@@ -28,7 +28,7 @@
## SET UP ACCOUNTS ############################################################################ ## SET UP ACCOUNTS ############################################################################
- name: Make sure ECC256 account hasn't been created yet - name: Make sure ECC256 account hasn't been created yet
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2 acme_version: 2
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
@@ -36,11 +36,11 @@
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
state: absent state: absent
- name: Read account key (EC384) - name: Read account key (EC384)
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem' src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp register: slurp
- name: Create ECC384 account - name: Create ECC384 account
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2 acme_version: 2
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
@@ -53,7 +53,7 @@
- mailto:example@example.org - mailto:example@example.org
- mailto:example@example.com - mailto:example@example.com
- name: Create RSA account - name: Create RSA account
acme_account: community.crypto.acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2 acme_version: 2
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
@@ -66,7 +66,7 @@
## OBTAIN CERTIFICATES ######################################################################## ## OBTAIN CERTIFICATES ########################################################################
- name: Obtain cert 1 - name: Obtain cert 1
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 1 certgen_title: Certificate 1
certificate_name: cert-1 certificate_name: cert-1
@@ -89,11 +89,11 @@
issuer: "{{ acme_roots[1].subject }}" issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true use_csr_content: true
- name: Store obtain results for cert 1 - name: Store obtain results for cert 1
set_fact: ansible.builtin.set_fact:
cert_1_obtain_results: "{{ certificate_obtain_result }}" cert_1_obtain_results: "{{ certificate_obtain_result }}"
cert_1_alternate: "{{ 1 if select_crypto_backend == 'cryptography' else 0 }}" cert_1_alternate: "{{ 1 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 2 - name: Obtain cert 2
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 2 certgen_title: Certificate 2
certificate_name: cert-2 certificate_name: cert-2
@@ -122,15 +122,15 @@
issuer: "{{ acme_roots[2].subject }}" issuer: "{{ acme_roots[2].subject }}"
use_csr_content: false use_csr_content: false
- name: Store obtain results for cert 2 - name: Store obtain results for cert 2
set_fact: ansible.builtin.set_fact:
cert_2_obtain_results: "{{ certificate_obtain_result }}" cert_2_obtain_results: "{{ certificate_obtain_result }}"
cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" cert_2_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Read account key (RSA) - name: Read account key (RSA)
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem' src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key register: slurp_account_key
- name: Obtain cert 3 - name: Obtain cert 3
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 3 certgen_title: Certificate 3
certificate_name: cert-3 certificate_name: cert-3
@@ -152,11 +152,11 @@
subject: "{{ acme_roots[1].subject }}" subject: "{{ acme_roots[1].subject }}"
use_csr_content: true use_csr_content: true
- name: Store obtain results for cert 3 - name: Store obtain results for cert 3
set_fact: ansible.builtin.set_fact:
cert_3_obtain_results: "{{ certificate_obtain_result }}" cert_3_obtain_results: "{{ certificate_obtain_result }}"
cert_3_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" cert_3_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 4 - name: Obtain cert 4
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 4 certgen_title: Certificate 4
certificate_name: cert-4 certificate_name: cert-4
@@ -181,11 +181,11 @@
issuer: "{{ acme_roots[1].subject }}" issuer: "{{ acme_roots[1].subject }}"
use_csr_content: false use_csr_content: false
- name: Store obtain results for cert 4 - name: Store obtain results for cert 4
set_fact: ansible.builtin.set_fact:
cert_4_obtain_results: "{{ certificate_obtain_result }}" cert_4_obtain_results: "{{ certificate_obtain_result }}"
cert_4_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}" cert_4_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5 - name: Obtain cert 5
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 5, Iteration 1/4 certgen_title: Certificate 5, Iteration 1/4
certificate_name: cert-5 certificate_name: cert-5
@@ -202,11 +202,11 @@
account_email: "" account_email: ""
use_csr_content: true use_csr_content: true
- name: Store obtain results for cert 5a - name: Store obtain results for cert 5a
set_fact: ansible.builtin.set_fact:
cert_5a_obtain_results: "{{ certificate_obtain_result }}" cert_5a_obtain_results: "{{ certificate_obtain_result }}"
cert_5_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" cert_5_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
- name: Obtain cert 5 (should not, since already there and valid for more than 1 days) - name: Obtain cert 5 (should not, since already there and valid for more than 1 days)
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 5, Iteration 2/4 certgen_title: Certificate 5, Iteration 2/4
certificate_name: cert-5 certificate_name: cert-5
@@ -223,10 +223,10 @@
account_email: "" account_email: ""
use_csr_content: false use_csr_content: false
- name: Store obtain results for cert 5b - name: Store obtain results for cert 5b
set_fact: ansible.builtin.set_fact:
cert_5_recreate_1: "{{ challenge_data is changed }}" cert_5_recreate_1: "{{ challenge_data is changed }}"
- name: Obtain cert 5 (should again by less days) - name: Obtain cert 5 (should again by less days)
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 5, Iteration 3/4 certgen_title: Certificate 5, Iteration 3/4
certificate_name: cert-5 certificate_name: cert-5
@@ -245,15 +245,15 @@
acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}" acme_certificate_profile: "{{ '6days' if acme_supports_profiles else omit }}"
acme_certificate_include_renewal_cert_id: when_ari_supported acme_certificate_include_renewal_cert_id: when_ari_supported
- name: Store obtain results for cert 5c - name: Store obtain results for cert 5c
set_fact: ansible.builtin.set_fact:
cert_5_recreate_2: "{{ challenge_data is changed }}" cert_5_recreate_2: "{{ challenge_data is changed }}"
cert_5c_obtain_results: "{{ certificate_obtain_result }}" cert_5c_obtain_results: "{{ certificate_obtain_result }}"
- name: Read account key (EC384) - name: Read account key (EC384)
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec384.pem' src: '{{ remote_tmp_dir }}/account-ec384.pem'
register: slurp_account_key register: slurp_account_key
- name: Obtain cert 5 (should again by force) - name: Obtain cert 5 (should again by force)
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 5, Iteration 4/4 certgen_title: Certificate 5, Iteration 4/4
certificate_name: cert-5 certificate_name: cert-5
@@ -270,12 +270,12 @@
account_email: "" account_email: ""
use_csr_content: false use_csr_content: false
- name: Store obtain results for cert 5d - name: Store obtain results for cert 5d
set_fact: ansible.builtin.set_fact:
cert_5_recreate_3: "{{ challenge_data is changed }}" cert_5_recreate_3: "{{ challenge_data is changed }}"
cert_5d_obtain_results: "{{ certificate_obtain_result }}" cert_5d_obtain_results: "{{ certificate_obtain_result }}"
- block: - block:
- name: Obtain cert 6 - name: Obtain cert 6
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 6 certgen_title: Certificate 6
certificate_name: cert-6 certificate_name: cert-6
@@ -303,13 +303,13 @@
issuer: "{{ acme_roots[1].subject }}" issuer: "{{ acme_roots[1].subject }}"
use_csr_content: true use_csr_content: true
- name: Store obtain results for cert 6 - name: Store obtain results for cert 6
set_fact: ansible.builtin.set_fact:
cert_6_obtain_results: "{{ certificate_obtain_result }}" cert_6_obtain_results: "{{ certificate_obtain_result }}"
cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_intermediates[0].subject_key_identifier is defined when: acme_intermediates[0].subject_key_identifier is defined
- block: - block:
- name: Obtain cert 7 - name: Obtain cert 7
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 7 certgen_title: Certificate 7
certificate_name: cert-7 certificate_name: cert-7
@@ -333,13 +333,13 @@
authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}" authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
use_csr_content: false use_csr_content: false
- name: Store obtain results for cert 7 - name: Store obtain results for cert 7
set_fact: ansible.builtin.set_fact:
cert_7_obtain_results: "{{ certificate_obtain_result }}" cert_7_obtain_results: "{{ certificate_obtain_result }}"
cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}" cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
when: acme_roots[2].subject_key_identifier is defined when: acme_roots[2].subject_key_identifier is defined
- block: - block:
- name: Obtain cert 8 - name: Obtain cert 8
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 8 certgen_title: Certificate 8
certificate_name: cert-8 certificate_name: cert-8
@@ -361,7 +361,7 @@
account_email: "example@example.org" account_email: "example@example.org"
use_csr_content: true use_csr_content: true
- name: Store obtain results for cert 8 - name: Store obtain results for cert 8
set_fact: ansible.builtin.set_fact:
cert_8_obtain_results: "{{ certificate_obtain_result }}" cert_8_obtain_results: "{{ certificate_obtain_result }}"
cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}" cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
@@ -369,110 +369,110 @@
## DISSECT CERTIFICATES ####################################################################### ## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate. # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1 - name: Verifying cert 1
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-1-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-1-chain.pem" "{{ remote_tmp_dir }}/cert-1.pem"'
ignore_errors: true ignore_errors: true
register: cert_1_valid register: cert_1_valid
- name: Verifying cert 2 - name: Verifying cert 2
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-2-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-2-chain.pem" "{{ remote_tmp_dir }}/cert-2.pem"'
ignore_errors: true ignore_errors: true
register: cert_2_valid register: cert_2_valid
- name: Verifying cert 3 - name: Verifying cert 3
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-3-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-3-chain.pem" "{{ remote_tmp_dir }}/cert-3.pem"'
ignore_errors: true ignore_errors: true
register: cert_3_valid register: cert_3_valid
- name: Verifying cert 4 - name: Verifying cert 4
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-4-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-4-chain.pem" "{{ remote_tmp_dir }}/cert-4.pem"'
ignore_errors: true ignore_errors: true
register: cert_4_valid register: cert_4_valid
- name: Verifying cert 5 - name: Verifying cert 5
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-5-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-5-chain.pem" "{{ remote_tmp_dir }}/cert-5.pem"'
ignore_errors: true ignore_errors: true
register: cert_5_valid register: cert_5_valid
- name: Verifying cert 6 - name: Verifying cert 6
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
ignore_errors: true ignore_errors: true
register: cert_6_valid register: cert_6_valid
when: acme_intermediates[0].subject_key_identifier is defined when: acme_intermediates[0].subject_key_identifier is defined
- name: Verifying cert 7 - name: Verifying cert 7
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
ignore_errors: true ignore_errors: true
register: cert_7_valid register: cert_7_valid
when: acme_roots[2].subject_key_identifier is defined when: acme_roots[2].subject_key_identifier is defined
- name: Verifying cert 8 - name: Verifying cert 8
command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"' ansible.builtin.command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
ignore_errors: true ignore_errors: true
register: cert_8_valid register: cert_8_valid
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info # Dump certificate info
- name: Dumping cert 1 - name: Dumping cert 1
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
register: cert_1_text register: cert_1_text
- name: Dumping cert 2 - name: Dumping cert 2
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-2.pem" -noout -text'
register: cert_2_text register: cert_2_text
- name: Dumping cert 3 - name: Dumping cert 3
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-3.pem" -noout -text'
register: cert_3_text register: cert_3_text
- name: Dumping cert 4 - name: Dumping cert 4
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-4.pem" -noout -text'
register: cert_4_text register: cert_4_text
- name: Dumping cert 5 - name: Dumping cert 5
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-5.pem" -noout -text'
register: cert_5_text register: cert_5_text
- name: Dumping cert 6 - name: Dumping cert 6
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
register: cert_6_text register: cert_6_text
when: acme_intermediates[0].subject_key_identifier is defined when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7 - name: Dumping cert 7
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
register: cert_7_text register: cert_7_text
when: acme_roots[2].subject_key_identifier is defined when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8 - name: Dumping cert 8
command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text' ansible.builtin.command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
register: cert_8_text register: cert_8_text
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
# Dump certificate info # Dump certificate info
- name: Dumping cert 1 - name: Dumping cert 1
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem" path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info register: cert_1_info
- name: Dumping cert 2 - name: Dumping cert 2
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-2.pem" path: "{{ remote_tmp_dir }}/cert-2.pem"
register: cert_2_info register: cert_2_info
- name: Dumping cert 3 - name: Dumping cert 3
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-3.pem" path: "{{ remote_tmp_dir }}/cert-3.pem"
register: cert_3_info register: cert_3_info
- name: Dumping cert 4 - name: Dumping cert 4
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-4.pem" path: "{{ remote_tmp_dir }}/cert-4.pem"
register: cert_4_info register: cert_4_info
- name: Dumping cert 5 - name: Dumping cert 5
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-5.pem" path: "{{ remote_tmp_dir }}/cert-5.pem"
register: cert_5_info register: cert_5_info
- name: Dumping cert 6 - name: Dumping cert 6
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-6.pem" path: "{{ remote_tmp_dir }}/cert-6.pem"
register: cert_6_info register: cert_6_info
when: acme_intermediates[0].subject_key_identifier is defined when: acme_intermediates[0].subject_key_identifier is defined
- name: Dumping cert 7 - name: Dumping cert 7
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-7.pem" path: "{{ remote_tmp_dir }}/cert-7.pem"
register: cert_7_info register: cert_7_info
when: acme_roots[2].subject_key_identifier is defined when: acme_roots[2].subject_key_identifier is defined
- name: Dumping cert 8 - name: Dumping cert 8
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-8.pem" path: "{{ remote_tmp_dir }}/cert-8.pem"
register: cert_8_info register: cert_8_info
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
## GET ACCOUNT ORDERS ######################################################################### ## GET ACCOUNT ORDERS #########################################################################
- name: Don't retrieve orders - name: Don't retrieve orders
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2 acme_version: 2
@@ -481,7 +481,7 @@
retrieve_orders: ignore retrieve_orders: ignore
register: account_orders_not register: account_orders_not
- name: Retrieve orders as URL list (1/2) - name: Retrieve orders as URL list (1/2)
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2 acme_version: 2
@@ -490,7 +490,7 @@
retrieve_orders: url_list retrieve_orders: url_list
register: account_orders_urls register: account_orders_urls
- name: Retrieve orders as URL list (2/2) - name: Retrieve orders as URL list (2/2)
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2 acme_version: 2
@@ -499,7 +499,7 @@
retrieve_orders: url_list retrieve_orders: url_list
register: account_orders_urls2 register: account_orders_urls2
- name: Retrieve orders as object list (1/2) - name: Retrieve orders as object list (1/2)
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
acme_version: 2 acme_version: 2
@@ -508,7 +508,7 @@
retrieve_orders: object_list retrieve_orders: object_list
register: account_orders_full register: account_orders_full
- name: Retrieve orders as object list (2/2) - name: Retrieve orders as object list (2/2)
acme_account_info: community.crypto.acme_account_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec384.pem"
acme_version: 2 acme_version: 2

36
tests/integration/targets/acme_certificate/tasks/main.yml
View File

@@ -10,46 +10,46 @@
- block: - block:
- name: Obtain root and intermediate certificates - name: Obtain root and intermediate certificates
get_url: ansible.builtin.get_url:
url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}" url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem" dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
loop: "{{ query('nested', types, root_numbers) }}" loop: "{{ query('nested', types, root_numbers) }}"
- name: Analyze root certificates - name: Analyze root certificates
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem" path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
loop: "{{ root_numbers }}" loop: "{{ root_numbers }}"
register: acme_roots register: acme_roots
- name: Analyze intermediate certificates - name: Analyze intermediate certificates
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem" path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
loop: "{{ root_numbers }}" loop: "{{ root_numbers }}"
register: acme_intermediates register: acme_intermediates
- name: Read root certificates - name: Read root certificates
slurp: ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}" src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}" loop: "{{ root_numbers }}"
register: slurp_roots register: slurp_roots
- set_fact: - ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_roots.results }}" loop: "{{ acme_roots.results }}"
register: acme_roots_tmp register: acme_roots_tmp
- name: Read intermediate certificates - name: Read intermediate certificates
slurp: ansible.builtin.slurp:
src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}" src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
loop: "{{ root_numbers }}" loop: "{{ root_numbers }}"
register: slurp_intermediates register: slurp_intermediates
- set_fact: - ansible.builtin.set_fact:
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}" x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
loop: "{{ acme_intermediates.results }}" loop: "{{ acme_intermediates.results }}"
register: acme_intermediates_tmp register: acme_intermediates_tmp
- set_fact: - ansible.builtin.set_fact:
acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}" acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}" acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}" acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
@@ -74,48 +74,48 @@
# - public_key_fingerprints # - public_key_fingerprints
- name: ACME root certificate info - name: ACME root certificate info
debug: ansible.builtin.debug:
var: acme_roots var: acme_roots
# - name: ACME root certificates as PEM # - name: ACME root certificates as PEM
# debug: # ansible.builtin.debug:
# var: acme_root_certs # var: acme_root_certs
- name: ACME intermediate certificate info - name: ACME intermediate certificate info
debug: ansible.builtin.debug:
var: acme_intermediates var: acme_intermediates
# - name: ACME intermediate certificates as PEM # - name: ACME intermediate certificates as PEM
# debug: # ansible.builtin.debug:
# var: acme_intermediate_certs # var: acme_intermediate_certs
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

