openssl_*: add backup option (#54294)

2026-04-03 09:13:12 +00:00 · 2019-03-30 15:38:43 +01:00
parent 5517b0384f
commit 188903448a
19 changed files with 494 additions and 2 deletions
--- a/test/integration/targets/openssl_certificate/tasks/ownca.yml
+++ b/test/integration/targets/openssl_certificate/tasks/ownca.yml
@@ -217,4 +217,54 @@
    ownca_digest: sha256
  register: ownca_broken

+- name: (OwnCA, {{select_crypto_backend}}) Backup test
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_backup_1
+- name: (OwnCA, {{select_crypto_backend}}) Backup test (idempotent)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_backup_2
+- name: (OwnCA, {{select_crypto_backend}}) Backup test (change)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr.csr'
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: ownca
+    ownca_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_backup_3
+- name: (OwnCA, {{select_crypto_backend}}) Backup test (remove)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_backup.pem'
+    state: absent
+    provider: ownca
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_backup_4
+- name: (OwnCA, {{select_crypto_backend}}) Backup test (remove, idempotent)
+  openssl_certificate:
+    path: '{{ output_dir }}/ownca_cert_backup.pem'
+    state: absent
+    provider: ownca
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_backup_5
+
 - import_tasks: ../tests/validate_ownca.yml
--- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -224,4 +224,51 @@
    selfsigned_digest: sha256
  register: selfsigned_broken

+- name: (Selfsigned, {{select_crypto_backend}}) Backup test
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_backup_1
+- name: (Selfsigned, {{select_crypto_backend}}) Backup test (idempotent)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr_ecc.csr'
+    privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_backup_2
+- name: (Selfsigned, {{select_crypto_backend}}) Backup test (change)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_backup.pem'
+    csr_path: '{{ output_dir }}/csr.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_backup_3
+- name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_backup.pem'
+    state: absent
+    provider: selfsigned
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_backup_4
+- name: (Selfsigned, {{select_crypto_backend}}) Backup test (remove, idempotent)
+  openssl_certificate:
+    path: '{{ output_dir }}/selfsigned_cert_backup.pem'
+    state: absent
+    provider: selfsigned
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: selfsigned_backup_5
+
 - import_tasks: ../tests/validate_selfsigned.yml
--- a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
@@ -106,3 +106,17 @@
  assert:
    that:
      - ownca_broken is changed
+
+- name: Check backup
+  assert:
+    that:
+      - ownca_backup_1 is changed
+      - ownca_backup_1.backup_file is undefined
+      - ownca_backup_2 is not changed
+      - ownca_backup_2.backup_file is undefined
+      - ownca_backup_3 is changed
+      - ownca_backup_3.backup_file is string
+      - ownca_backup_4 is changed
+      - ownca_backup_4.backup_file is string
+      - ownca_backup_5 is not changed
+      - ownca_backup_5.backup_file is undefined
--- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
@@ -107,3 +107,17 @@
  assert:
    that:
      - selfsigned_broken is changed
+
+- name: Check backup
+  assert:
+    that:
+      - selfsigned_backup_1 is changed
+      - selfsigned_backup_1.backup_file is undefined
+      - selfsigned_backup_2 is not changed
+      - selfsigned_backup_2.backup_file is undefined
+      - selfsigned_backup_3 is changed
+      - selfsigned_backup_3.backup_file is string
+      - selfsigned_backup_4 is changed
+      - selfsigned_backup_4.backup_file is string
+      - selfsigned_backup_5 is not changed
+      - selfsigned_backup_5.backup_file is undefined
--- a/test/integration/targets/openssl_csr/tasks/impl.yml
+++ b/test/integration/targets/openssl_csr/tasks/impl.yml
@@ -288,3 +288,45 @@
    useCommonNameForSAN: no
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: output_broken
+
+- name: Generate CSR
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backup.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_backup_1
+- name: Generate CSR (idempotent)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backup.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: www.ansible.com
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_backup_2
+- name: Generate CSR (change)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backup.csr'
+    privatekey_path: '{{ output_dir }}/privatekey.pem'
+    subject:
+      commonName: ansible.com
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_backup_3
+- name: Generate CSR (remove)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backup.csr'
+    state: absent
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_backup_4
+- name: Generate CSR (remove, idempotent)
+  openssl_csr:
+    path: '{{ output_dir }}/csr_backup.csr'
+    state: absent
+    backup: yes
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_backup_5
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -124,3 +124,17 @@
  assert:
    that:
      - output_broken is changed
+
+- name: Check backup
+  assert:
+    that:
+      - csr_backup_1 is changed
+      - csr_backup_1.backup_file is undefined
+      - csr_backup_2 is not changed
+      - csr_backup_2.backup_file is undefined
+      - csr_backup_3 is changed
+      - csr_backup_3.backup_file is string
+      - csr_backup_4 is changed
+      - csr_backup_4.backup_file is string
+      - csr_backup_5 is not changed
+      - csr_backup_5.backup_file is undefined
--- a/test/integration/targets/openssl_dhparam/tasks/main.yml
+++ b/test/integration/targets/openssl_dhparam/tasks/main.yml
@@ -53,4 +53,36 @@
        force: yes
      register: output_broken

