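---
####################################################################
# WARNING: These are designed specifically for Ansible tests      #
# and should not be used as examples of how to write Ansible roles #
####################################################################

## Verify that integration_config was specified
# Every variable checked here is expected to come from the integration
# config; without them the ECS API endpoint cannot be reached at all.
- block:
    - assert:
        that:
          - entrust_api_user is defined
          - entrust_api_key is defined
          - entrust_api_ip_address is defined
          - entrust_cloud_ip_address is defined
          # The client certificate and its key may each be supplied either
          # as a path or as inline contents.
          - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined
          # The key check used to omit "is defined" on the second alternative
          # (unlike the certificate check above), so it tested the truthiness
          # of the contents and, when neither variable was set, raised an
          # undefined-variable error instead of a clean assertion failure.
          - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents is defined
          - cacerts_bundle_path_local is defined
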
## SET UP TEST ENVIRONMENT ########################################################################
# The trailing slash on src copies the directory contents (the QA CA
# certificates) into dest rather than the directory itself.
- name: copy the files needed for verifying test server certificate to the host
  copy:
    dest: "{{ cacerts_bundle_path }}"
    src: "{{ cacerts_bundle_path_local }}/"

# Rebuild the hash symlinks in the bundle directory so OpenSSL can look up
# the freshly copied QA CA certificates by subject hash.
# NOTE(review): this is a plain `command`, so it reports "changed" on every
# run; acceptable in a test fixture.
- name: Update the CA certificates for our QA certs (collection may need updating if new QA environments used)
  command: "c_rehash {{ cacerts_bundle_path }}"

# Pin the ECS API hostname to the test endpoint address. The dots in the
# regexp are unescaped, so any existing line ending in "api.entrust.net"
# (with any character in place of the dots) is the one that gets replaced.
- name: Update hosts file
  lineinfile:
    path: /etc/hosts
    regexp: "api.entrust.net$"
    line: "{{ entrust_api_ip_address }} api.entrust.net"
    state: present

# Same treatment for the ECS cloud hostname; regexp is anchored only at the
# end of the line, and its dots are unescaped.
- name: Update hosts file
  lineinfile:
    path: /etc/hosts
    regexp: "cloud.entrust.net$"
    line: "{{ entrust_cloud_ip_address }} cloud.entrust.net"
    state: present

# Start from a clean slate: remove any leftovers from a previous run before
# the API client credentials are copied in below.
- name: Clear out the temporary directory for storing the API connection information
  file:
    state: absent
    path: "{{ tmpdir_path }}"

# NOTE(review): no `mode` is set, so this directory (which will hold the
# API client certificate and its private key) gets umask-derived default
# permissions; on a shared test host a restrictive mode would be safer.
- name: Create a directory for storing the API connection Information
  file:
    state: directory
    path: "{{ tmpdir_path }}"

# Client certificate used for mutual TLS against the ECS API.
- name: Copy the files needed for the connection to entrust API to the host
  copy:
    dest: "{{ entrust_api_cert }}"
    src: "{{ entrust_api_client_cert_path }}"

# Private key for the client certificate. NOTE(review): copied without an
# explicit `mode`, so it inherits the default file permissions on the host;
# the always: block at the end of this file removes the directory again.
- name: Copy the files needed for the connection to entrust API to the host
  copy:
    dest: "{{ entrust_api_cert_key }}"
    src: "{{ entrust_api_client_cert_key_path }}"

## SETUP CSR TO REQUEST
# Passphrase-protected 2048-bit RSA key; `cipher: auto` leaves the choice of
# key-encryption cipher to the module (see its documentation).
- name: Generate a 2048 bit RSA private key
  openssl_privatekey:
    path: "{{ privatekey_path }}"
    type: RSA
    size: 2048
    cipher: auto
    passphrase: "{{ privatekey_passphrase }}"

# CSR signed with the key above. The subject fields other than common_name
# are optional in the integration config: `default(omit)` drops them from
# the module call when they are not set.
- name: Generate a certificate signing request using the generated key
  openssl_csr:
    path: "{{ csr_path }}"
    digest: sha256
    privatekey_path: "{{ privatekey_path }}"
    privatekey_passphrase: "{{ privatekey_passphrase }}"
    common_name: "{{ common_name }}"
    organization_name: "{{ organization_name | default(omit) }}"
    organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
    country_name: "{{ country_name | default(omit) }}"
    state_or_province_name: "{{ state_or_province_name | default(omit) }}"

# All API-facing tests run inside one block so the `always:` section can
# remove the temporary credential directory whatever the outcome.
- block:
    # Initial issuance: a fresh request from the CSR generated above.
    # NOTE(review): entrust_api_key is passed as a plain module argument;
    # keeping it out of task output relies on the module marking that
    # parameter no_log — confirm against the module's argument spec.
    - name: Have ECS generate a signed certificate
      ecs_certificate:
        backup: true
        csr: "{{ csr_path }}"
        cert_type: "{{ example1_cert_type }}"
        path: "{{ example1_cert_path }}"
        full_chain_path: "{{ example1_chain_path }}"
        requester_name: "{{ entrust_requester_name }}"
        requester_email: "{{ entrust_requester_email }}"
        requester_phone: "{{ entrust_requester_phone }}"
        entrust_api_user: "{{ entrust_api_user }}"
        entrust_api_key: "{{ entrust_api_key }}"
        entrust_api_client_cert_path: "{{ entrust_api_cert }}"
        entrust_api_client_cert_key_path: "{{ entrust_api_cert_key }}"
      register: example1_result

    - assert:
        that:
          - example1_result is not failed
          - example1_result.changed
          - example1_result.tracking_id > 0
          - example1_result.serial_number is string

    # Internal CA refuses to issue certificates with the same DN in a short time frame
    - name: Sleep for 5 seconds so we don't run into duplicate-request errors
      pause:
        seconds: 5

    # Idempotence: identical request while the issued certificate is still
    # valid must be a no-op, and must not create backup files.
    - name: Attempt to have ECS generate a signed certificate, but existing one is valid
      ecs_certificate:
        backup: true
        csr: "{{ csr_path }}"
        cert_type: "{{ example1_cert_type }}"
        path: "{{ example1_cert_path }}"
        full_chain_path: "{{ example1_chain_path }}"
        requester_name: "{{ entrust_requester_name }}"
        requester_email: "{{ entrust_requester_email }}"
        requester_phone: "{{ entrust_requester_phone }}"
        entrust_api_user: "{{ entrust_api_user }}"
        entrust_api_key: "{{ entrust_api_key }}"
        entrust_api_client_cert_path: "{{ entrust_api_cert }}"
        entrust_api_client_cert_key_path: "{{ entrust_api_cert_key }}"
      register: example2_result

    - assert:
        that:
          - example2_result is not failed
          - not example2_result.changed
          - example2_result.backup_file is undefined
          - example2_result.backup_full_chain_file is undefined
          - example2_result.serial_number == example1_result.serial_number
          - example2_result.tracking_id == example1_result.tracking_id

    # Internal CA refuses to issue certificates with the same DN in a short time frame
    - name: Sleep for 5 seconds so we don't run into duplicate-request errors
      pause:
        seconds: 5

    # Forced reissue without a CSR: the on-disk certificate and chain must
    # be replaced (new serial and tracking id) and backed up first.
    - name: Force a reissue with no CSR, verify that contents changed
      ecs_certificate:
        backup: true
        force: true
        request_type: reissue
        cert_type: "{{ example1_cert_type }}"
        path: "{{ example1_cert_path }}"
        full_chain_path: "{{ example1_chain_path }}"
        requester_name: "{{ entrust_requester_name }}"
        requester_email: "{{ entrust_requester_email }}"
        requester_phone: "{{ entrust_requester_phone }}"
        entrust_api_user: "{{ entrust_api_user }}"
        entrust_api_key: "{{ entrust_api_key }}"
        entrust_api_client_cert_path: "{{ entrust_api_cert }}"
        entrust_api_client_cert_key_path: "{{ entrust_api_cert_key }}"
      register: example3_result

    - assert:
        that:
          - example3_result is not failed
          - example3_result.changed
          - example3_result.backup_file is string
          - example3_result.backup_full_chain_file is string
          - example3_result.tracking_id > 0
          - example3_result.tracking_id != example1_result.tracking_id
          - example3_result.serial_number != example1_result.serial_number

    # Internal CA refuses to issue certificates with the same DN in a short time frame
    - name: Sleep for 5 seconds so we don't run into duplicate-request errors
      pause:
        seconds: 5

    # Exercise every optional request field at once, writing to separate
    # example4_* output paths so the example1 files are left untouched.
    - name: Test a request with all of the various optional possible fields populated
      ecs_certificate:
        csr: "{{ csr_path }}"
        cert_type: "{{ example4_cert_type }}"
        path: "{{ example4_cert_path }}"
        full_chain_path: "{{ example4_full_chain_path }}"
        subject_alt_name: "{{ example4_subject_alt_name }}"
        eku: "{{ example4_eku }}"
        ct_log: true
        org: "{{ example4_org }}"
        ou: "{{ example4_ou }}"
        tracking_info: "{{ example4_tracking_info }}"
        additional_emails: "{{ example4_additional_emails }}"
        custom_fields: "{{ example4_custom_fields }}"
        cert_expiry: "{{ example4_cert_expiry }}"
        requester_name: "{{ entrust_requester_name }}"
        requester_email: "{{ entrust_requester_email }}"
        requester_phone: "{{ entrust_requester_phone }}"
        entrust_api_user: "{{ entrust_api_user }}"
        entrust_api_key: "{{ entrust_api_key }}"
        entrust_api_client_cert_path: "{{ entrust_api_cert }}"
        entrust_api_client_cert_key_path: "{{ entrust_api_cert_key }}"
      register: example4_result

    - assert:
        that:
          - example4_result is not failed
          - example4_result.changed
          - example4_result.backup_file is undefined
          - example4_result.backup_full_chain_file is undefined
          - example4_result.tracking_id > 0
          - example4_result.serial_number is string

    # For bug 61738, verify that the full chain is valid
    # No -CAfile/-CApath is given, so `openssl verify` presumably resolves the
    # chain through the default trust path that c_rehash populated earlier.
    - name: Verify that the full chain path can be successfully imported
      command: "{{ openssl_binary }} verify \"{{ example4_full_chain_path }}\""
      register: openssl_result

    - assert:
        that:
          - "' OK' in openssl_result.stdout_lines[0]"

  always:
    # Remove the copied API client certificate and private key regardless of
    # how the block ended.
    - name: clean-up temporary folder
      file:
        state: absent
        path: "{{ tmpdir_path }}"