62
tests/integration/targets/acme_certificate/tests/validate.yml
View File

@@ -4,15 +4,15 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 is valid - name: Check that certificate 1 is valid
assert: ansible.builtin.assert:
that: that:
- cert_1_valid is not failed - cert_1_valid is not failed
- name: Check that certificate 1 contains correct SANs - name: Check that certificate 1 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:example.com' in cert_1_text.stdout" - "'DNS:example.com' in cert_1_text.stdout"
- name: Read certificate 1 files - name: Read certificate 1 files
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}' src: '{{ remote_tmp_dir }}/{{ item }}'
loop: loop:
- cert-1.pem - cert-1.pem
@@ -20,7 +20,7 @@
- cert-1-fullchain.pem - cert-1-fullchain.pem
register: slurp register: slurp
- name: Check that certificate 1 retrieval got all chains - name: Check that certificate 1 retrieval got all chains
assert: ansible.builtin.assert:
that: that:
- "'all_chains' in cert_1_obtain_results" - "'all_chains' in cert_1_obtain_results"
- "cert_1_obtain_results.all_chains | length > 1" - "cert_1_obtain_results.all_chains | length > 1"
@@ -32,16 +32,16 @@
- "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain" - "(slurp.results[2].content | b64decode) == cert_1_obtain_results.all_chains[cert_1_alternate | int].full_chain"
- name: Check that certificate 2 is valid - name: Check that certificate 2 is valid
assert: ansible.builtin.assert:
that: that:
- cert_2_valid is not failed - cert_2_valid is not failed
- name: Check that certificate 2 contains correct SANs - name: Check that certificate 2 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:*.example.com' in cert_2_text.stdout" - "'DNS:*.example.com' in cert_2_text.stdout"
- "'DNS:example.com' in cert_2_text.stdout" - "'DNS:example.com' in cert_2_text.stdout"
- name: Read certificate 2 files - name: Read certificate 2 files
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}' src: '{{ remote_tmp_dir }}/{{ item }}'
loop: loop:
- cert-2.pem - cert-2.pem
@@ -49,7 +49,7 @@
- cert-2-fullchain.pem - cert-2-fullchain.pem
register: slurp register: slurp
- name: Check that certificate 1 retrieval got all chains - name: Check that certificate 1 retrieval got all chains
assert: ansible.builtin.assert:
that: that:
- "'all_chains' in cert_2_obtain_results" - "'all_chains' in cert_2_obtain_results"
- "cert_2_obtain_results.all_chains | length > 1" - "cert_2_obtain_results.all_chains | length > 1"
@@ -61,17 +61,17 @@
- "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain" - "(slurp.results[2].content | b64decode) == cert_2_obtain_results.all_chains[cert_2_alternate | int].full_chain"
- name: Check that certificate 3 is valid - name: Check that certificate 3 is valid
assert: ansible.builtin.assert:
that: that:
- cert_3_valid is not failed - cert_3_valid is not failed
- name: Check that certificate 3 contains correct SANs - name: Check that certificate 3 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:*.example.com' in cert_3_text.stdout" - "'DNS:*.example.com' in cert_3_text.stdout"
- "'DNS:example.org' in cert_3_text.stdout" - "'DNS:example.org' in cert_3_text.stdout"
- "'DNS:t1.example.com' in cert_3_text.stdout" - "'DNS:t1.example.com' in cert_3_text.stdout"
- name: Read certificate 3 files - name: Read certificate 3 files
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item }}' src: '{{ remote_tmp_dir }}/{{ item }}'
loop: loop:
- cert-3.pem - cert-3.pem
@@ -79,7 +79,7 @@
- cert-3-fullchain.pem - cert-3-fullchain.pem
register: slurp register: slurp
- name: Check that certificate 1 retrieval got all chains - name: Check that certificate 1 retrieval got all chains
assert: ansible.builtin.assert:
that: that:
- "'all_chains' in cert_3_obtain_results" - "'all_chains' in cert_3_obtain_results"
- "cert_3_obtain_results.all_chains | length > 1" - "cert_3_obtain_results.all_chains | length > 1"
@@ -91,11 +91,11 @@
- "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain" - "(slurp.results[2].content | b64decode) == cert_3_obtain_results.all_chains[cert_3_alternate | int].full_chain"
- name: Check that certificate 4 is valid - name: Check that certificate 4 is valid
assert: ansible.builtin.assert:
that: that:
- cert_4_valid is not failed - cert_4_valid is not failed
- name: Check that certificate 4 contains correct SANs - name: Check that certificate 4 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:example.com' in cert_4_text.stdout" - "'DNS:example.com' in cert_4_text.stdout"
- "'DNS:t1.example.com' in cert_4_text.stdout" - "'DNS:t1.example.com' in cert_4_text.stdout"
@@ -103,72 +103,72 @@
- "'DNS:example.org' in cert_4_text.stdout" - "'DNS:example.org' in cert_4_text.stdout"
- "'DNS:TesT.example.org' in cert_4_text.stdout" - "'DNS:TesT.example.org' in cert_4_text.stdout"
- name: Check that certificate 4 retrieval did not get all chains - name: Check that certificate 4 retrieval did not get all chains
assert: ansible.builtin.assert:
that: that:
- "'all_chains' not in cert_4_obtain_results" - "'all_chains' not in cert_4_obtain_results"
- name: Check that certificate 5 is valid - name: Check that certificate 5 is valid
assert: ansible.builtin.assert:
that: that:
- cert_5_valid is not failed - cert_5_valid is not failed
- name: Check that certificate 5 contains correct SANs - name: Check that certificate 5 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:t2.example.com' in cert_5_text.stdout" - "'DNS:t2.example.com' in cert_5_text.stdout"
- name: Check that certificate 5 was not recreated on the first try - name: Check that certificate 5 was not recreated on the first try
assert: ansible.builtin.assert:
that: that:
- cert_5_recreate_1 == false - cert_5_recreate_1 == false
- name: Check that certificate 5 was recreated on the second try - name: Check that certificate 5 was recreated on the second try
assert: ansible.builtin.assert:
that: that:
- cert_5_recreate_2 == true - cert_5_recreate_2 == true
- name: Check that certificate 5 was recreated on the third try - name: Check that certificate 5 was recreated on the third try
assert: ansible.builtin.assert:
that: that:
- cert_5_recreate_3 == true - cert_5_recreate_3 == true
- block: - block:
- name: Check that certificate 6 is valid - name: Check that certificate 6 is valid
assert: ansible.builtin.assert:
that: that:
- cert_6_valid is not failed - cert_6_valid is not failed
- name: Check that certificate 6 contains correct SANs - name: Check that certificate 6 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'DNS:example.org' in cert_6_text.stdout" - "'DNS:example.org' in cert_6_text.stdout"
when: acme_intermediates[0].subject_key_identifier is defined when: acme_intermediates[0].subject_key_identifier is defined
- block: - block:
- name: Check that certificate 7 is valid - name: Check that certificate 7 is valid
assert: ansible.builtin.assert:
that: that:
- cert_7_valid is not failed - cert_7_valid is not failed
- name: Check that certificate 7 contains correct SANs - name: Check that certificate 7 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: acme_roots[2].subject_key_identifier is defined when: acme_roots[2].subject_key_identifier is defined
- block: - block:
- name: Check that certificate 8 is valid - name: Check that certificate 8 is valid
assert: ansible.builtin.assert:
that: that:
- cert_8_valid is not failed - cert_8_valid is not failed
- name: Check that certificate 8 contains correct SANs - name: Check that certificate 8 contains correct SANs
assert: ansible.builtin.assert:
that: that:
- "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout" - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: Validate that orders were not retrieved - name: Validate that orders were not retrieved
assert: ansible.builtin.assert:
that: that:
- "'account' in account_orders_not" - "'account' in account_orders_not"
- "'orders' not in account_orders_not" - "'orders' not in account_orders_not"
- name: Validate that orders were retrieved as list of URLs (1/2) - name: Validate that orders were retrieved as list of URLs (1/2)
assert: ansible.builtin.assert:
that: that:
- "'account' in account_orders_urls" - "'account' in account_orders_urls"
- "'orders' not in account_orders_urls" - "'orders' not in account_orders_urls"
@@ -176,7 +176,7 @@
- "account_orders_urls.order_uris[0] is string" - "account_orders_urls.order_uris[0] is string"
- name: Validate that orders were retrieved as list of URLs (2/2) - name: Validate that orders were retrieved as list of URLs (2/2)
assert: ansible.builtin.assert:
that: that:
- "'account' in account_orders_urls2" - "'account' in account_orders_urls2"
- "'orders' not in account_orders_urls2" - "'orders' not in account_orders_urls2"
@@ -184,7 +184,7 @@
- "account_orders_urls2.order_uris[0] is string" - "account_orders_urls2.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (1/2) - name: Validate that orders were retrieved as list of objects (1/2)
assert: ansible.builtin.assert:
that: that:
- "'account' in account_orders_full" - "'account' in account_orders_full"
- "'orders' in account_orders_full" - "'orders' in account_orders_full"
@@ -193,7 +193,7 @@
- "account_orders_full.order_uris[0] is string" - "account_orders_full.order_uris[0] is string"
- name: Validate that orders were retrieved as list of objects (2/2) - name: Validate that orders were retrieved as list of objects (2/2)
assert: ansible.builtin.assert:
that: that:
- "'account' in account_orders_full2" - "'account' in account_orders_full2"
- "'orders' in account_orders_full2" - "'orders' in account_orders_full2"

36
tests/integration/targets/acme_certificate_deactivate_authz/tasks/impl.yml
View File

@@ -9,24 +9,24 @@
account_email: example@example.org account_email: example@example.org
block: block:
- name: Generate account key - name: Generate account key
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem" path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
force: true force: true
- name: Create cert private key - name: Create cert private key
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key" path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
force: true force: true
- name: Create cert CSR - name: Create cert CSR
openssl_csr: community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/{{ certificate_name }}.csr" path: "{{ remote_tmp_dir }}/{{ certificate_name }}.csr"
privatekey_path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key" privatekey_path: "{{ remote_tmp_dir }}/{{ certificate_name }}.key"
subject_alt_name: "{{ subject_alt_name }}" subject_alt_name: "{{ subject_alt_name }}"
- name: Start process of obtaining certificate - name: Start process of obtaining certificate
acme_certificate: community.crypto.acme_certificate:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2 acme_version: 2
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
@@ -42,7 +42,7 @@
register: certificate_data register: certificate_data
- name: Inspect order - name: Inspect order
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -52,11 +52,11 @@
method: get method: get
register: order_1 register: order_1
- name: Show order - name: Show order
debug: ansible.builtin.debug:
var: order_1.output_json var: order_1.output_json
- name: Deactivate order (check mode) - name: Deactivate order (check mode)
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -67,7 +67,7 @@
register: deactivate_1 register: deactivate_1
- name: Inspect order again - name: Inspect order again
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -77,11 +77,11 @@
method: get method: get
register: order_2 register: order_2
- name: Show order - name: Show order
debug: ansible.builtin.debug:
var: order_2.output_json var: order_2.output_json
- name: Deactivate order - name: Deactivate order
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -91,7 +91,7 @@
register: deactivate_2 register: deactivate_2
- name: Inspect order again - name: Inspect order again
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -101,11 +101,11 @@
method: get method: get
register: order_3 register: order_3
- name: Show order - name: Show order
debug: ansible.builtin.debug:
var: order_3.output_json var: order_3.output_json
- name: Deactivate order (check mode, idempotent) - name: Deactivate order (check mode, idempotent)
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -116,7 +116,7 @@
register: deactivate_3 register: deactivate_3
- name: Inspect order again - name: Inspect order again
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -126,11 +126,11 @@
method: get method: get
register: order_4 register: order_4
- name: Show order - name: Show order
debug: ansible.builtin.debug:
var: order_4.output_json var: order_4.output_json
- name: Deactivate order (idempotent) - name: Deactivate order (idempotent)
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -140,7 +140,7 @@
register: deactivate_4 register: deactivate_4
- name: Inspect order again - name: Inspect order again
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -150,5 +150,5 @@
method: get method: get
register: order_5 register: order_5
- name: Show order - name: Show order
debug: ansible.builtin.debug:
var: order_5.output_json var: order_5.output_json

12
tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

2
tests/integration/targets/acme_certificate_deactivate_authz/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Checks - name: Checks
assert: ansible.builtin.assert:
that: that:
- order_1.output_json.status == 'pending' - order_1.output_json.status == 'pending'
- deactivate_1 is changed - deactivate_1 is changed

110
tests/integration/targets/acme_certificate_order/tasks/impl.yml
View File

@@ -4,23 +4,23 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: "({{ select_crypto_backend }}) Generate random domain name" - name: "({{ select_crypto_backend }}) Generate random domain name"
set_fact: ansible.builtin.set_fact:
domain_name: "host{{ '%0x' % ((2**32) | random) }}.example.com" domain_name: "host{{ '%0x' % ((2**32) | random) }}.example.com"
- name: "({{ select_crypto_backend }}) Generate account key" - name: "({{ select_crypto_backend }}) Generate account key"
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/accountkey.pem" path: "{{ remote_tmp_dir }}/accountkey.pem"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
force: true force: true
- name: "({{ select_crypto_backend }}) Parse account keys (to ease debugging some test failures)" - name: "({{ select_crypto_backend }}) Parse account keys (to ease debugging some test failures)"
openssl_privatekey_info: community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/accountkey.pem" path: "{{ remote_tmp_dir }}/accountkey.pem"
return_private_key_data: true return_private_key_data: true
- name: "({{ select_crypto_backend }}) Create ACME account" - name: "({{ select_crypto_backend }}) Create ACME account"
acme_account: community.crypto.acme_account:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -31,14 +31,14 @@
register: account register: account
- name: "({{ select_crypto_backend }}) Generate certificate key" - name: "({{ select_crypto_backend }}) Generate certificate key"
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/cert.key" path: "{{ remote_tmp_dir }}/cert.key"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
force: true force: true
- name: "({{ select_crypto_backend }}) Generate certificate CSR" - name: "({{ select_crypto_backend }}) Generate certificate CSR"
openssl_csr: community.crypto.openssl_csr:
path: "{{ remote_tmp_dir }}/cert.csr" path: "{{ remote_tmp_dir }}/cert.csr"
privatekey_path: "{{ remote_tmp_dir }}/cert.key" privatekey_path: "{{ remote_tmp_dir }}/cert.key"
subject: subject:
@@ -47,7 +47,7 @@
register: csr register: csr
- name: "({{ select_crypto_backend }}) Create certificate order" - name: "({{ select_crypto_backend }}) Create certificate order"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -57,11 +57,11 @@
register: order_1 register: order_1
- name: "({{ select_crypto_backend }}) Show order information" - name: "({{ select_crypto_backend }}) Show order information"
debug: ansible.builtin.debug:
var: order_1 var: order_1
- name: "({{ select_crypto_backend }}) Check order" - name: "({{ select_crypto_backend }}) Check order"
assert: ansible.builtin.assert:
that: that:
- order_1 is changed - order_1 is changed
- order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/') - order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -81,7 +81,7 @@
- order_1.account_uri == account.account_uri - order_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Get order information" - name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -91,11 +91,11 @@
register: order_info_1 register: order_info_1
- name: "({{ select_crypto_backend }}) Show order information" - name: "({{ select_crypto_backend }}) Show order information"
debug: ansible.builtin.debug:
var: order_info_1 var: order_info_1
- name: "({{ select_crypto_backend }}) Check order information" - name: "({{ select_crypto_backend }}) Check order information"
assert: ansible.builtin.assert:
that: that:
- order_info_1 is not changed - order_info_1 is not changed
- order_info_1.authorizations_by_identifier | length == 1 - order_info_1.authorizations_by_identifier | length == 1
@@ -120,8 +120,8 @@
- order_info_1.account_uri == account.account_uri - order_info_1.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Create HTTP challenges" - name: "({{ select_crypto_backend }}) Create HTTP challenges"
uri: ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}" url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT method: PUT
body_format: raw body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}" body: "{{ item.challenges['http-01'].resource_value }}"
@@ -142,7 +142,7 @@
register: validate_1 register: validate_1
- name: "({{ select_crypto_backend }}) Check validation result" - name: "({{ select_crypto_backend }}) Check validation result"
assert: ansible.builtin.assert:
that: that:
- validate_1 is changed - validate_1 is changed
- validate_1.account_uri == account.account_uri - validate_1.account_uri == account.account_uri
@@ -153,7 +153,7 @@
when: ansible_version.full is version('2.12', '<') when: ansible_version.full is version('2.12', '<')
- name: "({{ select_crypto_backend }}) Get order information" - name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -163,11 +163,11 @@
register: order_info_2 register: order_info_2
- name: "({{ select_crypto_backend }}) Show order information" - name: "({{ select_crypto_backend }}) Show order information"
debug: ansible.builtin.debug:
var: order_info_2 var: order_info_2
- name: "({{ select_crypto_backend }}) Check order information" - name: "({{ select_crypto_backend }}) Check order information"
assert: ansible.builtin.assert:
that: that:
- order_info_2 is not changed - order_info_2 is not changed
- order_info_2.authorizations_by_identifier | length == 1 - order_info_2.authorizations_by_identifier | length == 1
@@ -203,7 +203,7 @@
register: validate_2 register: validate_2
- name: "({{ select_crypto_backend }}) Check validation result" - name: "({{ select_crypto_backend }}) Check validation result"
assert: ansible.builtin.assert:
that: that:
- validate_2 is not changed - validate_2 is not changed
- validate_2.account_uri == account.account_uri - validate_2.account_uri == account.account_uri
@@ -225,7 +225,7 @@
register: finalize_1 register: finalize_1
- name: "({{ select_crypto_backend }}) Check finalization result" - name: "({{ select_crypto_backend }}) Check finalization result"
assert: ansible.builtin.assert:
that: that:
- finalize_1 is changed - finalize_1 is changed
- finalize_1.account_uri == account.account_uri - finalize_1.account_uri == account.account_uri
@@ -236,7 +236,7 @@
- finalize_1.selected_chain.full_chain == finalize_1.selected_chain.cert + finalize_1.selected_chain.chain - finalize_1.selected_chain.full_chain == finalize_1.selected_chain.cert + finalize_1.selected_chain.chain
- name: "({{ select_crypto_backend }}) Read files from disk" - name: "({{ select_crypto_backend }}) Read files from disk"
slurp: ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/{{ item }}.pem" src: "{{ remote_tmp_dir }}/{{ item }}.pem"
loop: loop:
- cert - cert
@@ -245,14 +245,14 @@
register: slurp register: slurp
- name: "({{ select_crypto_backend }}) Compare finalization result with files on disk" - name: "({{ select_crypto_backend }}) Compare finalization result with files on disk"
assert: ansible.builtin.assert:
that: that:
- finalize_1.selected_chain.cert == slurp.results[0].content | b64decode - finalize_1.selected_chain.cert == slurp.results[0].content | b64decode
- finalize_1.selected_chain.chain == slurp.results[1].content | b64decode - finalize_1.selected_chain.chain == slurp.results[1].content | b64decode
- finalize_1.selected_chain.full_chain == slurp.results[2].content | b64decode - finalize_1.selected_chain.full_chain == slurp.results[2].content | b64decode
- name: "({{ select_crypto_backend }}) Get order information" - name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -262,11 +262,11 @@
register: order_info_3 register: order_info_3
- name: "({{ select_crypto_backend }}) Show order information" - name: "({{ select_crypto_backend }}) Show order information"
debug: ansible.builtin.debug:
var: order_info_3 var: order_info_3
- name: "({{ select_crypto_backend }}) Check order information" - name: "({{ select_crypto_backend }}) Check order information"
assert: ansible.builtin.assert:
that: that:
- order_info_3 is not changed - order_info_3 is not changed
- order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns' - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -304,7 +304,7 @@
register: finalize_2 register: finalize_2
- name: "({{ select_crypto_backend }}) Check finalization result" - name: "({{ select_crypto_backend }}) Check finalization result"
assert: ansible.builtin.assert:
that: that:
- finalize_2 is not changed - finalize_2 is not changed
- finalize_2.account_uri == account.account_uri - finalize_2.account_uri == account.account_uri
@@ -316,7 +316,7 @@
- finalize_2.selected_chain == finalize_1.selected_chain - finalize_2.selected_chain == finalize_1.selected_chain
- name: "({{ select_crypto_backend }}) Get order information" - name: "({{ select_crypto_backend }}) Get order information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -326,11 +326,11 @@
register: order_info_4 register: order_info_4
- name: "({{ select_crypto_backend }}) Show order information" - name: "({{ select_crypto_backend }}) Show order information"
debug: ansible.builtin.debug:
var: order_info_4 var: order_info_4
- name: "({{ select_crypto_backend }}) Check order information" - name: "({{ select_crypto_backend }}) Check order information"
assert: ansible.builtin.assert:
that: that:
- order_info_4 is not changed - order_info_4 is not changed
- order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns' - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
@@ -356,7 +356,7 @@
- when: acme_supports_ari - when: acme_supports_ari
block: block:
- name: "({{ select_crypto_backend }}) Get certificate renewal information" - name: "({{ select_crypto_backend }}) Get certificate renewal information"
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -366,14 +366,14 @@
register: cert_info register: cert_info
- name: "({{ select_crypto_backend }}) Verify information" - name: "({{ select_crypto_backend }}) Verify information"
assert: ansible.builtin.assert:
that: that:
- cert_info.supports_ari == true - cert_info.supports_ari == true
- cert_info.should_renew == false - cert_info.should_renew == false
- cert_info.cert_id is string - cert_info.cert_id is string
- name: "({{ select_crypto_backend }}) Create replacement order 1" - name: "({{ select_crypto_backend }}) Create replacement order 1"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -386,7 +386,7 @@
register: replacement_order_1 register: replacement_order_1
- name: "({{ select_crypto_backend }}) Get replacement order 1 information" - name: "({{ select_crypto_backend }}) Get replacement order 1 information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -396,7 +396,7 @@
register: order_info_5 register: order_info_5
- name: "({{ select_crypto_backend }}) Check replacement order 1" - name: "({{ select_crypto_backend }}) Check replacement order 1"
assert: ansible.builtin.assert:
that: that:
- replacement_order_1 is changed - replacement_order_1 is changed
- replacement_order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/') - replacement_order_1.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -417,7 +417,7 @@
- replacement_order_1.order_uri not in [order_1.order_uri] - replacement_order_1.order_uri not in [order_1.order_uri]
- name: "({{ select_crypto_backend }}) Check replacement order 1 information" - name: "({{ select_crypto_backend }}) Check replacement order 1 information"
assert: ansible.builtin.assert:
that: that:
- order_info_5 is not changed - order_info_5 is not changed
- order_info_5.authorizations_by_identifier | length == 1 - order_info_5.authorizations_by_identifier | length == 1
@@ -446,7 +446,7 @@
- when: false # TODO get Pebble improved - when: false # TODO get Pebble improved
block: block:
- name: "({{ select_crypto_backend }}) Create replacement order 2 (should fail)" - name: "({{ select_crypto_backend }}) Create replacement order 2 (should fail)"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -459,7 +459,7 @@
ignore_errors: true ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 2" - name: "({{ select_crypto_backend }}) Check replacement order 2"
assert: ansible.builtin.assert:
that: that:
- replacement_order_2 is failed - replacement_order_2 is failed
- >- - >-
@@ -470,7 +470,7 @@
) )
- name: "({{ select_crypto_backend }}) Create replacement order 3 with error handling" - name: "({{ select_crypto_backend }}) Create replacement order 3 with error handling"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -482,7 +482,7 @@
register: replacement_order_3 register: replacement_order_3
- name: "({{ select_crypto_backend }}) Get replacement order 3 information" - name: "({{ select_crypto_backend }}) Get replacement order 3 information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -492,7 +492,7 @@
register: order_info_6 register: order_info_6
- name: "({{ select_crypto_backend }}) Check replacement order 3" - name: "({{ select_crypto_backend }}) Check replacement order 3"
assert: ansible.builtin.assert:
that: that:
- replacement_order_3 is changed - replacement_order_3 is changed
- replacement_order_3.order_uri.startswith('https://' ~ acme_host ~ ':14000/') - replacement_order_3.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -515,7 +515,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_3.warnings ('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_3.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 3 information" - name: "({{ select_crypto_backend }}) Check replacement order 3 information"
assert: ansible.builtin.assert:
that: that:
- order_info_6 is not changed - order_info_6 is not changed
- order_info_6.authorizations_by_identifier | length == 1 - order_info_6.authorizations_by_identifier | length == 1
@@ -540,7 +540,7 @@
- order_info_6.account_uri == account.account_uri - order_info_6.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 3" - name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 3"
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -551,8 +551,8 @@
# Complete replacement order 1 # Complete replacement order 1
- name: "({{ select_crypto_backend }}) Create HTTP challenges (replacement order 1)" - name: "({{ select_crypto_backend }}) Create HTTP challenges (replacement order 1)"
uri: ansible.builtin.uri:
url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/'|length):] }}" url: "http://{{ acme_host }}:5000/http/{{ item.identifier }}/{{ item.challenges['http-01'].resource[('.well-known/acme-challenge/' | length) :] }}"
method: PUT method: PUT
body_format: raw body_format: raw
body: "{{ item.challenges['http-01'].resource_value }}" body: "{{ item.challenges['http-01'].resource_value }}"
@@ -590,7 +590,7 @@
- when: true - when: true
block: block:
- name: "({{ select_crypto_backend }}) Create replacement order 4 (should fail)" - name: "({{ select_crypto_backend }}) Create replacement order 4 (should fail)"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -603,7 +603,7 @@
ignore_errors: true ignore_errors: true
- name: "({{ select_crypto_backend }}) Check replacement order 4" - name: "({{ select_crypto_backend }}) Check replacement order 4"
assert: ansible.builtin.assert:
that: that:
- replacement_order_4 is failed - replacement_order_4 is failed
- replacement_order_4.msg.startswith('Failed to start new order for https://' ~ acme_host) - replacement_order_4.msg.startswith('Failed to start new order for https://' ~ acme_host)
@@ -611,7 +611,7 @@
' with status 409 Conflict. Error urn:ietf:params:acme:error:malformed: ' in replacement_order_4.msg ' with status 409 Conflict. Error urn:ietf:params:acme:error:malformed: ' in replacement_order_4.msg
- name: "({{ select_crypto_backend }}) Create replacement order 5 with error handling" - name: "({{ select_crypto_backend }}) Create replacement order 5 with error handling"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -623,7 +623,7 @@
register: replacement_order_5 register: replacement_order_5
- name: "({{ select_crypto_backend }}) Get replacement order 5 information" - name: "({{ select_crypto_backend }}) Get replacement order 5 information"
acme_certificate_order_info: community.crypto.acme_certificate_order_info:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -633,7 +633,7 @@
register: order_info_7 register: order_info_7
- name: "({{ select_crypto_backend }}) Check replacement order 5" - name: "({{ select_crypto_backend }}) Check replacement order 5"
assert: ansible.builtin.assert:
that: that:
- replacement_order_5 is changed - replacement_order_5 is changed
- replacement_order_5.order_uri.startswith('https://' ~ acme_host ~ ':14000/') - replacement_order_5.order_uri.startswith('https://' ~ acme_host ~ ':14000/')
@@ -656,7 +656,7 @@
('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_5.warnings ('Stop passing `replaces=' ~ cert_info.cert_id ~ '` due to error 409 urn:ietf:params:acme:error:malformed when creating ACME order') in replacement_order_5.warnings
- name: "({{ select_crypto_backend }}) Check replacement order 5 information" - name: "({{ select_crypto_backend }}) Check replacement order 5 information"
assert: ansible.builtin.assert:
that: that:
- order_info_7 is not changed - order_info_7 is not changed
- order_info_7.authorizations_by_identifier | length == 1 - order_info_7.authorizations_by_identifier | length == 1
@@ -681,7 +681,7 @@
- order_info_7.account_uri == account.account_uri - order_info_7.account_uri == account.account_uri
- name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 5" - name: "({{ select_crypto_backend }}) Deactivate authzs for replacement order 5"
acme_certificate_deactivate_authz: community.crypto.acme_certificate_deactivate_authz:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -694,7 +694,7 @@
- when: acme_supports_profiles - when: acme_supports_profiles
block: block:
- name: "({{ select_crypto_backend }}) Create order with invalid profile (should fail)" - name: "({{ select_crypto_backend }}) Create order with invalid profile (should fail)"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -707,7 +707,7 @@
ignore_errors: true ignore_errors: true
- name: "({{ select_crypto_backend }}) Check invalid profile order" - name: "({{ select_crypto_backend }}) Check invalid profile order"
assert: ansible.builtin.assert:
that: that:
- invalid_profile_order is failed - invalid_profile_order is failed
- invalid_profile_order.msg == "The ACME CA does not support selected profile 'does-not-exist'." - invalid_profile_order.msg == "The ACME CA does not support selected profile 'does-not-exist'."
@@ -717,7 +717,7 @@
- when: not acme_supports_profiles - when: not acme_supports_profiles
block: block:
- name: "({{ select_crypto_backend }}) Create order with profile when server does not support it (should fail)" - name: "({{ select_crypto_backend }}) Create order with profile when server does not support it (should fail)"
acme_certificate_order_create: community.crypto.acme_certificate_order_create:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -729,7 +729,7 @@
ignore_errors: true ignore_errors: true
- name: "({{ select_crypto_backend }}) Check profile without server support order" - name: "({{ select_crypto_backend }}) Check profile without server support order"
assert: ansible.builtin.assert:
that: that:
- profile_without_server_support is failed - profile_without_server_support is failed
- profile_without_server_support.msg == 'The ACME CA does not support profiles. Please omit the "profile" option.' - profile_without_server_support.msg == 'The ACME CA does not support profiles. Please omit the "profile" option.'