+    - name: Generate params
+      openssl_dhparam:
+        path: '{{ output_dir }}/dh_backup.pem'
+        size: 512
+        backup: yes
+      register: dhparam_backup_1
+    - name: Generate params (idempotent)
+      openssl_dhparam:
+        path: '{{ output_dir }}/dh_backup.pem'
+        size: 512
+        backup: yes
+      register: dhparam_backup_2
+    - name: Generate params (change)
+      openssl_dhparam:
+        path: '{{ output_dir }}/dh_backup.pem'
+        size: 512
+        force: yes
+        backup: yes
+      register: dhparam_backup_3
+    - name: Generate params (remove)
+      openssl_dhparam:
+        path: '{{ output_dir }}/dh_backup.pem'
+        state: absent
+        backup: yes
+      register: dhparam_backup_4
+    - name: Generate params (remove, idempotent)
+      openssl_dhparam:
+        path: '{{ output_dir }}/dh_backup.pem'
+        state: absent
+        backup: yes
+      register: dhparam_backup_5
+
    - import_tasks: ../tests/validate.yml
--- a/test/integration/targets/openssl_dhparam/tests/validate.yml
+++ b/test/integration/targets/openssl_dhparam/tests/validate.yml
@@ -35,3 +35,17 @@
  assert:
    that:
      - output_broken is changed
+
+- name: Check backup
+  assert:
+    that:
+      - dhparam_backup_1 is changed
+      - dhparam_backup_1.backup_file is undefined
+      - dhparam_backup_2 is not changed
+      - dhparam_backup_2.backup_file is undefined
+      - dhparam_backup_3 is changed
+      - dhparam_backup_3.backup_file is string
+      - dhparam_backup_4 is changed
+      - dhparam_backup_4.backup_file is string
+      - dhparam_backup_5 is not changed
+      - dhparam_backup_5.backup_file is undefined
--- a/test/integration/targets/openssl_pkcs12/tasks/impl.yml
+++ b/test/integration/targets/openssl_pkcs12/tasks/impl.yml
@@ -1,3 +1,4 @@
+---
 - block:
  - name: 'Generate privatekey with'
    openssl_privatekey:
@@ -115,6 +116,47 @@
      mode: 0644
    register: output_broken

+  - name: 'Generate PKCS#12 file'
+    openssl_pkcs12:
+      path: "{{ output_dir }}/ansible_backup.p12"
+      friendly_name: 'abracadabra'
+      privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+      certificate_path: "{{ output_dir }}/ansible.crt"
+      state: present
+      backup: yes
+    register: p12_backup_1
+  - name: 'Generate PKCS#12 file (idempotent)'
+    openssl_pkcs12:
+      path: "{{ output_dir }}/ansible_backup.p12"
+      friendly_name: 'abracadabra'
+      privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+      certificate_path: "{{ output_dir }}/ansible.crt"
+      state: present
+      backup: yes
+    register: p12_backup_2
+  - name: 'Generate PKCS#12 file (change)'
+    openssl_pkcs12:
+      path: "{{ output_dir }}/ansible_backup.p12"
+      friendly_name: 'abra'
+      privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+      certificate_path: "{{ output_dir }}/ansible.crt"
+      state: present
+      force: yes  # FIXME: idempotency does not work, so we have to force! (https://github.com/ansible/ansible/issues/53221)
+      backup: yes
+    register: p12_backup_3
+  - name: 'Generate PKCS#12 file (remove)'
+    openssl_pkcs12:
+      path: "{{ output_dir }}/ansible_backup.p12"
+      state: absent
+      backup: yes
+    register: p12_backup_4
+  - name: 'Generate PKCS#12 file (remove, idempotent)'
+    openssl_pkcs12:
+      path: "{{ output_dir }}/ansible_backup.p12"
+      state: absent
+      backup: yes
+    register: p12_backup_5
+
  - import_tasks: ../tests/validate.yml

