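---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

####################################################################
# WARNING: These are designed specifically for Ansible tests      #
# and should not be used as examples of how to write Ansible roles #
####################################################################

# Idempotency checks for openssh_cert: which changes to the certificate's
# inputs (signature algorithm, signing key, public key) are reported as a
# change, and which are only detected with regenerate=full_idempotence.
# certificate_path, public_key, signing_key, remote_tmp_dir and
# openssh_version are not defined here — presumably provided by the
# calling play.

- name: Set paths for the temporary replacement keypair
  set_fact:
    new_signing_key: "{{ remote_tmp_dir }}/new_key"
    new_public_key: "{{ remote_tmp_dir }}/new_key.pub"

- name: Generate new test key
  openssh_keypair:
    path: "{{ new_signing_key }}"

# Baseline certificate; every later task re-signs the same certificate_path.
- name: Generate cert with original keys
  openssh_cert:
    type: user
    path: "{{ certificate_path }}"
    public_key: "{{ public_key }}"
    signing_key: "{{ signing_key }}"
    valid_from: always
    valid_to: forever

# Signature-algorithm handling; the block-level `when` at the end skips this
# whole section on OpenSSH releases older than 7.3, where signature_algorithm
# is not supported.
- block:
    - name: Generate cert with updated signature algorithm
      openssh_cert:
        type: user
        path: "{{ certificate_path }}"
        public_key: "{{ public_key }}"
        signing_key: "{{ signing_key }}"
        signature_algorithm: rsa-sha2-256
        valid_from: always
        valid_to: forever
      register: updated_signature_algorithm

    - name: Assert signature algorithm update causes change
      assert:
        that:
          - updated_signature_algorithm is changed

    - name: Generate cert with updated signature algorithm (idempotent)
      openssh_cert:
        type: user
        path: "{{ certificate_path }}"
        public_key: "{{ public_key }}"
        signing_key: "{{ signing_key }}"
        signature_algorithm: rsa-sha2-256
        valid_from: always
        valid_to: forever
      register: updated_signature_algorithm_idempotent

    - name: Assert signature algorithm update is idempotent
      assert:
        that:
          - updated_signature_algorithm_idempotent is not changed

    # ssh-rsa signatures use SHA-1. RHEL 9 disables SHA-1 algorithms by
    # default, making this test fail with a 'libcrypt' error; other systems
    # that impose a similar restriction may also need to skip this block in
    # the future.
    - block:
        - name: Generate cert with original signature algorithm
          openssh_cert:
            type: user
            path: "{{ certificate_path }}"
            public_key: "{{ public_key }}"
            signing_key: "{{ signing_key }}"
            signature_algorithm: ssh-rsa
            valid_from: always
            valid_to: forever
          register: second_signature_algorithm

        - name: Assert second signature algorithm update causes change
          assert:
            that:
              - second_signature_algorithm is changed
      when: not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)

    # Leaving signature_algorithm out must not force a re-sign.
    - name: Omit signature algorithm
      openssh_cert:
        type: user
        path: "{{ certificate_path }}"
        public_key: "{{ public_key }}"
        signing_key: "{{ signing_key }}"
        valid_from: always
        valid_to: forever
      register: omitted_signature_algorithm

    - name: Assert omitted_signature_algorithm does not cause change
      assert:
        that:
          - omitted_signature_algorithm is not changed

    # Unconditionally re-sign so the key-change checks below start from the
    # baseline certificate regardless of what this block did.
    - name: Revert to original certificate
      openssh_cert:
        type: user
        path: "{{ certificate_path }}"
        public_key: "{{ public_key }}"
        signing_key: "{{ signing_key }}"
        valid_from: always
        valid_to: forever
        regenerate: always
  when: openssh_version is version("7.3", ">=")

# With the default regenerate mode, swapping only the signing key or only the
# public key is not reported as a change; regenerate=full_idempotence is what
# detects it (see the assert below).
- name: Generate cert with new signing key
  openssh_cert:
    type: user
    path: "{{ certificate_path }}"
    public_key: "{{ public_key }}"
    signing_key: "{{ new_signing_key }}"
    valid_from: always
    valid_to: forever
  register: new_signing_key_output

- name: Generate cert with new public key
  openssh_cert:
    type: user
    path: "{{ certificate_path }}"
    public_key: "{{ new_public_key }}"
    signing_key: "{{ signing_key }}"
    valid_from: always
    valid_to: forever
  register: new_public_key_output

- name: Generate cert with new signing key - full idempotency
  openssh_cert:
    type: user
    path: "{{ certificate_path }}"
    public_key: "{{ public_key }}"
    signing_key: "{{ new_signing_key }}"
    valid_from: always
    valid_to: forever
    regenerate: full_idempotence
  register: new_signing_key_full_idempotency_output

- name: Generate cert with new public key - full idempotency
  openssh_cert:
    type: user
    path: "{{ certificate_path }}"
    public_key: "{{ new_public_key }}"
    signing_key: "{{ new_signing_key }}"
    valid_from: always
    valid_to: forever
    regenerate: full_idempotence
  register: new_public_key_full_idempotency_output

- name: Assert changes to public key or signing key results in no change unless idempotency=full
  assert:
    that:
      - new_signing_key_output is not changed
      - new_public_key_output is not changed
      - new_signing_key_full_idempotency_output is changed
      - new_public_key_full_idempotency_output is changed

# Cleanup of the artifacts this file created.
- name: Remove certificate
  openssh_cert:
    path: "{{ certificate_path }}"
    state: absent

- name: Remove new keypair
  openssh_keypair:
    path: "{{ new_signing_key }}"
    state: absent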