8
tests/integration/targets/acme_certificate_order/tasks/main.yml
View File

@@ -10,7 +10,7 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
@@ -18,18 +18,18 @@
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography

34
tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ######################################################################## ## SET UP ACCOUNT KEYS ########################################################################
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}" type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}" size: "{{ item.size | default(omit) }}"
@@ -22,7 +22,7 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1 - name: Obtain cert 1
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 1 for renewal check certgen_title: Certificate 1 for renewal check
certificate_name: cert-1 certificate_name: cert-1
@@ -41,18 +41,18 @@
## OBTAIN CERTIFICATE INFOS ################################################################### ## OBTAIN CERTIFICATE INFOS ###################################################################
- name: Dump OpenSSL x509 info - name: Dump OpenSSL x509 info
command: ansible.builtin.command:
cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text cmd: openssl x509 -in {{ remote_tmp_dir }}/cert-1.pem -noout -text
- name: Obtain certificate information - name: Obtain certificate information
x509_certificate_info: community.crypto.x509_certificate_info:
path: "{{ remote_tmp_dir }}/cert-1.pem" path: "{{ remote_tmp_dir }}/cert-1.pem"
register: cert_1_info register: cert_1_info
- name: Read certificate - name: Read certificate
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/cert-1.pem' src: '{{ remote_tmp_dir }}/cert-1.pem'
register: slurp_cert_1 register: slurp_cert_1
- name: Obtain certificate information (1/11) - name: Obtain certificate information (1/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -60,7 +60,7 @@
validate_certs: false validate_certs: false
register: cert_1_renewal_1 register: cert_1_renewal_1
- name: Obtain certificate information (2/11) - name: Obtain certificate information (2/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -70,7 +70,7 @@
remaining_percentage: 0.5 remaining_percentage: 0.5
register: cert_1_renewal_2 register: cert_1_renewal_2
- name: Obtain certificate information (3/11) - name: Obtain certificate information (3/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_content: "{{ slurp_cert_1.content | b64decode }}" certificate_content: "{{ slurp_cert_1.content | b64decode }}"
acme_version: 2 acme_version: 2
@@ -79,7 +79,7 @@
now: +1800d now: +1800d
register: cert_1_renewal_3 register: cert_1_renewal_3
- name: Obtain certificate information (4/11) - name: Obtain certificate information (4/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -90,7 +90,7 @@
remaining_percentage: 0.1 remaining_percentage: 0.1
register: cert_1_renewal_4 register: cert_1_renewal_4
- name: Obtain certificate information (5/11) - name: Obtain certificate information (5/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -101,7 +101,7 @@
remaining_percentage: 0.01 remaining_percentage: 0.01
register: cert_1_renewal_5 register: cert_1_renewal_5
- name: Obtain certificate information (6/11) - name: Obtain certificate information (6/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -112,7 +112,7 @@
remaining_percentage: 0.03 remaining_percentage: 0.03
register: cert_1_renewal_6 register: cert_1_renewal_6
- name: Obtain certificate information (7/11) - name: Obtain certificate information (7/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-1.pem" certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
acme_version: 2 acme_version: 2
@@ -121,7 +121,7 @@
now: +1830d now: +1830d
register: cert_1_renewal_7 register: cert_1_renewal_7
- name: Obtain certificate information (8/11) - name: Obtain certificate information (8/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
acme_version: 2 acme_version: 2
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
@@ -129,7 +129,7 @@
now: +1830d now: +1830d
register: cert_1_renewal_8 register: cert_1_renewal_8
- name: Obtain certificate information (9/11) - name: Obtain certificate information (9/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem" certificate_path: "{{ remote_tmp_dir }}/cert-does-not-exist.pem"
acme_version: 2 acme_version: 2
@@ -137,12 +137,12 @@
validate_certs: false validate_certs: false
register: cert_1_renewal_9 register: cert_1_renewal_9
- name: Create broken file - name: Create broken file
copy: ansible.builtin.copy:
dest: "{{ remote_tmp_dir }}/cert-is-broken.pem" dest: "{{ remote_tmp_dir }}/cert-is-broken.pem"
content: | content: |
--- THIS IS NOT A CERT --- --- THIS IS NOT A CERT ---
- name: Obtain certificate information (10/11) - name: Obtain certificate information (10/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: false treat_parsing_error_as_non_existing: false
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem" certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"
@@ -152,7 +152,7 @@
register: cert_1_renewal_10 register: cert_1_renewal_10
ignore_errors: true ignore_errors: true
- name: Obtain certificate information (11/11) - name: Obtain certificate information (11/11)
acme_certificate_renewal_info: community.crypto.acme_certificate_renewal_info:
treat_parsing_error_as_non_existing: true treat_parsing_error_as_non_existing: true
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem" certificate_path: "{{ remote_tmp_dir }}/cert-is-broken.pem"

12
tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
View File

@@ -13,31 +13,31 @@
block: block:
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

6
tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
View File

@@ -9,7 +9,7 @@
block: block:
- name: Validate results (generic) - name: Validate results (generic)
assert: ansible.builtin.assert:
that: that:
- cert_1_renewal_1.should_renew == false - cert_1_renewal_1.should_renew == false
- cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached' - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
@@ -64,7 +64,7 @@
when: not acme_supports_ari when: not acme_supports_ari
- name: Validate results without ARI - name: Validate results without ARI
assert: ansible.builtin.assert:
that: that:
- cert_1_renewal_1.supports_ari == false - cert_1_renewal_1.supports_ari == false
- cert_1_renewal_2.supports_ari == false - cert_1_renewal_2.supports_ari == false
@@ -84,7 +84,7 @@
when: not acme_supports_ari when: not acme_supports_ari
- name: Validate results with ARI - name: Validate results with ARI
assert: ansible.builtin.assert:
that: that:
- cert_1_renewal_1.supports_ari == true - cert_1_renewal_1.supports_ari == true
- cert_1_renewal_2.supports_ari == true - cert_1_renewal_2.supports_ari == true

18
tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
View File

@@ -6,7 +6,7 @@
## SET UP ACCOUNT KEYS ######################################################################## ## SET UP ACCOUNT KEYS ########################################################################
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item.name }}.pem" path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
type: "{{ item.type }}" type: "{{ item.type }}"
size: "{{ item.size | default(omit) }}" size: "{{ item.size | default(omit) }}"
@@ -28,11 +28,11 @@
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES #################################################### ## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Read account key (EC256) - name: Read account key (EC256)
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-ec256.pem' src: '{{ remote_tmp_dir }}/account-ec256.pem'
register: slurp_account_key register: slurp_account_key
- name: Obtain cert 1 - name: Obtain cert 1
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 1 for revocation certgen_title: Certificate 1 for revocation
certificate_name: cert-1 certificate_name: cert-1
@@ -49,7 +49,7 @@
terms_agreed: true terms_agreed: true
account_email: "example@example.org" account_email: "example@example.org"
- name: Obtain cert 2 - name: Obtain cert 2
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 2 for revocation certgen_title: Certificate 2 for revocation
certificate_name: cert-2 certificate_name: cert-2
@@ -66,7 +66,7 @@
terms_agreed: true terms_agreed: true
account_email: "example@example.org" account_email: "example@example.org"
- name: Obtain cert 3 - name: Obtain cert 3
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
certgen_title: Certificate 3 for revocation certgen_title: Certificate 3 for revocation
certificate_name: cert-3 certificate_name: cert-3
@@ -84,7 +84,7 @@
## REVOKE CERTIFICATES ######################################################################## ## REVOKE CERTIFICATES ########################################################################
- name: Revoke certificate 1 via account key - name: Revoke certificate 1 via account key
acme_certificate_revoke: community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem" account_key_src: "{{ remote_tmp_dir }}/account-ec256.pem"
certificate: "{{ remote_tmp_dir }}/cert-1.pem" certificate: "{{ remote_tmp_dir }}/cert-1.pem"
@@ -94,7 +94,7 @@
ignore_errors: true ignore_errors: true
register: cert_1_revoke register: cert_1_revoke
- name: Revoke certificate 2 via certificate private key - name: Revoke certificate 2 via certificate private key
acme_certificate_revoke: community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
private_key_src: "{{ remote_tmp_dir }}/cert-2.key" private_key_src: "{{ remote_tmp_dir }}/cert-2.key"
private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}" private_key_passphrase: "{{ 'hunter2' if select_crypto_backend != 'openssl' else omit }}"
@@ -105,11 +105,11 @@
ignore_errors: true ignore_errors: true
register: cert_2_revoke register: cert_2_revoke
- name: Read account key (RSA) - name: Read account key (RSA)
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/account-rsa.pem' src: '{{ remote_tmp_dir }}/account-rsa.pem'
register: slurp_account_key register: slurp_account_key
- name: Revoke certificate 3 via account key (fullchain) - name: Revoke certificate 3 via account key (fullchain)
acme_certificate_revoke: community.crypto.acme_certificate_revoke:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_content: "{{ slurp_account_key.content | b64decode }}" account_key_content: "{{ slurp_account_key.content | b64decode }}"
certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem" certificate: "{{ remote_tmp_dir }}/cert-3-fullchain.pem"

12
tests/integration/targets/acme_certificate_revoke/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

6
tests/integration/targets/acme_certificate_revoke/tests/validate.yml
View File

@@ -4,17 +4,17 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Check that certificate 1 was revoked - name: Check that certificate 1 was revoked
assert: ansible.builtin.assert:
that: that:
- cert_1_revoke is changed - cert_1_revoke is changed
- cert_1_revoke is not failed - cert_1_revoke is not failed
- name: Check that certificate 2 was revoked - name: Check that certificate 2 was revoked
assert: ansible.builtin.assert:
that: that:
- cert_2_revoke is changed - cert_2_revoke is changed
- cert_2_revoke is not failed - cert_2_revoke is not failed
- name: Check that certificate 3 was revoked - name: Check that certificate 3 was revoked
assert: ansible.builtin.assert:
that: that:
- cert_3_revoke is changed - cert_3_revoke is changed
- cert_3_revoke is not failed - cert_3_revoke is not failed

4
tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
View File

@@ -10,13 +10,13 @@
- block: - block:
- name: Generate ECC256 account keys - name: Generate ECC256 account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem" path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
force: true force: true
- name: Obtain cert 1 - name: Obtain cert 1
include_tasks: obtain-cert.yml ansible.builtin.include_tasks: obtain-cert.yml
vars: vars:
select_crypto_backend: auto select_crypto_backend: auto
certgen_title: Certificate 1 certgen_title: Certificate 1

46
tests/integration/targets/acme_inspect/tasks/impl.yml
View File

@@ -5,7 +5,7 @@
- block: - block:
- name: Generate account keys - name: Generate account keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: "{{ remote_tmp_dir }}/{{ item }}.pem" path: "{{ remote_tmp_dir }}/{{ item }}.pem"
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
@@ -13,7 +13,7 @@
loop: "{{ account_keys }}" loop: "{{ account_keys }}"
- name: Parse account keys (to ease debugging some test failures) - name: Parse account keys (to ease debugging some test failures)
openssl_privatekey_info: community.crypto.openssl_privatekey_info:
path: "{{ remote_tmp_dir }}/{{ item }}.pem" path: "{{ remote_tmp_dir }}/{{ item }}.pem"
return_private_key_data: true return_private_key_data: true
loop: "{{ account_keys }}" loop: "{{ account_keys }}"
@@ -23,32 +23,32 @@
- accountkey - accountkey
- name: Get directory - name: Get directory
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
method: directory-only method: directory-only
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: directory register: directory
- debug: var=directory - ansible.builtin.debug: var=directory
- name: Create an account - name: Create an account
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
account_key_src: "{{ remote_tmp_dir }}/accountkey.pem" account_key_src: "{{ remote_tmp_dir }}/accountkey.pem"
url: "{{ directory.directory.newAccount}}" url: "{{ directory.directory.newAccount }}"
method: post method: post
content: '{"termsOfServiceAgreed":true}' content: '{"termsOfServiceAgreed":true}'
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: account_creation register: account_creation
# account_creation.headers.location contains the account URI # account_creation.headers.location contains the account URI
# if creation was successful # if creation was successful
- debug: var=account_creation - ansible.builtin.debug: var=account_creation
- name: Get account information - name: Get account information
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -58,10 +58,10 @@
method: get method: get
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: account_get register: account_get
- debug: var=account_get - ansible.builtin.debug: var=account_get
- name: Update account contacts - name: Update account contacts
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -78,10 +78,10 @@
contact: contact:
- mailto:me@example.com - mailto:me@example.com
register: account_update register: account_update
- debug: var=account_update - ansible.builtin.debug: var=account_update
- name: Create certificate order - name: Create certificate order
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -102,10 +102,10 @@
- type: dns - type: dns
value: example.org value: example.org
register: new_order register: new_order
- debug: var=new_order - ansible.builtin.debug: var=new_order
- name: Get order information - name: Get order information
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -115,10 +115,10 @@
method: get method: get
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: order register: order
- debug: var=order - ansible.builtin.debug: var=order
- name: Get authzs for order - name: Get authzs for order
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -129,10 +129,10 @@
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
loop: "{{ order.output_json.authorizations }}" loop: "{{ order.output_json.authorizations }}"
register: authz register: authz
- debug: var=authz - ansible.builtin.debug: var=authz
- name: Get HTTP-01 challenge for authz - name: Get HTTP-01 challenge for authz
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -143,10 +143,10 @@
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: http01challenge register: http01challenge
loop: "{{ authz.results | map(attribute='output_json') | list }}" loop: "{{ authz.results | map(attribute='output_json') | list }}"
- debug: var=http01challenge - ansible.builtin.debug: var=http01challenge
- name: Activate HTTP-01 challenge manually - name: Activate HTTP-01 challenge manually
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -158,10 +158,10 @@
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
register: activation register: activation
loop: "{{ http01challenge.results | map(attribute='output_json') | list }}" loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
- debug: var=activation - ansible.builtin.debug: var=activation
- name: Get HTTP-01 challenge results - name: Get HTTP-01 challenge results
acme_inspect: community.crypto.acme_inspect:
acme_directory: "{{ acme_directory_url }}" acme_directory: "{{ acme_directory_url }}"
acme_version: 2 acme_version: 2
validate_certs: false validate_certs: false
@@ -175,4 +175,4 @@
until: "validation_result.output_json.status not in ['pending', 'processing']" until: "validation_result.output_json.status not in ['pending', 'processing']"
retries: 20 retries: 20
delay: 1 delay: 1
- debug: var=validation_result - ansible.builtin.debug: var=validation_result