  always:
--- a/test/integration/targets/openssl_pkcs12/tests/validate.yml
+++ b/test/integration/targets/openssl_pkcs12/tests/validate.yml
@@ -22,7 +22,7 @@
      - p12_force.changed
      - p12_force_and_mode.mode == '0644' and p12_force_and_mode.changed

- name:
+- name: Check passphrase on private key
  assert:
    that:
      - passphrase_error_1 is failed
@@ -36,3 +36,17 @@
  assert:
    that:
      - output_broken is changed
+
+- name: Check backup
+  assert:
+    that:
+      - p12_backup_1 is changed
+      - p12_backup_1.backup_file is undefined
+      - p12_backup_2 is not changed
+      - p12_backup_2.backup_file is undefined
+      - p12_backup_3 is changed
+      - p12_backup_3.backup_file is string
+      - p12_backup_4 is changed
+      - p12_backup_4.backup_file is string
+      - p12_backup_5 is not changed
+      - p12_backup_5.backup_file is undefined
--- a/test/integration/targets/openssl_publickey/tasks/main.yml
+++ b/test/integration/targets/openssl_publickey/tasks/main.yml
@@ -74,9 +74,23 @@
        curve: secp256k1

    - name: Generate publickey 5 - PEM format
+      openssl_publickey:
+        path: '{{ output_dir }}/publickey5.pub'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        backup: yes
+      register: privatekey5_1
+    - name: Generate publickey 5 - PEM format (idempotent)
+      openssl_publickey:
+        path: '{{ output_dir }}/publickey5.pub'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        backup: yes
+      register: privatekey5_2
+    - name: Generate publickey 5 - PEM format (different private key)
      openssl_publickey:
        path: '{{ output_dir }}/publickey5.pub'
        privatekey_path: '{{ output_dir }}/privatekey5.pem'
+        backup: yes
+      register: privatekey5_3

    - name: Generate privatekey with password
      openssl_privatekey:
@@ -118,6 +132,25 @@
        privatekey_path: '{{ output_dir }}/privatekey5.pem'
      register: output_broken

+    - name: Generate publickey - PEM format (for removal)
+      openssl_publickey:
+        path: '{{ output_dir }}/publickey_removal.pub'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+    - name: Generate publickey - PEM format (removal)
+      openssl_publickey:
+        state: absent
+        path: '{{ output_dir }}/publickey_removal.pub'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        backup: yes
+      register: remove_1
+    - name: Generate publickey - PEM format (removal, idempotent)
+      openssl_publickey:
+        state: absent
+        path: '{{ output_dir }}/publickey_removal.pub'
+        privatekey_path: '{{ output_dir }}/privatekey.pem'
+        backup: yes
+      register: remove_2
+
    - import_tasks: ../tests/validate.yml

  when: pyopenssl_version.stdout is version('16.0.0', '>=')
--- a/test/integration/targets/openssl_publickey/tests/validate.yml
+++ b/test/integration/targets/openssl_publickey/tests/validate.yml
@@ -83,6 +83,16 @@
      - publickey4_modulus.stdout == privatekey4_modulus.stdout
  when: openssl_version.stdout is version('0.9.8zh', '>=')

+- name: Validate idempotency and backup
+  assert:
+    that:
+      - privatekey5_1 is changed
+      - privatekey5_1.backup_file is undefined
+      - privatekey5_2 is not changed
+      - privatekey5_2.backup_file is undefined
+      - privatekey5_3 is changed
+      - privatekey5_3.backup_file is string
+
 - name: Validate public key 5 (test - privatekey's pubkey)
  command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
  register: privatekey5_pubkey
@@ -111,3 +121,11 @@
  assert:
    that:
      - output_broken is changed
+
+- name: Validate remove
+  assert:
+    that:
+      - remove_1 is changed
+      - remove_2 is not changed
+      - remove_1.backup_file is string
+      - remove_2.backup_file is undefined