12
tests/integration/targets/acme_inspect/tasks/main.yml
View File

@@ -10,31 +10,31 @@
- block: - block:
- name: Running tests with OpenSSL backend - name: Running tests with OpenSSL backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: openssl select_crypto_backend: openssl
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=') when: openssl_version.stdout is version('1.0.0', '>=')
- name: Remove output directory - name: Remove output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: absent state: absent
- name: Re-create output directory - name: Re-create output directory
file: ansible.builtin.file:
path: "{{ remote_tmp_dir }}" path: "{{ remote_tmp_dir }}"
state: directory state: directory
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography
- import_tasks: ../tests/validate.yml - ansible.builtin.import_tasks: ../tests/validate.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

20
tests/integration/targets/acme_inspect/tests/validate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Check directory output - name: Check directory output
assert: ansible.builtin.assert:
that: that:
- directory is not changed - directory is not changed
- "'directory' in directory" - "'directory' in directory"
@@ -16,7 +16,7 @@
- "'output_json' not in directory" - "'output_json' not in directory"
- name: Check account creation output - name: Check account creation output
assert: ansible.builtin.assert:
that: that:
- account_creation is changed - account_creation is changed
- "'directory' in account_creation" - "'directory' in account_creation"
@@ -30,7 +30,7 @@
- account_creation.output_text | from_json == account_creation.output_json - account_creation.output_text | from_json == account_creation.output_json
- name: Check account get output - name: Check account get output
assert: ansible.builtin.assert:
that: that:
- account_get is not changed - account_get is not changed
- "'directory' in account_get" - "'directory' in account_get"
@@ -41,7 +41,7 @@
- account_get.output_json == account_creation.output_json - account_get.output_json == account_creation.output_json
- name: Check account update output - name: Check account update output
assert: ansible.builtin.assert:
that: that:
- account_update is changed - account_update is changed
- "'directory' in account_update" - "'directory' in account_update"
@@ -53,7 +53,7 @@
- account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com'] - account_update.output_json.contact[0] in ['mailto:me@example.com', 'mailto:*******@example.com']
- name: Check certificate request output - name: Check certificate request output
assert: ansible.builtin.assert:
that: that:
- new_order is changed - new_order is changed
- "'directory' in new_order" - "'directory' in new_order"
@@ -66,7 +66,7 @@
- "'finalize' in new_order.output_json" - "'finalize' in new_order.output_json"
- name: Check get order output - name: Check get order output
assert: ansible.builtin.assert:
that: that:
- order is not changed - order is not changed
- "'directory' in order" - "'directory' in order"
@@ -77,7 +77,7 @@
# - new_order.output_json == order.output_json # - new_order.output_json == order.output_json
- name: Check get authz output - name: Check get authz output
assert: ansible.builtin.assert:
that: that:
- item is not changed - item is not changed
- "'directory' in item" - "'directory' in item"
@@ -90,7 +90,7 @@
loop: "{{ authz.results }}" loop: "{{ authz.results }}"
- name: Check get challenge output - name: Check get challenge output
assert: ansible.builtin.assert:
that: that:
- item is not changed - item is not changed
- "'directory' in item" - "'directory' in item"
@@ -104,7 +104,7 @@
loop: "{{ http01challenge.results }}" loop: "{{ http01challenge.results }}"
- name: Check challenge activation output - name: Check challenge activation output
assert: ansible.builtin.assert:
that: that:
- item is changed - item is changed
- "'directory' in item" - "'directory' in item"
@@ -118,7 +118,7 @@
loop: "{{ activation.results }}" loop: "{{ activation.results }}"
- name: Check validation result - name: Check validation result
assert: ansible.builtin.assert:
that: that:
- item is not changed - item is not changed
- "'directory' in item" - "'directory' in item"

4
tests/integration/targets/certificate_complete_chain/tasks/create-single-certificate.yml
View File

@@ -9,14 +9,14 @@
#################################################################### ####################################################################
- name: Generate CSR for {{ certificate.name }} - name: Generate CSR for {{ certificate.name }}
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr' path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key' privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'
subject: '{{ certificate.subject }}' subject: '{{ certificate.subject }}'
useCommonNameForSAN: false useCommonNameForSAN: false
- name: Generate certificate for {{ certificate.name }} - name: Generate certificate for {{ certificate.name }}
x509_certificate: community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem' path: '{{ remote_tmp_dir }}/{{ certificate.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr' csr_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key' privatekey_path: '{{ remote_tmp_dir }}/{{ certificate.name }}.key'

8
tests/integration/targets/certificate_complete_chain/tasks/create.yml
View File

@@ -10,25 +10,25 @@
- block: - block:
- name: Create private keys - name: Create private keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key' path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
size: '{{ default_rsa_key_size_certificates }}' size: '{{ default_rsa_key_size_certificates }}'
loop: '{{ certificates }}' loop: '{{ certificates }}'
- name: Generate certificates - name: Generate certificates
include_tasks: create-single-certificate.yml ansible.builtin.include_tasks: create-single-certificate.yml
loop: '{{ certificates }}' loop: '{{ certificates }}'
loop_control: loop_control:
loop_var: certificate loop_var: certificate
- name: Read certificates - name: Read certificates
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/{{ item.name }}.pem' src: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
loop: '{{ certificates }}' loop: '{{ certificates }}'
register: certificates_read register: certificates_read
- name: Store read certificates - name: Store read certificates
set_fact: ansible.builtin.set_fact:
read_certificates: >- read_certificates: >-
{{ certificates_read.results | map(attribute='content') | map('b64decode') {{ certificates_read.results | map(attribute='content') | map('b64decode')
| zip(certificates | map(attribute='name')) | zip(certificates | map(attribute='name'))

10
tests/integration/targets/certificate_complete_chain/tasks/created.yml
View File

@@ -9,7 +9,7 @@
#################################################################### ####################################################################
- name: Case A => works - name: Case A => works
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}" input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem' - '{{ remote_tmp_dir }}/b-intermediate.pem'
@@ -19,7 +19,7 @@
- name: Case B => doesn't work, but this is expected - name: Case B => doesn't work, but this is expected
failed_when: false failed_when: false
register: caseb register: caseb
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}" input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem' - '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -27,11 +27,11 @@
- '{{ remote_tmp_dir }}/a-root.pem' - '{{ remote_tmp_dir }}/a-root.pem'
- name: Assert that case B failed - name: Assert that case B failed
assert: ansible.builtin.assert:
that: "'Cannot complete chain' in caseb.msg" that: "'Cannot complete chain' in caseb.msg"
- name: Case C => works - name: Case C => works
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}" input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/c-intermediate.pem' - '{{ remote_tmp_dir }}/c-intermediate.pem'
@@ -40,7 +40,7 @@
- '{{ remote_tmp_dir }}/a-root.pem' - '{{ remote_tmp_dir }}/a-root.pem'
- name: Case D => works as well after PR 403 - name: Case D => works as well after PR 403
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: "{{ read_certificates['d-leaf'] }}" input_chain: "{{ read_certificates['d-leaf'] }}"
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/b-intermediate.pem' - '{{ remote_tmp_dir }}/b-intermediate.pem'

32
tests/integration/targets/certificate_complete_chain/tasks/existing.yml
View File

@@ -10,13 +10,13 @@
- block: - block:
- name: Find root for cert 1 using directory - name: Find root for cert 1 using directory
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ fullchain | trim }}' input_chain: '{{ fullchain | trim }}'
root_certificates: root_certificates:
- '{{ remote_tmp_dir }}/files/roots/' - '{{ remote_tmp_dir }}/files/roots/'
register: cert1_root register: cert1_root
- name: Verify root for cert 1 - name: Verify root for cert 1
assert: ansible.builtin.assert:
that: that:
- cert1_root.complete_chain | join('') == (fullchain ~ root) - cert1_root.complete_chain | join('') == (fullchain ~ root)
- cert1_root.root == root - cert1_root.root == root
@@ -26,7 +26,7 @@
- block: - block:
- name: Find rootchain for cert 1 using intermediate and root PEM - name: Find rootchain for cert 1 using intermediate and root PEM
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}' input_chain: '{{ cert }}'
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem' - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -34,7 +34,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem' - '{{ remote_tmp_dir }}/files/roots.pem'
register: cert1_rootchain register: cert1_rootchain
- name: Verify rootchain for cert 1 - name: Verify rootchain for cert 1
assert: ansible.builtin.assert:
that: that:
- cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root) - cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert1_rootchain.chain[:-1] | join('') == chain - cert1_rootchain.chain[:-1] | join('') == chain
@@ -46,13 +46,13 @@
- block: - block:
- name: Find root for cert 2 using directory - name: Find root for cert 2 using directory
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: "{{ fullchain | trim }}" input_chain: "{{ fullchain | trim }}"
root_certificates: root_certificates:
- '{{ remote_tmp_dir }}/files/roots/' - '{{ remote_tmp_dir }}/files/roots/'
register: cert2_root register: cert2_root
- name: Verify root for cert 2 - name: Verify root for cert 2
assert: ansible.builtin.assert:
that: that:
- cert2_root.complete_chain | join('') == (fullchain ~ root) - cert2_root.complete_chain | join('') == (fullchain ~ root)
- cert2_root.root == root - cert2_root.root == root
@@ -62,7 +62,7 @@
- block: - block:
- name: Find rootchain for cert 2 using intermediate and root PEM - name: Find rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}' input_chain: '{{ cert }}'
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-chain.pem' - '{{ remote_tmp_dir }}/files/cert2-chain.pem'
@@ -70,7 +70,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem' - '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain register: cert2_rootchain
- name: Verify rootchain for cert 2 - name: Verify rootchain for cert 2
assert: ansible.builtin.assert:
that: that:
- cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root) - cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain.chain[:-1] | join('') == chain - cert2_rootchain.chain[:-1] | join('') == chain
@@ -82,7 +82,7 @@
- block: - block:
- name: Find alternate rootchain for cert 2 using intermediate and root PEM - name: Find alternate rootchain for cert 2 using intermediate and root PEM
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ cert }}' input_chain: '{{ cert }}'
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert2-altchain.pem' - '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
@@ -90,7 +90,7 @@
- '{{ remote_tmp_dir }}/files/roots.pem' - '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_rootchain_alt register: cert2_rootchain_alt
- name: Verify rootchain for cert 2 - name: Verify rootchain for cert 2
assert: ansible.builtin.assert:
that: that:
- cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root) - cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_rootchain_alt.chain[:-1] | join('') == chain - cert2_rootchain_alt.chain[:-1] | join('') == chain
@@ -102,13 +102,13 @@
- block: - block:
- name: Find alternate rootchain for cert 2 when complete chain is already presented to the module - name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ cert ~ chain ~ root }}' input_chain: '{{ cert ~ chain ~ root }}'
root_certificates: root_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem' - '{{ remote_tmp_dir }}/files/roots.pem'
register: cert2_complete_chain register: cert2_complete_chain
- name: Verify rootchain for cert 2 - name: Verify rootchain for cert 2
assert: ansible.builtin.assert:
that: that:
- cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root) - cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
- cert2_complete_chain.chain == [] - cert2_complete_chain.chain == []
@@ -119,7 +119,7 @@
root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}" root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
- name: Check failure when no intermediate certificate can be found - name: Check failure when no intermediate certificate can be found
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}' input_chain: '{{ lookup("file", "cert2.pem", rstrip=true) }}'
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/files/cert1-chain.pem' - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
@@ -128,13 +128,13 @@
register: cert2_no_intermediate register: cert2_no_intermediate
ignore_errors: true ignore_errors: true
- name: Verify failure - name: Verify failure
assert: ansible.builtin.assert:
that: that:
- cert2_no_intermediate is failed - cert2_no_intermediate is failed
- "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')" - "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"
- name: Check failure when infinite loop is found - name: Check failure when infinite loop is found
certificate_complete_chain: community.crypto.certificate_complete_chain:
input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}' input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=true) }}'
intermediate_certificates: intermediate_certificates:
- '{{ remote_tmp_dir }}/files/roots.pem' - '{{ remote_tmp_dir }}/files/roots.pem'
@@ -143,7 +143,7 @@
register: cert2_infinite_loop register: cert2_infinite_loop
ignore_errors: true ignore_errors: true
- name: Verify failure - name: Verify failure
assert: ansible.builtin.assert:
that: that:
- cert2_infinite_loop is failed - cert2_infinite_loop is failed
- "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'" - "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"

8
tests/integration/targets/certificate_complete_chain/tasks/main.yml
View File

@@ -16,17 +16,17 @@
state: directory state: directory
when: ansible_version.string is version('2.10', '<') when: ansible_version.string is version('2.10', '<')
- name: Copy test files to testhost - name: Copy test files to testhost
copy: ansible.builtin.copy:
src: '{{ role_path }}/files/' src: '{{ role_path }}/files/'
dest: '{{ remote_tmp_dir }}/files/' dest: '{{ remote_tmp_dir }}/files/'
- name: Run tests with copied certificates - name: Run tests with copied certificates
import_tasks: existing.yml ansible.builtin.import_tasks: existing.yml
- name: Create more certificates - name: Create more certificates
import_tasks: create.yml ansible.builtin.import_tasks: create.yml
- name: Run tests with created certificates - name: Run tests with created certificates
import_tasks: created.yml ansible.builtin.import_tasks: created.yml
when: cryptography_version.stdout is version('1.5', '>=') when: cryptography_version.stdout is version('1.5', '>=')

16
tests/integration/targets/crypto_info/tasks/main.yml
View File

@@ -9,19 +9,19 @@
#################################################################### ####################################################################
- name: Retrieve information - name: Retrieve information
crypto_info: community.crypto.crypto_info:
register: result register: result
- name: Display information - name: Display information
debug: ansible.builtin.debug:
var: result var: result
- name: Register cryptography version - name: Register cryptography version
command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'" ansible.builtin.command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
register: local_cryptography_version register: local_cryptography_version
- name: Determine complex version-based capabilities - name: Determine complex version-based capabilities
set_fact: ansible.builtin.set_fact:
supports_ed25519: >- supports_ed25519: >-
{{ {{
local_cryptography_version.stdout is version("2.6", ">=") local_cryptography_version.stdout is version("2.6", ">=")
@@ -42,7 +42,7 @@
}} }}
- name: Verify cryptography information - name: Verify cryptography information
assert: ansible.builtin.assert:
that: that:
- result.python_cryptography_installed - result.python_cryptography_installed
- "'python_cryptography_import_error' not in result" - "'python_cryptography_import_error' not in result"
@@ -63,15 +63,15 @@
- result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>=')) - result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>='))
- name: Find OpenSSL binary - name: Find OpenSSL binary
command: which openssl ansible.builtin.command: which openssl
register: local_openssl_path register: local_openssl_path
- name: Find OpenSSL version - name: Find OpenSSL version
command: openssl version ansible.builtin.command: openssl version
register: local_openssl_version_full register: local_openssl_version_full
- name: Verify OpenSSL information - name: Verify OpenSSL information
assert: ansible.builtin.assert:
that: that:
- result.openssl_present - result.openssl_present
- result.openssl.path == local_openssl_path.stdout - result.openssl.path == local_openssl_path.stdout

32
tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: "Get CSR info" - name: "Get CSR info"
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }} {{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info }}
result_idna: >- result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }} {{ lookup('file', remote_tmp_dir ~ '/csr_1.csr') | community.crypto.openssl_csr_info(name_encoding='unicode') }}
- name: "Check whether subject and extensions behaves as expected" - name: "Check whether subject and extensions behaves as expected"
assert: ansible.builtin.assert:
that: that:
- result.subject.organizationalUnitName == 'ACME Department' - result.subject.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered" - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
@@ -40,7 +40,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg==' - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier" - name: "Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
assert: ansible.builtin.assert:
that: that:
- result.subject_key_identifier == "00:11:22:33" - result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77" - result.authority_key_identifier == "44:55:66:77"
@@ -57,17 +57,17 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info" - name: "Get CSR info"
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }} {{ lookup('file', remote_tmp_dir ~ '/csr_2.csr') | community.crypto.openssl_csr_info }}
- name: "Get CSR info" - name: "Get CSR info"
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }} {{ lookup('file', remote_tmp_dir ~ '/csr_3.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier" - name: "Check AuthorityKeyIdentifier"
assert: ansible.builtin.assert:
that: that:
- result.authority_key_identifier is none - result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer - result.authority_cert_issuer == expected_authority_cert_issuer
@@ -79,12 +79,12 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: "Get CSR info" - name: "Get CSR info"
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }} {{ lookup('file', remote_tmp_dir ~ '/csr_4.csr') | community.crypto.openssl_csr_info }}
- name: "Check AuthorityKeyIdentifier" - name: "Check AuthorityKeyIdentifier"
assert: ansible.builtin.assert:
that: that:
- result.authority_key_identifier == "44:55:66:77" - result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none - result.authority_cert_issuer is none
@@ -92,53 +92,53 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ [] | community.crypto.openssl_csr_info }} {{ [] | community.crypto.openssl_csr_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The community.crypto.openssl_csr_info input must be a text type, not ") - output.msg is search("The community.crypto.openssl_csr_info input must be a text type, not ")
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.openssl_csr_info }} {{ 'foo' | community.crypto.openssl_csr_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("Unable to load (?:request|PEM file)(?:\.|$)") - output.msg is search("Unable to load (?:request|PEM file)(?:\.|$)")
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }} {{ 'foo' | community.crypto.openssl_csr_info(name_encoding=[]) }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be of a text type, not ") - output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter - name: Get invalid name_encoding parameter
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }} {{ 'bar' | community.crypto.openssl_csr_info(name_encoding='foo') }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$") - output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

16
tests/integration/targets/filter_openssl_csr_info/tasks/main.yml
View File

@@ -9,23 +9,23 @@
#################################################################### ####################################################################
- name: Make sure the Python idna library is installed - name: Make sure the Python idna library is installed
pip: ansible.builtin.pip:
name: idna name: idna
state: present state: present
- name: Generate privatekey - name: Generate privatekey
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem' path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size }}' size: '{{ default_rsa_key_size }}'
- name: Generate privatekey with password - name: Generate privatekey with password
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem' path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2 passphrase: hunter2
size: '{{ default_rsa_key_size }}' size: '{{ default_rsa_key_size }}'
- name: Generate CSR 1 - name: Generate CSR 1
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr' path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject: subject:
@@ -94,7 +94,7 @@
- "IP:1.2.3.4" - "IP:1.2.3.4"
- name: Generate CSR 2 - name: Generate CSR 2
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr' path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2 privatekey_passphrase: hunter2
@@ -103,7 +103,7 @@
- "CA:TRUE" - "CA:TRUE"
- name: Generate CSR 3 - name: Generate CSR 3
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr' path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false useCommonNameForSAN: false
@@ -121,12 +121,12 @@
- "IP:1.2.3.4" - "IP:1.2.3.4"
- name: Generate CSR 4 - name: Generate CSR 4
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr' path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}' authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Running tests - name: Running tests
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')

24
tests/integration/targets/filter_openssl_privatekey_info/tasks/impl.yml
View File

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info - name: Get key 1 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_1.pem') | community.crypto.openssl_privatekey_info }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_1.pem') | community.crypto.openssl_privatekey_info }}
- name: Check that RSA key info is ok - name: Check that RSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'public_key' in result" - "'public_key' in result"
- "'public_key_fingerprints' in result" - "'public_key_fingerprints' in result"
@@ -21,12 +21,12 @@
- "'private_data' not in result" - "'private_data' not in result"
- name: Get key 2 info - name: Get key 2 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_2.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_2.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that RSA key info is ok - name: Check that RSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'public_key' in result" - "'public_key' in result"
- "'public_key_fingerprints' in result" - "'public_key_fingerprints' in result"
@@ -41,26 +41,26 @@
- "result.private_data.exponent > 5" - "result.private_data.exponent > 5"
- name: Get key 3 info (without passphrase) - name: Get key 3 info (without passphrase)
set_fact: ansible.builtin.set_fact:
result_: >- result_: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
ignore_errors: true ignore_errors: true
register: result register: result
- name: Check that loading passphrase protected key without passphrase failed - name: Check that loading passphrase protected key without passphrase failed
assert: ansible.builtin.assert:
that: that:
- result is failed - result is failed
- >- - >-
'Wrong or empty passphrase provided for private key' in result.msg 'Wrong or empty passphrase provided for private key' in result.msg
- name: Get key 3 info (with passphrase) - name: Get key 3 info (with passphrase)
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(passphrase='hunter2', return_private_key_data=true) }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_3.pem') | community.crypto.openssl_privatekey_info(passphrase='hunter2', return_private_key_data=true) }}
- name: Check that RSA key info is ok - name: Check that RSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'public_key' in result" - "'public_key' in result"
- "'public_key_fingerprints' in result" - "'public_key_fingerprints' in result"
@@ -74,12 +74,12 @@
- "result.private_data.exponent > 5" - "result.private_data.exponent > 5"
- name: Get key 4 info - name: Get key 4 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_4.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_4.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that ECC key info is ok - name: Check that ECC key info is ok
assert: ansible.builtin.assert:
that: that:
- "'public_key' in result" - "'public_key' in result"
- "'public_key_fingerprints' in result" - "'public_key_fingerprints' in result"
@@ -94,12 +94,12 @@
- "result.private_data.multiplier > 1024" - "result.private_data.multiplier > 1024"
- name: Get key 5 info - name: Get key 5 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/privatekey_5.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }} {{ lookup('file', remote_tmp_dir ~ '/privatekey_5.pem') | community.crypto.openssl_privatekey_info(return_private_key_data=true) }}
- name: Check that DSA key info is ok - name: Check that DSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'public_key' in result" - "'public_key' in result"
- "'public_key_fingerprints' in result" - "'public_key_fingerprints' in result"

12
tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml
View File

@@ -9,34 +9,34 @@
#################################################################### ####################################################################
- name: Generate privatekey 1 - name: Generate privatekey 1
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem' path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits) - name: Generate privatekey 2 (less bits)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem' path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA type: RSA
size: '{{ default_rsa_key_size }}' size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (with password) - name: Generate privatekey 3 (with password)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem' path: '{{ remote_tmp_dir }}/privatekey_3.pem'
passphrase: hunter2 passphrase: hunter2
size: '{{ default_rsa_key_size }}' size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 4 (ECC) - name: Generate privatekey 4 (ECC)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem' path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: ECC type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}" curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
# ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead # ^ cryptography on CentOS6 doesn't support secp256k1, so we use secp521r1 instead
- name: Generate privatekey 5 (DSA) - name: Generate privatekey 5 (DSA)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_5.pem' path: '{{ remote_tmp_dir }}/privatekey_5.pem'
type: DSA type: DSA
size: 1024 size: 1024
- name: Running tests - name: Running tests
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=') when: cryptography_version.stdout is version('1.2.3', '>=')

24
tests/integration/targets/filter_openssl_publickey_info/tasks/impl.yml
View File

@@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Get key 1 info - name: Get key 1 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_1.pem') | community.crypto.openssl_publickey_info }} {{ lookup('file', remote_tmp_dir ~ '/publickey_1.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok - name: Check that RSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'fingerprints' in result" - "'fingerprints' in result"
- "'type' in result" - "'type' in result"
@@ -19,12 +19,12 @@
- "result.public_data.exponent > 5" - "result.public_data.exponent > 5"
- name: Get key 2 info - name: Get key 2 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_2.pem') | community.crypto.openssl_publickey_info }} {{ lookup('file', remote_tmp_dir ~ '/publickey_2.pem') | community.crypto.openssl_publickey_info }}
- name: Check that RSA key info is ok - name: Check that RSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'fingerprints' in result" - "'fingerprints' in result"
- "'type' in result" - "'type' in result"
@@ -35,12 +35,12 @@
- "result.public_data.exponent > 5" - "result.public_data.exponent > 5"
- name: Get key 3 info - name: Get key 3 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_3.pem') | community.crypto.openssl_publickey_info }} {{ lookup('file', remote_tmp_dir ~ '/publickey_3.pem') | community.crypto.openssl_publickey_info }}
- name: Check that ECC key info is ok - name: Check that ECC key info is ok
assert: ansible.builtin.assert:
that: that:
- "'fingerprints' in result" - "'fingerprints' in result"
- "'type' in result" - "'type' in result"
@@ -52,12 +52,12 @@
- "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)" - "result.public_data.exponent_size == (521 if (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') else 256)"
- name: Get key 4 info - name: Get key 4 info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/publickey_4.pem') | community.crypto.openssl_publickey_info }} {{ lookup('file', remote_tmp_dir ~ '/publickey_4.pem') | community.crypto.openssl_publickey_info }}
- name: Check that DSA key info is ok - name: Check that DSA key info is ok
assert: ansible.builtin.assert:
that: that:
- "'fingerprints' in result" - "'fingerprints' in result"
- "'type' in result" - "'type' in result"
@@ -69,27 +69,27 @@
- "result.public_data.y > 2" - "result.public_data.y > 2"
- name: Get invalid key info - name: Get invalid key info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ [] | community.crypto.openssl_publickey_info }} {{ [] | community.crypto.openssl_publickey_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The community.crypto.openssl_publickey_info input must be a text type, not ") - output.msg is search("The community.crypto.openssl_publickey_info input must be a text type, not ")
- name: Get invalid key info - name: Get invalid key info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.openssl_publickey_info }} {{ 'foo' | community.crypto.openssl_publickey_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- 'output.msg is search("Error while deserializing key: ")' - 'output.msg is search("Error while deserializing key: ")'

12
tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml
View File

@@ -9,17 +9,17 @@
#################################################################### ####################################################################
- name: Generate privatekey 1 - name: Generate privatekey 1
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_1.pem' path: '{{ remote_tmp_dir }}/privatekey_1.pem'
- name: Generate privatekey 2 (less bits) - name: Generate privatekey 2 (less bits)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_2.pem' path: '{{ remote_tmp_dir }}/privatekey_2.pem'
type: RSA type: RSA
size: '{{ default_rsa_key_size }}' size: '{{ default_rsa_key_size }}'
- name: Generate privatekey 3 (ECC) - name: Generate privatekey 3 (ECC)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_3.pem' path: '{{ remote_tmp_dir }}/privatekey_3.pem'
type: ECC type: ECC
curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}" curve: "{{ (ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6') | ternary('secp521r1', 'secp256k1') }}"
@@ -27,13 +27,13 @@
select_crypto_backend: cryptography select_crypto_backend: cryptography
- name: Generate privatekey 4 (DSA) - name: Generate privatekey 4 (DSA)
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey_4.pem' path: '{{ remote_tmp_dir }}/privatekey_4.pem'
type: DSA type: DSA
size: 1024 size: 1024
- name: Generate public keys - name: Generate public keys
openssl_publickey: community.crypto.openssl_publickey:
privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey_{{ item }}.pem'
path: '{{ remote_tmp_dir }}/publickey_{{ item }}.pem' path: '{{ remote_tmp_dir }}/publickey_{{ item }}.pem'
loop: loop:
@@ -43,5 +43,5 @@
- 4 - 4
- name: Running tests - name: Running tests
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2.3', '>=') when: cryptography_version.stdout is version('1.2.3', '>=')

12
tests/integration/targets/filter_parse_serial/tasks/main.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Test parse_serial filter - name: Test parse_serial filter
assert: ansible.builtin.assert:
that: that:
- >- - >-
'0' | community.crypto.parse_serial == 0 '0' | community.crypto.parse_serial == 0
@@ -22,35 +22,35 @@
'1:2:3' | community.crypto.parse_serial == 66051 '1:2:3' | community.crypto.parse_serial == 66051
- name: "Test error 1: empty string" - name: "Test error 1: empty string"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ '' | community.crypto.parse_serial }} {{ '' | community.crypto.parse_serial }}
ignore_errors: true ignore_errors: true
register: error_1 register: error_1
- name: "Test error 2: invalid type" - name: "Test error 2: invalid type"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ [] | community.crypto.parse_serial }} {{ [] | community.crypto.parse_serial }}
ignore_errors: true ignore_errors: true
register: error_2 register: error_2
- name: "Test error 3: invalid values (range)" - name: "Test error 3: invalid values (range)"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ '100' | community.crypto.parse_serial }} {{ '100' | community.crypto.parse_serial }}
ignore_errors: true ignore_errors: true
register: error_3 register: error_3
- name: "Test error 4: invalid values (digits)" - name: "Test error 4: invalid values (digits)"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ 'abcdefg' | community.crypto.parse_serial }} {{ 'abcdefg' | community.crypto.parse_serial }}
ignore_errors: true ignore_errors: true
register: error_4 register: error_4
- name: Validate errors - name: Validate errors
assert: ansible.builtin.assert:
that: that:
- >- - >-
error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg

6
tests/integration/targets/filter_split_pem/tasks/main.yml
View File

@@ -9,7 +9,7 @@
#################################################################### ####################################################################
- name: Run tests that raise no errors - name: Run tests that raise no errors
assert: ansible.builtin.assert:
that: that:
- >- - >-
'' | community.crypto.split_pem == [] '' | community.crypto.split_pem == []
@@ -49,13 +49,13 @@
AAb= AAb=
- name: Invalid input - name: Invalid input
debug: ansible.builtin.debug:
msg: "{{ [] | community.crypto.split_pem }}" msg: "{{ [] | community.crypto.split_pem }}"
ignore_errors: true ignore_errors: true
register: output register: output
- name: Validate error - name: Validate error
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The community.crypto.split_pem input must be a text type, not ") - output.msg is search("The community.crypto.split_pem input must be a text type, not ")

8
tests/integration/targets/filter_to_serial/tasks/main.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Test to_serial filter - name: Test to_serial filter
assert: ansible.builtin.assert:
that: that:
- 0 | community.crypto.to_serial == '00' - 0 | community.crypto.to_serial == '00'
- 1 | community.crypto.to_serial == '01' - 1 | community.crypto.to_serial == '01'
@@ -13,21 +13,21 @@
- 65536 | community.crypto.to_serial == '01:00:00' - 65536 | community.crypto.to_serial == '01:00:00'
- name: "Test error 1: negative number" - name: "Test error 1: negative number"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ (-1) | community.crypto.to_serial }} {{ (-1) | community.crypto.to_serial }}
ignore_errors: true ignore_errors: true
register: error_1 register: error_1
- name: "Test error 2: invalid type" - name: "Test error 2: invalid type"
debug: ansible.builtin.debug:
msg: >- msg: >-
{{ [] | community.crypto.to_serial }} {{ [] | community.crypto.to_serial }}
ignore_errors: true ignore_errors: true
register: error_2 register: error_2
- name: Validate error - name: Validate error
assert: ansible.builtin.assert:
that: that:
- >- - >-
error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg

38
tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Get certificate info - name: Get certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info }} {{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info }}
result_idna: >- result_idna: >-
@@ -13,7 +13,7 @@
{{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info(name_encoding='unicode') }} {{ lookup('file', remote_tmp_dir ~ '/cert_1.pem') | community.crypto.x509_certificate_info(name_encoding='unicode') }}
- name: Check whether issuer and subject and extensions behave as expected - name: Check whether issuer and subject and extensions behave as expected
assert: ansible.builtin.assert:
that: that:
- result.issuer.organizationalUnitName == 'ACME Department' - result.issuer.organizationalUnitName == 'ACME Department'
- "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered" - "['organizationalUnitName', 'Crypto Department'] in result.issuer_ordered"
@@ -72,7 +72,7 @@
- result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg==' - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='
- name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier - name: Check SubjectKeyIdentifier and AuthorityKeyIdentifier
assert: ansible.builtin.assert:
that: that:
- result.subject_key_identifier == "00:11:22:33" - result.subject_key_identifier == "00:11:22:33"
- result.authority_key_identifier == "44:55:66:77" - result.authority_key_identifier == "44:55:66:77"
@@ -89,17 +89,17 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info - name: Get certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_2.pem') | community.crypto.x509_certificate_info }} {{ lookup('file', remote_tmp_dir ~ '/cert_2.pem') | community.crypto.x509_certificate_info }}
- name: Get certificate info - name: Get certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_3.pem') | community.crypto.x509_certificate_info }} {{ lookup('file', remote_tmp_dir ~ '/cert_3.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier - name: Check AuthorityKeyIdentifier
assert: ansible.builtin.assert:
that: that:
- result.authority_key_identifier is none - result.authority_key_identifier is none
- result.authority_cert_issuer == expected_authority_cert_issuer - result.authority_cert_issuer == expected_authority_cert_issuer
@@ -111,12 +111,12 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info - name: Get certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', remote_tmp_dir ~ '/cert_4.pem') | community.crypto.x509_certificate_info }} {{ lookup('file', remote_tmp_dir ~ '/cert_4.pem') | community.crypto.x509_certificate_info }}
- name: Check AuthorityKeyIdentifier - name: Check AuthorityKeyIdentifier
assert: ansible.builtin.assert:
that: that:
- result.authority_key_identifier == "44:55:66:77" - result.authority_key_identifier == "44:55:66:77"
- result.authority_cert_issuer is none - result.authority_cert_issuer is none
@@ -124,11 +124,11 @@
when: cryptography_version.stdout is version('1.3', '>=') when: cryptography_version.stdout is version('1.3', '>=')
- name: Get certificate info for packaged cert 1 - name: Get certificate info for packaged cert 1
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ lookup('file', role_path ~ '/../x509_certificate_info/files/cert1.pem') | community.crypto.x509_certificate_info }} {{ lookup('file', role_path ~ '/../x509_certificate_info/files/cert1.pem') | community.crypto.x509_certificate_info }}
- name: Check extensions - name: Check extensions
assert: ansible.builtin.assert:
that: that:
- "'ocsp_uri' in result" - "'ocsp_uri' in result"
- "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'" - "result.ocsp_uri == 'http://ocsp.foobarbaz.example.com'"
@@ -165,59 +165,59 @@
- result.extensions_by_oid['2.5.29.37'].critical == false - result.extensions_by_oid['2.5.29.37'].critical == false
- result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg==' - result.extensions_by_oid['2.5.29.37'].value == 'MBQGCCsGAQUFBwMBBggrBgEFBQcDAg=='
- name: Check fingerprints - name: Check fingerprints
assert: ansible.builtin.assert:
that: that:
- (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true) - (result.fingerprints.sha256 == '08:26:60:3d:29:11:f2:88:09:3f:40:71:bb:67:cb:59:9c:6e:cf:e0:49:22:ab:e8:60:bd:f6:9a:01:e3:0e:2c' if result.fingerprints.sha256 is defined else true)
- (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true) - (result.fingerprints.sha1 == '5a:32:7f:22:61:f3:2e:ad:a7:d8:77:07:1c:7f:08:cd:ab:7f:bc:11' if result.fingerprints.sha1 is defined else true)
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ [] | community.crypto.x509_certificate_info }} {{ [] | community.crypto.x509_certificate_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The community.crypto.x509_certificate_info input must be a text type, not ") - output.msg is search("The community.crypto.x509_certificate_info input must be a text type, not ")
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.x509_certificate_info }} {{ 'foo' | community.crypto.x509_certificate_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("Unable to load (?:certificate|PEM file)(?:\.|$)") - output.msg is search("Unable to load (?:certificate|PEM file)(?:\.|$)")
- name: Get invalid certificate info - name: Get invalid certificate info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.x509_certificate_info(name_encoding=[]) }} {{ 'foo' | community.crypto.x509_certificate_info(name_encoding=[]) }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be of a text type, not ") - output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter - name: Get invalid name_encoding parameter
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'bar' | community.crypto.x509_certificate_info(name_encoding='foo') }} {{ 'bar' | community.crypto.x509_certificate_info(name_encoding='foo') }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$") - output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")

18
tests/integration/targets/filter_x509_certificate_info/tasks/main.yml
View File

@@ -9,24 +9,24 @@
#################################################################### ####################################################################
- name: Make sure the Python idna library is installed - name: Make sure the Python idna library is installed
pip: ansible.builtin.pip:
name: idna name: idna
state: present state: present
- name: Generate privatekey - name: Generate privatekey
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekey.pem' path: '{{ remote_tmp_dir }}/privatekey.pem'
size: '{{ default_rsa_key_size_certificates }}' size: '{{ default_rsa_key_size_certificates }}'
- name: Generate privatekey with password - name: Generate privatekey with password
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/privatekeypw.pem' path: '{{ remote_tmp_dir }}/privatekeypw.pem'
passphrase: hunter2 passphrase: hunter2
select_crypto_backend: cryptography select_crypto_backend: cryptography
size: '{{ default_rsa_key_size_certificates }}' size: '{{ default_rsa_key_size_certificates }}'
- name: Generate CSR 1 - name: Generate CSR 1
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_1.csr' path: '{{ remote_tmp_dir }}/csr_1.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
subject: subject:
@@ -97,7 +97,7 @@
- "IP:1.2.3.4" - "IP:1.2.3.4"
- name: Generate CSR 2 - name: Generate CSR 2
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_2.csr' path: '{{ remote_tmp_dir }}/csr_2.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekeypw.pem'
privatekey_passphrase: hunter2 privatekey_passphrase: hunter2
@@ -106,7 +106,7 @@
- "CA:TRUE" - "CA:TRUE"
- name: Generate CSR 3 - name: Generate CSR 3
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_3.csr' path: '{{ remote_tmp_dir }}/csr_3.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false useCommonNameForSAN: false
@@ -124,14 +124,14 @@
- "IP:1.2.3.4" - "IP:1.2.3.4"
- name: Generate CSR 4 - name: Generate CSR 4
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/csr_4.csr' path: '{{ remote_tmp_dir }}/csr_4.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
useCommonNameForSAN: false useCommonNameForSAN: false
authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}' authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
- name: Generate selfsigned certificates - name: Generate selfsigned certificates
x509_certificate: community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem' path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr' csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem' privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
@@ -146,5 +146,5 @@
- 4 - 4
- name: Running tests - name: Running tests
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.6', '>=') when: cryptography_version.stdout is version('1.6', '>=')

56
tests/integration/targets/filter_x509_crl_info/tasks/impl.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create CRL 1 - name: Create CRL 1
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl' path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer: issuer:
@@ -23,17 +23,17 @@
revocation_date: 20191001000000Z revocation_date: 20191001000000Z
- name: Retrieve CRL 1 infos - name: Retrieve CRL 1 infos
set_fact: ansible.builtin.set_fact:
crl_1_info_1: >- crl_1_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | community.crypto.x509_crl_info }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | community.crypto.x509_crl_info }}
- name: Retrieve CRL 1 infos - name: Retrieve CRL 1 infos
set_fact: ansible.builtin.set_fact:
crl_1_info_2: >- crl_1_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | b64encode | community.crypto.x509_crl_info }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl1.crl') | b64encode | community.crypto.x509_crl_info }}
- name: Validate CRL 1 info - name: Validate CRL 1 info
assert: ansible.builtin.assert:
that: that:
- crl_1_info_1.format == 'pem' - crl_1_info_1.format == 'pem'
- crl_1_info_1.digest == 'ecdsa-with-SHA256' - crl_1_info_1.digest == 'ecdsa-with-SHA256'
@@ -70,7 +70,7 @@
- crl_1_info_1 == crl_1_info_2 - crl_1_info_1 == crl_1_info_2
- name: Recreate CRL 1 as DER file - name: Recreate CRL 1 as DER file
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl' path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
format: der format: der
@@ -90,7 +90,7 @@
revocation_date: 20191001000000Z revocation_date: 20191001000000Z
- name: Read ca-crl1.crl - name: Read ca-crl1.crl
slurp: ansible.builtin.slurp:
src: "{{ remote_tmp_dir }}/ca-crl1.crl" src: "{{ remote_tmp_dir }}/ca-crl1.crl"
register: content register: content
@@ -102,19 +102,19 @@
when: ansible_version.string is version('2.11', '>=') or ansible_python.version.major > 2 when: ansible_version.string is version('2.11', '>=') or ansible_python.version.major > 2
- name: Retrieve CRL 1 infos from DER (Base64 encoded) - name: Retrieve CRL 1 infos from DER (Base64 encoded)
set_fact: ansible.builtin.set_fact:
crl_1_info_5: >- crl_1_info_5: >-
{{ content.content | community.crypto.x509_crl_info }} {{ content.content | community.crypto.x509_crl_info }}
- name: Validate CRL 1 - name: Validate CRL 1
assert: ansible.builtin.assert:
that: that:
- crl_1_info_4 is not defined or crl_1_info_4.format == 'der' - crl_1_info_4 is not defined or crl_1_info_4.format == 'der'
- crl_1_info_5.format == 'der' - crl_1_info_5.format == 'der'
- crl_1_info_4 is not defined or crl_1_info_4 == crl_1_info_5 - crl_1_info_4 is not defined or crl_1_info_4 == crl_1_info_5
- name: Create CRL 2 - name: Create CRL 2
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl' path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered: issuer_ordered:
@@ -135,12 +135,12 @@
register: crl_2_change register: crl_2_change
- name: Retrieve CRL 2 infos - name: Retrieve CRL 2 infos
set_fact: ansible.builtin.set_fact:
crl_2_info_1: >- crl_2_info_1: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Create CRL 2 (changed order) - name: Create CRL 2 (changed order)
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl2.crl' path: '{{ remote_tmp_dir }}/ca-crl2.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer_ordered: issuer_ordered:
@@ -161,12 +161,12 @@
register: crl_2_change_order register: crl_2_change_order
- name: Retrieve CRL 2 infos again - name: Retrieve CRL 2 infos again
set_fact: ansible.builtin.set_fact:
crl_2_info_2: >- crl_2_info_2: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl2.crl') | community.crypto.x509_crl_info(list_revoked_certificates=false) }}
- name: Validate CRL 2 info - name: Validate CRL 2 info
assert: ansible.builtin.assert:
that: that:
- "'revoked_certificates' not in crl_2_info_1" - "'revoked_certificates' not in crl_2_info_1"
- > - >
@@ -185,7 +185,7 @@
] ]
- name: Create CRL 3 - name: Create CRL 3
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl' path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer: issuer:
@@ -215,7 +215,7 @@
register: crl_3 register: crl_3
- name: Create CRL 3 (IDNA encoding) - name: Create CRL 3 (IDNA encoding)
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl' path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer: issuer:
@@ -240,7 +240,7 @@
register: crl_3_idna register: crl_3_idna
- name: Create CRL 3 (Unicode encoding) - name: Create CRL 3 (Unicode encoding)
x509_crl: community.crypto.x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl3.crl' path: '{{ remote_tmp_dir }}/ca-crl3.crl'
privatekey_path: '{{ remote_tmp_dir }}/ca.key' privatekey_path: '{{ remote_tmp_dir }}/ca.key'
issuer: issuer:
@@ -265,7 +265,7 @@
register: crl_3_unicode register: crl_3_unicode
- name: Retrieve CRL 3 infos - name: Retrieve CRL 3 infos
set_fact: ansible.builtin.set_fact:
crl_3_info: >- crl_3_info: >-
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true) }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true) }}
crl_3_info_idna: >- crl_3_info_idna: >-
@@ -274,73 +274,73 @@
{{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true, name_encoding='unicode') }} {{ lookup('file', remote_tmp_dir ~ '/ca-crl3.crl') | community.crypto.x509_crl_info(list_revoked_certificates=true, name_encoding='unicode') }}
- name: Validate CRL 3 info - name: Validate CRL 3 info
assert: ansible.builtin.assert:
that: that:
- crl_3.revoked_certificates == crl_3_info.revoked_certificates - crl_3.revoked_certificates == crl_3_info.revoked_certificates
- crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates - crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates
- crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates - crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates
- name: Get invalid CRL info - name: Get invalid CRL info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ [] | community.crypto.x509_crl_info }} {{ [] | community.crypto.x509_crl_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The community.crypto.x509_crl_info input must be a text type, not ") - output.msg is search("The community.crypto.x509_crl_info input must be a text type, not ")
- name: Get invalid CRL info - name: Get invalid CRL info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.x509_crl_info }} {{ 'foo' | community.crypto.x509_crl_info }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("Error while decoding CRL") - output.msg is search("Error while decoding CRL")
- name: Get invalid CRL info - name: Get invalid CRL info
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'foo' | community.crypto.x509_crl_info(name_encoding=[]) }} {{ 'foo' | community.crypto.x509_crl_info(name_encoding=[]) }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be of a text type, not ") - output.msg is search("The name_encoding option must be of a text type, not ")
- name: Get invalid name_encoding parameter - name: Get invalid name_encoding parameter
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'bar' | community.crypto.x509_crl_info(name_encoding='foo') }} {{ 'bar' | community.crypto.x509_crl_info(name_encoding='foo') }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$") - output.msg is search("The name_encoding option must be one of the values \"ignore\", \"idna\", or \"unicode\", not \"foo\"$")
- name: Get invalid list_revoked_certificates parameter - name: Get invalid list_revoked_certificates parameter
set_fact: ansible.builtin.set_fact:
result: >- result: >-
{{ 'bar' | community.crypto.x509_crl_info(list_revoked_certificates=[]) }} {{ 'bar' | community.crypto.x509_crl_info(list_revoked_certificates=[]) }}
ignore_errors: true ignore_errors: true
register: output register: output
- name: Check that task failed and error message is OK - name: Check that task failed and error message is OK
assert: ansible.builtin.assert:
that: that:
- output is failed - output is failed
- output.msg is search("The list_revoked_certificates option must be a boolean, not ") - output.msg is search("The list_revoked_certificates option must be a boolean, not ")

16
tests/integration/targets/filter_x509_crl_info/tasks/main.yml
View File

@@ -9,11 +9,11 @@
#################################################################### ####################################################################
- name: Make sure the Python idna library is installed - name: Make sure the Python idna library is installed
pip: ansible.builtin.pip:
name: idna name: idna
state: present state: present
- set_fact: - ansible.builtin.set_fact:
certificates: certificates:
- name: ca - name: ca
subject: subject:
@@ -39,14 +39,14 @@
- DNS:b64.ansible.com - DNS:b64.ansible.com
- name: Generate private keys - name: Generate private keys
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/{{ item.name }}.key' path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
loop: "{{ certificates }}" loop: "{{ certificates }}"
- name: Generate CSRs - name: Generate CSRs
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/{{ item.name }}.csr' path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key' privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
subject: "{{ item.subject | default(omit) }}" subject: "{{ item.subject | default(omit) }}"
@@ -56,7 +56,7 @@
loop: "{{ certificates }}" loop: "{{ certificates }}"
- name: Generate CA certificates - name: Generate CA certificates
x509_certificate: community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem' path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr' csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key' privatekey_path: '{{ remote_tmp_dir }}/{{ item.name }}.key'
@@ -65,7 +65,7 @@
when: item.is_ca | default(false) when: item.is_ca | default(false)
- name: Generate other certificates - name: Generate other certificates
x509_certificate: community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/{{ item.name }}.pem' path: '{{ remote_tmp_dir }}/{{ item.name }}.pem'
csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr' csr_path: '{{ remote_tmp_dir }}/{{ item.name }}.csr'
provider: ownca provider: ownca
@@ -75,7 +75,7 @@
when: not (item.is_ca | default(false)) when: not (item.is_ca | default(false))
- name: Get certificate infos - name: Get certificate infos
x509_certificate_info: community.crypto.x509_certificate_info:
path: '{{ remote_tmp_dir }}/{{ item }}.pem' path: '{{ remote_tmp_dir }}/{{ item }}.pem'
loop: loop:
- cert-1 - cert-1
@@ -86,6 +86,6 @@
- block: - block:
- name: Running tests - name: Running tests
include_tasks: impl.yml ansible.builtin.include_tasks: impl.yml
when: cryptography_version.stdout is version('1.2', '>=') when: cryptography_version.stdout is version('1.2', '>=')

10
tests/integration/targets/get_certificate/tasks/main.yml
View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles # # and should not be used as examples of how to write Ansible roles #
#################################################################### ####################################################################
- set_fact: - ansible.builtin.set_fact:
skip_tests: false skip_tests: false
has_get_certificate_chain: >- has_get_certificate_chain: >-
{{ ansible_facts.python_version is version('3.10.0', '>=') }} {{ ansible_facts.python_version is version('3.10.0', '>=') }}
@@ -16,14 +16,14 @@
- block: - block:
- name: Get servers certificate with backend auto-detection - name: Get servers certificate with backend auto-detection
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}" asn1_base64: "{{ true if ansible_version.full is version('2.18', '>=') else omit }}"
ignore_errors: true ignore_errors: true
register: result register: result
- set_fact: - ansible.builtin.set_fact:
skip_tests: | skip_tests: |
{{ {{
result is failed and ( result is failed and (
@@ -33,7 +33,7 @@
) )
}} }}
- assert: - ansible.builtin.assert:
that: that:
- result is success or skip_tests - result is success or skip_tests
@@ -41,7 +41,7 @@
- block: - block:
- include_tasks: ../tests/validate.yml - ansible.builtin.include_tasks: ../tests/validate.yml
vars: vars:
select_crypto_backend: cryptography select_crypto_backend: cryptography

52
tests/integration/targets/get_certificate/tests/validate.yml
View File

@@ -4,16 +4,16 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Get servers certificate for SNI test part 1 - name: Get servers certificate for SNI test part 1
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
server_name: "{{ sni_host }}" server_name: "{{ sni_host }}"
asn1_base64: true asn1_base64: true
register: result register: result
- debug: var=result - ansible.builtin.debug: var=result
- assert: - ansible.builtin.assert:
that: that:
# This module should never change anything # This module should never change anything
- result is not changed - result is not changed
@@ -22,16 +22,16 @@
- "'{{ sni_host }}' == result.subject.CN" - "'{{ sni_host }}' == result.subject.CN"
- name: Get servers certificate for SNI test part 2 - name: Get servers certificate for SNI test part 2
get_certificate: community.crypto.get_certificate:
host: "{{ sni_host }}" host: "{{ sni_host }}"
port: 443 port: 443
server_name: "{{ httpbin_host }}" server_name: "{{ httpbin_host }}"
asn1_base64: true asn1_base64: true
register: result register: result
- debug: var=result - ansible.builtin.debug: var=result
- assert: - ansible.builtin.assert:
that: that:
# This module should never change anything # This module should never change anything
- result is not changed - result is not changed
@@ -40,16 +40,16 @@
- "'{{ httpbin_host }}' == result.subject.CN" - "'{{ httpbin_host }}' == result.subject.CN"
- name: Get servers certificate - name: Get servers certificate
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
asn1_base64: true asn1_base64: true
register: result register: result
- debug: var=result - ansible.builtin.debug: var=result
- assert: - ansible.builtin.assert:
that: that:
# This module should never change anything # This module should never change anything
- result is not changed - result is not changed
@@ -58,7 +58,7 @@
- "'North Carolina' == result.subject.ST" - "'North Carolina' == result.subject.ST"
- name: Connect to http port (will fail because there is no SSL cert to get) - name: Connect to http port (will fail because there is no SSL cert to get)
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 80 port: 80
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
@@ -66,7 +66,7 @@
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - ansible.builtin.assert:
that: that:
- result is not changed - result is not changed
- result is failed - result is failed
@@ -78,7 +78,7 @@
or 'record layer failure' in result.msg or 'record layer failure' in result.msg
- name: Test timeout option - name: Test timeout option
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 1234 port: 1234
timeout: 1 timeout: 1
@@ -87,7 +87,7 @@
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - ansible.builtin.assert:
that: that:
- result is not changed - result is not changed
- result is failed - result is failed
@@ -95,7 +95,7 @@
- "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg" - "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"
- name: Test failure if ca_cert is not a valid file - name: Test failure if ca_cert is not a valid file
get_certificate: community.crypto.get_certificate:
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
ca_cert: dn.e ca_cert: dn.e
@@ -104,7 +104,7 @@
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - ansible.builtin.assert:
that: that:
- result is not changed - result is not changed
- result is failed - result is failed
@@ -112,12 +112,12 @@
- "'ca_cert file does not exist' == result.msg" - "'ca_cert file does not exist' == result.msg"
- name: Download CA Cert as pem from server - name: Download CA Cert as pem from server
get_url: ansible.builtin.get_url:
url: "http://ansible.http.tests/cacert.pem" url: "http://ansible.http.tests/cacert.pem"
dest: "{{ remote_tmp_dir }}/temp.pem" dest: "{{ remote_tmp_dir }}/temp.pem"
- name: Get servers certificate comparing it to its own ca_cert file - name: Get servers certificate comparing it to its own ca_cert file
get_certificate: community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/temp.pem' ca_cert: '{{ remote_tmp_dir }}/temp.pem'
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
@@ -126,19 +126,19 @@
get_certificate_chain: "{{ has_get_certificate_chain }}" get_certificate_chain: "{{ has_get_certificate_chain }}"
register: result register: result
- assert: - ansible.builtin.assert:
that: that:
- result is not changed - result is not changed
- result is not failed - result is not failed
- name: Read CA cert - name: Read CA cert
slurp: ansible.builtin.slurp:
src: '{{ remote_tmp_dir }}/temp.pem' src: '{{ remote_tmp_dir }}/temp.pem'
register: cacert register: cacert
when: has_get_certificate_chain when: has_get_certificate_chain
- name: Validate get_certificate_chain=true results - name: Validate get_certificate_chain=true results
assert: ansible.builtin.assert:
that: that:
- result.verified_chain is sequence - result.verified_chain is sequence
- result.unverified_chain is sequence - result.unverified_chain is sequence
@@ -149,20 +149,20 @@
when: has_get_certificate_chain when: has_get_certificate_chain
- name: Validate get_certificate_chain=false results - name: Validate get_certificate_chain=false results
assert: ansible.builtin.assert:
that: that:
- result.verified_chain is undefined - result.verified_chain is undefined
- result.unverified_chain is undefined - result.unverified_chain is undefined
when: not has_get_certificate_chain when: not has_get_certificate_chain
- name: Generate bogus CA privatekey - name: Generate bogus CA privatekey
openssl_privatekey: community.crypto.openssl_privatekey:
path: '{{ remote_tmp_dir }}/bogus_ca.key' path: '{{ remote_tmp_dir }}/bogus_ca.key'
type: ECC type: ECC
curve: secp256r1 curve: secp256r1
- name: Generate bogus CA CSR - name: Generate bogus CA CSR
openssl_csr: community.crypto.openssl_csr:
path: '{{ remote_tmp_dir }}/bogus_ca.csr' path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key' privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
subject: subject:
@@ -173,7 +173,7 @@
basic_constraints_critical: true basic_constraints_critical: true
- name: Generate selfsigned bogus CA certificate - name: Generate selfsigned bogus CA certificate
x509_certificate: community.crypto.x509_certificate:
path: '{{ remote_tmp_dir }}/bogus_ca.pem' path: '{{ remote_tmp_dir }}/bogus_ca.pem'
csr_path: '{{ remote_tmp_dir }}/bogus_ca.csr' csr_path: '{{ remote_tmp_dir }}/bogus_ca.csr'
privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key' privatekey_path: '{{ remote_tmp_dir }}/bogus_ca.key'
@@ -181,7 +181,7 @@
selfsigned_digest: sha256 selfsigned_digest: sha256
- name: Get servers certificate comparing it to an invalid ca_cert file - name: Get servers certificate comparing it to an invalid ca_cert file
get_certificate: community.crypto.get_certificate:
ca_cert: '{{ remote_tmp_dir }}/bogus_ca.pem' ca_cert: '{{ remote_tmp_dir }}/bogus_ca.pem'
host: "{{ httpbin_host }}" host: "{{ httpbin_host }}"
port: 443 port: 443
@@ -190,7 +190,7 @@
register: result register: result
ignore_errors: true ignore_errors: true
- assert: - ansible.builtin.assert:
that: that:
- result is not changed - result is not changed
- result is failed - result is failed

28
tests/integration/targets/luks_device/tasks/main.yml
View File

@@ -9,7 +9,7 @@
#################################################################### ####################################################################
- name: Copy keyfiles - name: Copy keyfiles
copy: ansible.builtin.copy:
src: '{{ item }}' src: '{{ item }}'
dest: '{{ remote_tmp_dir }}/{{ item }}' dest: '{{ remote_tmp_dir }}/{{ item }}'
loop: loop:
@@ -17,7 +17,7 @@
- keyfile2 - keyfile2
- name: Include OS-specific variables - name: Include OS-specific variables
include_vars: '{{ lookup("first_found", search) }}' ansible.builtin.include_vars: '{{ lookup("first_found", search) }}'
vars: vars:
search: search:
files: files:
@@ -30,62 +30,62 @@
- vars - vars
- name: Make sure cryptsetup is installed - name: Make sure cryptsetup is installed
package: ansible.builtin.package:
name: '{{ cryptsetup_package }}' name: '{{ cryptsetup_package }}'
state: present state: present
become: true become: true
- name: Install additionally required packages - name: Install additionally required packages
package: ansible.builtin.package:
name: '{{ luks_extra_packages }}' name: '{{ luks_extra_packages }}'
state: present state: present
become: true become: true
when: luks_extra_packages | length > 0 when: luks_extra_packages | length > 0
- name: Determine cryptsetup version - name: Determine cryptsetup version
command: cryptsetup --version ansible.builtin.command: cryptsetup --version
register: cryptsetup_version register: cryptsetup_version
- name: Extract cryptsetup version - name: Extract cryptsetup version
set_fact: ansible.builtin.set_fact:
cryptsetup_version: >- cryptsetup_version: >-
{{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }} {{ cryptsetup_version.stdout_lines[0] | regex_search('cryptsetup ([0-9]+\.[0-9]+\.[0-9]+)') | split | last }}
- name: Create cryptfile - name: Create cryptfile
command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32 ansible.builtin.command: dd if=/dev/zero of={{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
- name: Figure out next loopback device - name: Figure out next loopback device
command: losetup -f ansible.builtin.command: losetup -f
become: true become: true
register: cryptfile_device_output register: cryptfile_device_output
- name: Create lookback device - name: Create lookback device
command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile ansible.builtin.command: losetup -f {{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile
become: true become: true
- name: Store some common data for tests - name: Store some common data for tests
set_fact: ansible.builtin.set_fact:
cryptfile_device: "{{ cryptfile_device_output.stdout_lines[0] }}" cryptfile_device: "{{ cryptfile_device_output.stdout_lines[0] }}"
cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE" cryptfile_passphrase1: "uNiJ9vKG2mUOEWDiQVuBHJlfMHE"
cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M" cryptfile_passphrase2: "HW4Ak2HtE2vvne0qjJMPTtmbV4M"
cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM" cryptfile_passphrase3: "qQJqsjabO9pItV792k90VvX84MM"
- block: - block:
- include_tasks: run-test.yml - ansible.builtin.include_tasks: run-test.yml
with_fileglob: with_fileglob:
- "tests/*.yml" - "tests/*.yml"
always: always:
- name: Make sure LUKS device is gone - name: Make sure LUKS device is gone
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
become: true become: true
ignore_errors: true ignore_errors: true
- command: losetup -d "{{ cryptfile_device }}" - ansible.builtin.command: losetup -d "{{ cryptfile_device }}"
become: true become: true
- file: - ansible.builtin.file:
dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile" dest: "{{ remote_tmp_dir.replace('~', ansible_env.HOME) }}/cryptfile"
state: absent state: absent

4
tests/integration/targets/luks_device/tasks/run-test.yml
View File

@@ -4,9 +4,9 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Make sure LUKS device is gone - name: Make sure LUKS device is gone
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
become: true become: true
- name: "Loading tasks from {{ item }}" - name: "Loading tasks from {{ item }}"
include_tasks: "{{ item }}" ansible.builtin.include_tasks: "{{ item }}"

54
tests/integration/targets/luks_device/tasks/tests/create-destroy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create (check) - name: Create (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -14,7 +14,7 @@
become: true become: true
register: create_check register: create_check
- name: Create - name: Create
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -23,7 +23,7 @@
become: true become: true
register: create register: create
- name: Create (idempotent) - name: Create (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -32,7 +32,7 @@
become: true become: true
register: create_idem register: create_idem
- name: Create (idempotent, check) - name: Create (idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -41,7 +41,7 @@
check_mode: true check_mode: true
become: true become: true
register: create_idem_check register: create_idem_check
- assert: - ansible.builtin.assert:
that: that:
- create_check is changed - create_check is changed
- create is changed - create is changed
@@ -49,7 +49,7 @@
- create_idem_check is not changed - create_idem_check is not changed
- name: Open (check) - name: Open (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -57,28 +57,28 @@
become: true become: true
register: open_check register: open_check
- name: Open - name: Open
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
register: open register: open
- name: Open (idempotent) - name: Open (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
register: open_idem register: open_idem
- name: Open (idempotent, check) - name: Open (idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
check_mode: true check_mode: true
become: true become: true
register: open_idem_check register: open_idem_check
- assert: - ansible.builtin.assert:
that: that:
- open_check is changed - open_check is changed
- open is changed - open is changed
@@ -86,32 +86,32 @@
- open_idem_check is not changed - open_idem_check is not changed
- name: Closed (via name, check) - name: Closed (via name, check)
luks_device: community.crypto.luks_device:
name: "{{ open.name }}" name: "{{ open.name }}"
state: closed state: closed
check_mode: true check_mode: true
become: true become: true
register: close_check register: close_check
- name: Closed (via name) - name: Closed (via name)
luks_device: community.crypto.luks_device:
name: "{{ open.name }}" name: "{{ open.name }}"
state: closed state: closed
become: true become: true
register: close register: close
- name: Closed (via name, idempotent) - name: Closed (via name, idempotent)
luks_device: community.crypto.luks_device:
name: "{{ open.name }}" name: "{{ open.name }}"
state: closed state: closed
become: true become: true
register: close_idem register: close_idem
- name: Closed (via name, idempotent, check) - name: Closed (via name, idempotent, check)
luks_device: community.crypto.luks_device:
name: "{{ open.name }}" name: "{{ open.name }}"
state: closed state: closed
check_mode: true check_mode: true
become: true become: true
register: close_idem_check register: close_idem_check
- assert: - ansible.builtin.assert:
that: that:
- close_check is changed - close_check is changed
- close is changed - close is changed
@@ -119,39 +119,39 @@
- close_idem_check is not changed - close_idem_check is not changed
- name: Re-open - name: Re-open
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
- name: Closed (via device, check) - name: Closed (via device, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
check_mode: true check_mode: true
become: true become: true
register: close_check register: close_check
- name: Closed (via device) - name: Closed (via device)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
register: close register: close
- name: Closed (via device, idempotent) - name: Closed (via device, idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
register: close_idem register: close_idem
- name: Closed (via device, idempotent, check) - name: Closed (via device, idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
check_mode: true check_mode: true
become: true become: true
register: close_idem_check register: close_idem_check
- assert: - ansible.builtin.assert:
that: that:
- close_check is changed - close_check is changed
- close is changed - close is changed
@@ -159,39 +159,39 @@
- close_idem_check is not changed - close_idem_check is not changed
- name: Re-opened - name: Re-opened
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
- name: Absent (check) - name: Absent (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
check_mode: true check_mode: true
become: true become: true
register: absent_check register: absent_check
- name: Absent - name: Absent
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
become: true become: true
register: absent register: absent
- name: Absent (idempotence) - name: Absent (idempotence)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
become: true become: true
register: absent_idem register: absent_idem
- name: Absent (idempotence, check) - name: Absent (idempotence, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: absent state: absent
check_mode: true check_mode: true
become: true become: true
register: absent_idem_check register: absent_idem_check
- assert: - ansible.builtin.assert:
that: that:
- absent_check is changed - absent_check is changed
- absent is changed - absent is changed

16
tests/integration/targets/luks_device/tasks/tests/cryptname.yml
View File

@@ -4,11 +4,11 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Fix name - name: Fix name
set_fact: ansible.builtin.set_fact:
cryptname: "crypt{{ '%0x' % ((2**32) | random) }}" cryptname: "crypt{{ '%0x' % ((2**32) | random) }}"
- name: Create - name: Create
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: present state: present
@@ -18,7 +18,7 @@
become: true become: true
register: create register: create
- name: Open - name: Open
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: opened state: opened
@@ -26,7 +26,7 @@
become: true become: true
register: open register: open
- name: Open (idempotent) - name: Open (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: opened state: opened
@@ -34,25 +34,25 @@
become: true become: true
register: open_idem register: open_idem
- name: Closed (via name) - name: Closed (via name)
luks_device: community.crypto.luks_device:
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: closed state: closed
become: true become: true
register: close register: close
- name: Closed (via name, idempotent) - name: Closed (via name, idempotent)
luks_device: community.crypto.luks_device:
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: closed state: closed
become: true become: true
register: close_idem register: close_idem
- name: Absent - name: Absent
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
name: "{{ cryptname }}" name: "{{ cryptname }}"
state: absent state: absent
become: true become: true
register: absent register: absent
- assert: - ansible.builtin.assert:
that: that:
- create is changed - create is changed
- open is changed - open is changed

12
tests/integration/targets/luks_device/tasks/tests/device-check.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with invalid device name (check) - name: Create with invalid device name (check)
luks_device: community.crypto.luks_device:
device: /dev/asdfasdfasdf device: /dev/asdfasdfasdf
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true become: true
register: create_check register: create_check
- name: Create with invalid device name - name: Create with invalid device name
luks_device: community.crypto.luks_device:
device: /dev/asdfasdfasdf device: /dev/asdfasdfasdf
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -24,7 +24,7 @@
ignore_errors: true ignore_errors: true
become: true become: true
register: create register: create
- assert: - ansible.builtin.assert:
that: that:
- create_check is failed - create_check is failed
- create is failed - create is failed
@@ -32,7 +32,7 @@
- "'o such file or directory' in create.msg" - "'o such file or directory' in create.msg"
- name: Create with something which is not a device (check) - name: Create with something which is not a device (check)
luks_device: community.crypto.luks_device:
device: /tmp/ device: /tmp/
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -43,7 +43,7 @@
become: true become: true
register: create_check register: create_check
- name: Create with something which is not a device - name: Create with something which is not a device
luks_device: community.crypto.luks_device:
device: /tmp/ device: /tmp/
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
ignore_errors: true ignore_errors: true
become: true become: true
register: create register: create
- assert: - ansible.builtin.assert:
that: that:
- create_check is failed - create_check is failed
- create is failed - create is failed

60
tests/integration/targets/luks_device/tasks/tests/key-management.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile1 - name: Create with keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,36 +15,36 @@
# Access: keyfile1 # Access: keyfile1
- name: Try to open with keyfile1 - name: Try to open with keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Try to open with keyfile2 - name: Try to open with keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Give access to keyfile2 - name: Give access to keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -55,7 +55,7 @@
register: result_1 register: result_1
- name: Give access to keyfile2 (idempotent) - name: Give access to keyfile2 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -63,7 +63,7 @@
become: true become: true
register: result_2 register: result_2
- assert: - ansible.builtin.assert:
that: that:
- result_1 is changed - result_1 is changed
- result_2 is not changed - result_2 is not changed
@@ -71,28 +71,28 @@
# Access: keyfile1 and keyfile2 # Access: keyfile1 and keyfile2
- name: Try to open with keyfile2 - name: Try to open with keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Dump LUKS header - name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
- name: Remove access from keyfile1 - name: Remove access from keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -101,7 +101,7 @@
register: result_1 register: result_1
- name: Remove access from keyfile1 (idempotent) - name: Remove access from keyfile1 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -109,7 +109,7 @@
become: true become: true
register: result_2 register: result_2
- assert: - ansible.builtin.assert:
that: that:
- result_1 is changed - result_1 is changed
- result_2 is not changed - result_2 is not changed
@@ -117,40 +117,40 @@
# Access: keyfile2 # Access: keyfile2
- name: Try to open with keyfile1 - name: Try to open with keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Try to open with keyfile2 - name: Try to open with keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Dump LUKS header - name: Dump LUKS header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
- name: Remove access from keyfile2 - name: Remove access from keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -158,7 +158,7 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: remove_last_key register: remove_last_key
- assert: - ansible.builtin.assert:
that: that:
- remove_last_key is failed - remove_last_key is failed
- "'force_remove_last_key' in remove_last_key.msg" - "'force_remove_last_key' in remove_last_key.msg"
@@ -166,24 +166,24 @@
# Access: keyfile2 # Access: keyfile2
- name: Try to open with keyfile2 - name: Try to open with keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Remove access from keyfile2 - name: Remove access from keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -194,13 +194,13 @@
# Access: none # Access: none
- name: Try to open with keyfile2 - name: Try to open with keyfile2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed

26
tests/integration/targets/luks_device/tasks/tests/keyfile_binary_nocopy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keyfile3 - name: Create with keyfile3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ keyfile3 }}" passphrase: "{{ keyfile3 }}"
@@ -21,7 +21,7 @@
register: create_passphrase_1 register: create_passphrase_1
- name: Create with keyfile3 (without argon2i) - name: Create with keyfile3 (without argon2i)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ keyfile3 }}" passphrase: "{{ keyfile3 }}"
@@ -32,7 +32,7 @@
when: create_passphrase_1 is failed when: create_passphrase_1 is failed
- name: Open with keyfile3 - name: Open with keyfile3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ keyfile3 }}" passphrase: "{{ keyfile3 }}"
@@ -40,29 +40,29 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Try to open with passphrase1 - name: Try to open with passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Give access to passphrase1 - name: Give access to passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ keyfile3 }}" passphrase: "{{ keyfile3 }}"
@@ -73,7 +73,7 @@
become: true become: true
- name: Remove access for keyfile3 - name: Remove access for keyfile3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
remove_passphrase: "{{ keyfile3 }}" remove_passphrase: "{{ keyfile3 }}"
@@ -81,25 +81,25 @@
become: true become: true
- name: Try to open with keyfile3 - name: Try to open with keyfile3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ keyfile3 }}" passphrase: "{{ keyfile3 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Open with passphrase1 - name: Open with passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed

50
tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create luks with keyslot 4 (check) - name: Create luks with keyslot 4 (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true become: true
register: create_luks_slot4_check register: create_luks_slot4_check
- name: Create luks with keyslot 4 - name: Create luks with keyslot 4
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -25,7 +25,7 @@
become: true become: true
register: create_luks_slot4 register: create_luks_slot4
- name: Create luks with keyslot 4 (idempotent) - name: Create luks with keyslot 4 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -35,7 +35,7 @@
become: true become: true
register: create_luks_slot4_idem register: create_luks_slot4_idem
- name: Create luks with keyslot 4 (idempotent, check) - name: Create luks with keyslot 4 (idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -46,10 +46,10 @@
become: true become: true
register: create_luks_slot4_idem_check register: create_luks_slot4_idem_check
- name: Dump luks header - name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
register: luks_header_slot4 register: luks_header_slot4
- assert: - ansible.builtin.assert:
that: that:
- create_luks_slot4_check is changed - create_luks_slot4_check is changed
- create_luks_slot4 is changed - create_luks_slot4 is changed
@@ -58,7 +58,7 @@
- "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout" - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
- name: Add key in slot 2 (check) - name: Add key in slot 2 (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -70,7 +70,7 @@
become: true become: true
register: add_luks_slot2_check register: add_luks_slot2_check
- name: Add key in slot 2 - name: Add key in slot 2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -81,7 +81,7 @@
become: true become: true
register: add_luks_slot2 register: add_luks_slot2
- name: Add key in slot 2 (idempotent) - name: Add key in slot 2 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -92,7 +92,7 @@
become: true become: true
register: add_luks_slot2_idem register: add_luks_slot2_idem
- name: Add key in slot 2 (idempotent, check) - name: Add key in slot 2 (idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -104,10 +104,10 @@
become: true become: true
register: add_luks_slot2_idem_check register: add_luks_slot2_idem_check
- name: Dump luks header - name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
register: luks_header_slot2 register: luks_header_slot2
- assert: - ansible.builtin.assert:
that: that:
- add_luks_slot2_check is changed - add_luks_slot2_check is changed
- add_luks_slot2 is changed - add_luks_slot2 is changed
@@ -116,27 +116,27 @@
- "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout" - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
- name: Check remove slot 4 without key - name: Check remove slot 4 without key
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
remove_keyslot: 4 remove_keyslot: 4
ignore_errors: true ignore_errors: true
become: true become: true
register: kill_slot4_nokey register: kill_slot4_nokey
- name: Check remove slot 4 with slot 4 key - name: Check remove slot 4 with slot 4 key
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
remove_keyslot: 4 remove_keyslot: 4
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
ignore_errors: true ignore_errors: true
become: true become: true
register: kill_slot4_key_slot4 register: kill_slot4_key_slot4
- assert: - ansible.builtin.assert:
that: that:
- kill_slot4_nokey is failed - kill_slot4_nokey is failed
- kill_slot4_key_slot4 is failed - kill_slot4_key_slot4 is failed
- name: Remove key in slot 4 (check) - name: Remove key in slot 4 (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4 remove_keyslot: 4
@@ -144,21 +144,21 @@
become: true become: true
register: kill_luks_slot4_check register: kill_luks_slot4_check
- name: Remove key in slot 4 - name: Remove key in slot 4
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4 remove_keyslot: 4
become: true become: true
register: kill_luks_slot4 register: kill_luks_slot4
- name: Remove key in slot 4 (idempotent) - name: Remove key in slot 4 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4 remove_keyslot: 4
become: true become: true
register: kill_luks_slot4_idem register: kill_luks_slot4_idem
- name: Remove key in slot 4 (idempotent) - name: Remove key in slot 4 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 4 remove_keyslot: 4
@@ -166,10 +166,10 @@
become: true become: true
register: kill_luks_slot4_idem_check register: kill_luks_slot4_idem_check
- name: Dump luks header - name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
register: luks_header_slot4_removed register: luks_header_slot4_removed
- assert: - ansible.builtin.assert:
that: that:
- kill_luks_slot4_check is changed - kill_luks_slot4_check is changed
- kill_luks_slot4 is changed - kill_luks_slot4 is changed
@@ -178,7 +178,7 @@
- "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout" - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
- name: Add key in slot 0 - name: Add key in slot 0
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
@@ -189,17 +189,17 @@
become: true become: true
register: add_luks_slot0 register: add_luks_slot0
- name: Remove key in slot 0 - name: Remove key in slot 0
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
keyfile: "{{ remote_tmp_dir }}/keyfile2" keyfile: "{{ remote_tmp_dir }}/keyfile2"
remove_keyslot: 0 remove_keyslot: 0
become: true become: true
register: kill_luks_slot0 register: kill_luks_slot0
- name: Dump luks header - name: Dump luks header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
register: luks_header_slot0_removed register: luks_header_slot0_removed
- assert: - ansible.builtin.assert:
that: that:
- add_luks_slot0 is changed - add_luks_slot0 is changed
- kill_luks_slot0 is changed - kill_luks_slot0 is changed

8
tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create new luks - name: Create new luks
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -12,7 +12,7 @@
iteration_time: 0.1 iteration_time: 0.1
become: true become: true
- name: Add new keyslot with same keyfile (check) - name: Add new keyslot with same keyfile (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
new_keyslot: 1 new_keyslot: 1
@@ -23,7 +23,7 @@
check_mode: true check_mode: true
register: keyslot_duplicate_check register: keyslot_duplicate_check
- name: Add new keyslot with same keyfile - name: Add new keyslot with same keyfile
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
new_keyslot: 1 new_keyslot: 1
@@ -32,7 +32,7 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: keyslot_duplicate register: keyslot_duplicate
- assert: - ansible.builtin.assert:
that: that:
- keyslot_duplicate_check is failed - keyslot_duplicate_check is failed
- "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg" - "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"

16
tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Check invalid slot (luks1, 8) - name: Check invalid slot (luks1, 8)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
type: luks1 type: luks1
@@ -16,7 +16,7 @@
become: true become: true
register: create_luks1_slot8 register: create_luks1_slot8
- name: Check invalid slot (luks2, 32) - name: Check invalid slot (luks2, 32)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
type: luks2 type: luks2
@@ -28,7 +28,7 @@
become: true become: true
register: create_luks2_slot32 register: create_luks2_slot32
- name: Check invalid slot (no luks type, 8) - name: Check invalid slot (no luks type, 8)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -38,14 +38,14 @@
ignore_errors: true ignore_errors: true
become: true become: true
register: create_luks_slot8 register: create_luks_slot8
- assert: - ansible.builtin.assert:
that: that:
- create_luks1_slot8 is failed - create_luks1_slot8 is failed
- create_luks2_slot32 is failed - create_luks2_slot32 is failed
- create_luks_slot8 is failed - create_luks_slot8 is failed
- name: Check valid slot (luks2, 8) - name: Check valid slot (luks2, 8)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
type: luks2 type: luks2
@@ -57,12 +57,12 @@
ignore_errors: true ignore_errors: true
register: create_luks2_slot8 register: create_luks2_slot8
- name: Make sure that the previous task only fails if LUKS2 is not supported - name: Make sure that the previous task only fails if LUKS2 is not supported
assert: ansible.builtin.assert:
that: that:
- "'Unknown option --type' in create_luks2_slot8.msg" - "'Unknown option --type' in create_luks2_slot8.msg"
when: create_luks2_slot8 is failed when: create_luks2_slot8 is failed
- name: Check add valid slot (no luks type, 10) - name: Check add valid slot (no luks type, 10)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -73,7 +73,7 @@
become: true become: true
register: create_luks_slot10 register: create_luks_slot10
when: create_luks2_slot8 is changed when: create_luks2_slot8 is changed
- assert: - ansible.builtin.assert:
that: that:
- create_luks_slot10 is changed - create_luks_slot10 is changed
when: create_luks2_slot8 is changed when: create_luks2_slot8 is changed

10
tests/integration/targets/luks_device/tasks/tests/options.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with keysize - name: Create with keysize
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -15,7 +15,7 @@
become: true become: true
register: create_with_keysize register: create_with_keysize
- name: Create with keysize (idempotent) - name: Create with keysize (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -26,7 +26,7 @@
become: true become: true
register: create_idem_with_keysize register: create_idem_with_keysize
- name: Create with different keysize (idempotent since we do not update keysize) - name: Create with different keysize (idempotent since we do not update keysize)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true become: true
register: create_idem_with_diff_keysize register: create_idem_with_diff_keysize
- name: Create with ambiguous arguments - name: Create with ambiguous arguments
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -49,7 +49,7 @@
become: true become: true
register: create_with_ambiguous register: create_with_ambiguous
- assert: - ansible.builtin.assert:
that: that:
- create_with_keysize is changed - create_with_keysize is changed
- create_idem_with_keysize is not changed - create_idem_with_keysize is not changed

70
tests/integration/targets/luks_device/tasks/tests/passphrase.yml
View File

@@ -4,7 +4,7 @@
# SPDX-License-Identifier: GPL-3.0-or-later # SPDX-License-Identifier: GPL-3.0-or-later
- name: Create with passphrase1 - name: Create with passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -20,13 +20,13 @@
register: create_passphrase_1 register: create_passphrase_1
- name: Make sure that the previous task only fails if LUKS2 is not supported - name: Make sure that the previous task only fails if LUKS2 is not supported
assert: ansible.builtin.assert:
that: that:
- "'Unknown option --type' in create_passphrase_1.msg" - "'Unknown option --type' in create_passphrase_1.msg"
when: create_passphrase_1 is failed when: create_passphrase_1 is failed
- name: Create with passphrase1 (without argon2i) - name: Create with passphrase1 (without argon2i)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -36,7 +36,7 @@
when: create_passphrase_1 is failed when: create_passphrase_1 is failed
- name: Open with passphrase1 - name: Open with passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
# Encode passphrase with Base64 to test passphrase_encoding # Encode passphrase with Base64 to test passphrase_encoding
@@ -45,17 +45,17 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Give access with ambiguous new_ arguments - name: Give access with ambiguous new_ arguments
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -66,24 +66,24 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: new_try register: new_try
- assert: - ansible.builtin.assert:
that: that:
- new_try is failed - new_try is failed
- name: Try to open with passphrase2 - name: Try to open with passphrase2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase2 }}" passphrase: "{{ cryptfile_passphrase2 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Give access to passphrase2 - name: Give access to passphrase2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -94,7 +94,7 @@
register: result_1 register: result_1
- name: Give access to passphrase2 (idempotent) - name: Give access to passphrase2 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -102,42 +102,42 @@
become: true become: true
register: result_2 register: result_2
- assert: - ansible.builtin.assert:
that: that:
- result_1 is changed - result_1 is changed
- result_2 is not changed - result_2 is not changed
- name: Open with passphrase2 - name: Open with passphrase2
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase2 }}" passphrase: "{{ cryptfile_passphrase2 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Try to open with keyfile1 - name: Try to open with keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Give access to keyfile1 from passphrase1 - name: Give access to keyfile1 from passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
@@ -147,7 +147,7 @@
become: true become: true
- name: Remove access with ambiguous remove_ arguments - name: Remove access with ambiguous remove_ arguments
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
remove_keyfile: "{{ remote_tmp_dir }}/keyfile1" remove_keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -155,29 +155,29 @@
become: true become: true
ignore_errors: true ignore_errors: true
register: remove_try register: remove_try
- assert: - ansible.builtin.assert:
that: that:
- remove_try is failed - remove_try is failed
- name: Open with keyfile1 - name: Open with keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true
- name: Remove access for passphrase1 - name: Remove access for passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}" remove_passphrase: "{{ cryptfile_passphrase1 }}"
@@ -185,44 +185,44 @@
register: result_1 register: result_1
- name: Remove access for passphrase1 (idempotent) - name: Remove access for passphrase1 (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
remove_passphrase: "{{ cryptfile_passphrase1 }}" remove_passphrase: "{{ cryptfile_passphrase1 }}"
become: true become: true
register: result_2 register: result_2
- assert: - ansible.builtin.assert:
that: that:
- result_1 is changed - result_1 is changed
- result_2 is not changed - result_2 is not changed
- name: Try to open with passphrase1 - name: Try to open with passphrase1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase1 }}" passphrase: "{{ cryptfile_passphrase1 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Try to open with passphrase3 - name: Try to open with passphrase3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase3 }}" passphrase: "{{ cryptfile_passphrase3 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is failed - open_try is failed
- name: Give access to passphrase3 from keyfile1 - name: Give access to passphrase3 from keyfile1
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -232,18 +232,18 @@
become: true become: true
- name: Open with passphrase3 - name: Open with passphrase3
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
passphrase: "{{ cryptfile_passphrase3 }}" passphrase: "{{ cryptfile_passphrase3 }}"
become: true become: true
ignore_errors: true ignore_errors: true
register: open_try register: open_try
- assert: - ansible.builtin.assert:
that: that:
- open_try is not failed - open_try is not failed
- name: Close - name: Close
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: closed state: closed
become: true become: true

20
tests/integration/targets/luks_device/tasks/tests/performance.yml
View File

@@ -6,7 +6,7 @@
- name: On kernel >= 5.9 use performance flags - name: On kernel >= 5.9 use performance flags
block: block:
- name: Create and open (check) - name: Create and open (check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -22,7 +22,7 @@
become: true become: true
register: create_open_check register: create_open_check
- name: Create and open - name: Create and open
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -37,7 +37,7 @@
become: true become: true
register: create_open register: create_open
- name: Create and open (idempotent) - name: Create and open (idempotent)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: opened state: opened
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -52,7 +52,7 @@
become: true become: true
register: create_open_idem register: create_open_idem
- name: Create and open (idempotent, check) - name: Create and open (idempotent, check)
luks_device: community.crypto.luks_device:
device: "{{ cryptfile_device }}" device: "{{ cryptfile_device }}"
state: present state: present
keyfile: "{{ remote_tmp_dir }}/keyfile1" keyfile: "{{ remote_tmp_dir }}/keyfile1"
@@ -67,7 +67,7 @@
check_mode: true check_mode: true
become: true become: true
register: create_open_idem_check register: create_open_idem_check
- assert: - ansible.builtin.assert:
that: that:
- create_open_check is changed - create_open_check is changed
- create_open is changed - create_open is changed
@@ -75,10 +75,10 @@
- create_open_idem_check is not changed - create_open_idem_check is not changed
- name: Dump LUKS Header - name: Dump LUKS Header
command: "cryptsetup luksDump {{ cryptfile_device }}" ansible.builtin.command: "cryptsetup luksDump {{ cryptfile_device }}"
become: true become: true
register: luks_header register: luks_header
- assert: - ansible.builtin.assert:
that: that:
- "'no-read-workqueue' in luks_header.stdout" - "'no-read-workqueue' in luks_header.stdout"
- "'no-write-workqueue' in luks_header.stdout" - "'no-write-workqueue' in luks_header.stdout"
@@ -87,10 +87,10 @@
- "'allow-discards' in luks_header.stdout" - "'allow-discards' in luks_header.stdout"
- name: Dump device mapper table - name: Dump device mapper table
command: "dmsetup table {{ create_open.name }}" ansible.builtin.command: "dmsetup table {{ create_open.name }}"
become: true become: true
register: dm_table register: dm_table
- assert: - ansible.builtin.assert:
that: that:
- "'no_read_workqueue' in dm_table.stdout" - "'no_read_workqueue' in dm_table.stdout"
- "'no_write_workqueue' in dm_table.stdout" - "'no_write_workqueue' in dm_table.stdout"
@@ -99,7 +99,7 @@
- "'allow_discards' in dm_table.stdout" - "'allow_discards' in dm_table.stdout"
- name: Closed and Removed - name: Closed and Removed
luks_device: community.crypto.luks_device:
name: "{{ cryptfile_device }}" name: "{{ cryptfile_device }}"
state: absent state: absent
become: true become: true

18
tests/integration/targets/openssh_cert/tasks/main.yml
View File

@@ -9,39 +9,39 @@
#################################################################### ####################################################################
- name: Declare global variables - name: Declare global variables
set_fact: ansible.builtin.set_fact:
signing_key: '{{ remote_tmp_dir }}/id_key' signing_key: '{{ remote_tmp_dir }}/id_key'
public_key: '{{ remote_tmp_dir }}/id_key.pub' public_key: '{{ remote_tmp_dir }}/id_key.pub'
certificate_path: '{{ remote_tmp_dir }}/id_cert' certificate_path: '{{ remote_tmp_dir }}/id_cert'
- name: Generate keypair - name: Generate keypair
openssh_keypair: community.crypto.openssh_keypair:
path: "{{ signing_key }}" path: "{{ signing_key }}"
type: rsa type: rsa
size: 1024 size: 1024
- block: - block:
- name: Import idempotency tests - name: Import idempotency tests
import_tasks: ../tests/idempotency.yml ansible.builtin.import_tasks: ../tests/idempotency.yml
- name: Import key_idempotency tests - name: Import key_idempotency tests
import_tasks: ../tests/key_idempotency.yml ansible.builtin.import_tasks: ../tests/key_idempotency.yml
- name: Import options tests - name: Import options tests
import_tasks: ../tests/options_idempotency.yml ansible.builtin.import_tasks: ../tests/options_idempotency.yml
- name: Import regenerate tests - name: Import regenerate tests
import_tasks: ../tests/regenerate.yml ansible.builtin.import_tasks: ../tests/regenerate.yml
- name: Import remove tests - name: Import remove tests
import_tasks: ../tests/remove.yml ansible.builtin.import_tasks: ../tests/remove.yml
when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
- name: Import ssh-agent tests - name: Import ssh-agent tests
import_tasks: ../tests/ssh-agent.yml ansible.builtin.import_tasks: ../tests/ssh-agent.yml
when: openssh_version is version("7.6",">=") when: openssh_version is version("7.6",">=")
- name: Remove keypair - name: Remove keypair
openssh_keypair: community.crypto.openssh_keypair:
path: "{{ signing_key }}" path: "{{ signing_key }}"
state: absent state: absent

8
tests/integration/targets/openssh_cert/tests/idempotency.yml
View File

@@ -8,7 +8,7 @@
# and should not be used as examples of how to write Ansible roles # # and should not be used as examples of how to write Ansible roles #
#################################################################### ####################################################################
- set_fact: - ansible.builtin.set_fact:
test_cases: test_cases:
- test_name: Generate cert - force option (check_mode) - test_name: Generate cert - force option (check_mode)
force: true force: true
@@ -253,7 +253,7 @@
changed: true changed: true
- name: Execute idempotency tests - name: Execute idempotency tests
openssh_cert: community.crypto.openssh_cert:
force: "{{ test_case.force | default(omit) }}" force: "{{ test_case.force | default(omit) }}"
identifier: "{{ test_case.identifier | default(omit) }}" identifier: "{{ test_case.identifier | default(omit) }}"
options: "{{ test_case.options | default(omit) }}" options: "{{ test_case.options | default(omit) }}"
@@ -275,7 +275,7 @@
loop_var: test_case loop_var: test_case
- name: Assert task statuses - name: Assert task statuses
assert: ansible.builtin.assert:
that: that:
- result.changed == test_cases[index].changed - result.changed == test_cases[index].changed
loop: "{{ idempotency_test_output.results }}" loop: "{{ idempotency_test_output.results }}"
@@ -284,6 +284,6 @@
loop_var: result loop_var: result
- name: Remove certificate - name: Remove certificate
openssh_cert: community.crypto.openssh_cert:
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
state: absent state: absent

38
tests/integration/targets/openssh_cert/tests/key_idempotency.yml
View File

@@ -8,16 +8,16 @@
# and should not be used as examples of how to write Ansible roles # # and should not be used as examples of how to write Ansible roles #
#################################################################### ####################################################################
- set_fact: - ansible.builtin.set_fact:
new_signing_key: "{{ remote_tmp_dir }}/new_key" new_signing_key: "{{ remote_tmp_dir }}/new_key"
new_public_key: "{{ remote_tmp_dir }}/new_key.pub" new_public_key: "{{ remote_tmp_dir }}/new_key.pub"
- name: Generate new test key - name: Generate new test key
openssh_keypair: community.crypto.openssh_keypair:
path: "{{ new_signing_key }}" path: "{{ new_signing_key }}"
- name: Generate cert with original keys - name: Generate cert with original keys
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -27,7 +27,7 @@
- block: - block:
- name: Generate cert with updated signature algorithm - name: Generate cert with updated signature algorithm
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -38,12 +38,12 @@
register: updated_signature_algorithm register: updated_signature_algorithm
- name: Assert signature algorithm update causes change - name: Assert signature algorithm update causes change
assert: ansible.builtin.assert:
that: that:
- updated_signature_algorithm is changed - updated_signature_algorithm is changed
- name: Generate cert with updated signature algorithm (idempotent) - name: Generate cert with updated signature algorithm (idempotent)
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -54,13 +54,13 @@
register: updated_signature_algorithm_idempotent register: updated_signature_algorithm_idempotent
- name: Assert signature algorithm update is idempotent - name: Assert signature algorithm update is idempotent
assert: ansible.builtin.assert:
that: that:
- updated_signature_algorithm_idempotent is not changed - updated_signature_algorithm_idempotent is not changed
- block: - block:
- name: Generate cert with original signature algorithm - name: Generate cert with original signature algorithm
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -71,7 +71,7 @@
register: second_signature_algorithm register: second_signature_algorithm
- name: Assert second signature algorithm update causes change - name: Assert second signature algorithm update causes change
assert: ansible.builtin.assert:
that: that:
- second_signature_algorithm is changed - second_signature_algorithm is changed
# RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error. # RHEL9, Fedora 41 and Rocky 9 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
@@ -81,7 +81,7 @@
- not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41) - not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)
- name: Omit signature algorithm - name: Omit signature algorithm
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -91,12 +91,12 @@
register: omitted_signature_algorithm register: omitted_signature_algorithm
- name: Assert omitted_signature_algorithm does not cause change - name: Assert omitted_signature_algorithm does not cause change
assert: ansible.builtin.assert:
that: that:
- omitted_signature_algorithm is not changed - omitted_signature_algorithm is not changed
- name: Revert to original certificate - name: Revert to original certificate
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -107,7 +107,7 @@
when: openssh_version is version("7.3", ">=") when: openssh_version is version("7.3", ">=")
- name: Generate cert with new signing key - name: Generate cert with new signing key
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: new_signing_key_output register: new_signing_key_output
- name: Generate cert with new public key - name: Generate cert with new public key
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}" public_key: "{{ new_public_key }}"
@@ -127,7 +127,7 @@
register: new_public_key_output register: new_public_key_output
- name: Generate cert with new signing key - full idempotency - name: Generate cert with new signing key - full idempotency
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -138,7 +138,7 @@
register: new_signing_key_full_idempotency_output register: new_signing_key_full_idempotency_output
- name: Generate cert with new pubic key - full idempotency - name: Generate cert with new pubic key - full idempotency
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ new_public_key }}" public_key: "{{ new_public_key }}"
@@ -149,7 +149,7 @@
register: new_public_key_full_idempotency_output register: new_public_key_full_idempotency_output
- name: Assert changes to public key or signing key results in no change unless idempotency=full - name: Assert changes to public key or signing key results in no change unless idempotency=full
assert: ansible.builtin.assert:
that: that:
- new_signing_key_output is not changed - new_signing_key_output is not changed
- new_public_key_output is not changed - new_public_key_output is not changed
@@ -157,11 +157,11 @@
- new_public_key_full_idempotency_output is changed - new_public_key_full_idempotency_output is changed
- name: Remove certificate - name: Remove certificate
openssh_cert: community.crypto.openssh_cert:
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
state: absent state: absent
- name: Remove new keypair - name: Remove new keypair
openssh_keypair: community.crypto.openssh_keypair:
path: "{{ new_signing_key }}" path: "{{ new_signing_key }}"
state: absent state: absent

28
tests/integration/targets/openssh_cert/tests/options_idempotency.yml
View File

@@ -9,7 +9,7 @@
#################################################################### ####################################################################
- name: Generate cert with no options - name: Generate cert with no options
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -22,7 +22,7 @@
register: no_options register: no_options
- name: Generate cert with no options with explicit directives - name: Generate cert with no options with explicit directives
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -39,7 +39,7 @@
register: no_options_explicit_directives register: no_options_explicit_directives
- name: Generate cert with explicit extension - name: Generate cert with explicit extension
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -53,7 +53,7 @@
register: explicit_extension_before register: explicit_extension_before
- name: Generate cert with explicit extension (idempotency) - name: Generate cert with explicit extension (idempotency)
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -67,7 +67,7 @@
register: explicit_extension_after register: explicit_extension_after
- name: Generate cert with explicit extension and corresponding directive - name: Generate cert with explicit extension and corresponding directive
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -81,7 +81,7 @@
register: explicit_extension_and_directive register: explicit_extension_and_directive
- name: Generate cert with default options - name: Generate cert with default options
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -92,7 +92,7 @@
register: default_options register: default_options
- name: Generate cert with relative timestamp - name: Generate cert with relative timestamp
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -104,7 +104,7 @@
register: relative_timestamp register: relative_timestamp
- name: Generate cert with ignore_timestamp true - name: Generate cert with ignore_timestamp true
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -117,7 +117,7 @@
register: relative_timestamp_true register: relative_timestamp_true
- name: Generate cert with ignore_timestamp false - name: Generate cert with ignore_timestamp false
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -130,7 +130,7 @@
register: relative_timestamp_false register: relative_timestamp_false
- name: Generate cert with ignore_timestamp true - name: Generate cert with ignore_timestamp true
openssh_cert: community.crypto.openssh_cert:
type: user type: user
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -143,7 +143,7 @@
register: relative_timestamp_invalid_at register: relative_timestamp_invalid_at
- name: Generate host cert full_idempotence - name: Generate host cert full_idempotence
openssh_cert: community.crypto.openssh_cert:
type: host type: host
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -153,7 +153,7 @@
regenerate: full_idempotence regenerate: full_idempotence
- name: Generate host cert full_idempotence again - name: Generate host cert full_idempotence again
openssh_cert: community.crypto.openssh_cert:
type: host type: host
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
public_key: "{{ public_key }}" public_key: "{{ public_key }}"
@@ -164,7 +164,7 @@
register: host_cert_full_idempotence register: host_cert_full_idempotence
- name: Assert options results - name: Assert options results
assert: ansible.builtin.assert:
that: that:
- no_options is changed - no_options is changed
- no_options_explicit_directives is not changed - no_options_explicit_directives is not changed
@@ -179,6 +179,6 @@
- host_cert_full_idempotence is not changed - host_cert_full_idempotence is not changed
- name: Remove certificate - name: Remove certificate
openssh_cert: community.crypto.openssh_cert:
path: "{{ certificate_path }}" path: "{{ certificate_path }}"
state: absent state: absent

Some files were not shown because too many files have changed in this diff Show More