author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:04:21 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:04:21 +0000 |
commit | 8a754e0858d922e955e71b253c139e071ecec432 (patch) | |
tree | 527d16e74bfd1840c85efd675fdecad056c54107 /test/integration/targets/rpm_key | |
parent | Initial commit. (diff) | |
Adding upstream version 2.14.3.upstream/2.14.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/integration/targets/rpm_key')
-rw-r--r-- | test/integration/targets/rpm_key/aliases | 2 | ||||
-rw-r--r-- | test/integration/targets/rpm_key/defaults/main.yaml | 0 | ||||
-rw-r--r-- | test/integration/targets/rpm_key/meta/main.yml | 2 | ||||
-rw-r--r-- | test/integration/targets/rpm_key/tasks/main.yaml | 2 | ||||
-rw-r--r-- | test/integration/targets/rpm_key/tasks/rpm_key.yaml | 180 |
5 files changed, 186 insertions, 0 deletions
diff --git a/test/integration/targets/rpm_key/aliases b/test/integration/targets/rpm_key/aliases
new file mode 100644
index 0000000..a4c92ef
--- /dev/null
+++ b/test/integration/targets/rpm_key/aliases
@@ -0,0 +1,2 @@
+destructive
+shippable/posix/group1
diff --git a/test/integration/targets/rpm_key/defaults/main.yaml b/test/integration/targets/rpm_key/defaults/main.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/integration/targets/rpm_key/defaults/main.yaml
diff --git a/test/integration/targets/rpm_key/meta/main.yml b/test/integration/targets/rpm_key/meta/main.yml
new file mode 100644
index 0000000..1810d4b
--- /dev/null
+++ b/test/integration/targets/rpm_key/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - setup_remote_tmp_dir
diff --git a/test/integration/targets/rpm_key/tasks/main.yaml b/test/integration/targets/rpm_key/tasks/main.yaml
new file mode 100644
index 0000000..6f71ca6
--- /dev/null
+++ b/test/integration/targets/rpm_key/tasks/main.yaml
@@ -0,0 +1,2 @@
+ - include_tasks: 'rpm_key.yaml'
+ when: ansible_os_family == "RedHat"
diff --git a/test/integration/targets/rpm_key/tasks/rpm_key.yaml b/test/integration/targets/rpm_key/tasks/rpm_key.yaml
new file mode 100644
index 0000000..89ed236
--- /dev/null
+++ b/test/integration/targets/rpm_key/tasks/rpm_key.yaml
@@ -0,0 +1,180 @@
+---
+#
+# Save initial state
+#
+- name: Retrieve a list of gpg keys are installed for package checking
+ shell: 'rpm -q gpg-pubkey | sort'
+ register: list_of_pubkeys
+
+- name: Retrieve the gpg keys used to verify packages
+ command: 'rpm -q --qf %{description} gpg-pubkey'
+ register: pubkeys
+
+- name: Save gpg keys to a file
+ copy:
+ content: "{{ pubkeys['stdout'] }}\n"
+ dest: '{{ remote_tmp_dir }}/pubkeys'
+ mode: 0600
+
+#
+# Tests start
+#
+- name: download EPEL GPG key
+ get_url:
+ url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+ dest: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: download sl rpm
+ get_url:
+ url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm
+ dest: /tmp/sl.rpm
+
+- name: remove EPEL GPG key from keyring
+ rpm_key:
+ state: absent
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should fail
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+ ignore_errors: yes
+
+- name: confirm that signature check failed
+ assert:
+ that:
+ - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+ - "sl_check.failed"
+
+- name: remove EPEL GPG key from keyring (idempotent)
+ rpm_key:
+ state: absent
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+ register: idempotent_test
+
+- name: check idempontence
+ assert:
+ that: "not idempotent_test.changed"
+
+- name: add EPEL GPG key to key ring
+ rpm_key:
+ state: present
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: add EPEL GPG key to key ring (idempotent)
+ rpm_key:
+ state: present
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+ register: key_idempotence
+
+- name: verify idempotence
+ assert:
+ that: "not key_idempotence.changed"
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: remove GPG key from url
+ rpm_key:
+ state: absent
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: Confirm key is missing
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+ ignore_errors: yes
+
+- name: confirm that signature check failed
+ assert:
+ that:
+ - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+ - "sl_check.failed"
+
+- name: add GPG key from url
+ rpm_key:
+ state: present
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: remove all keys from key ring
+ shell: "rpm -q gpg-pubkey | xargs rpm -e"
+
+- name: add very first key on system
+ rpm_key:
+ state: present
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+ register: result
+ failed_when: result is success
+
+- name: Issue 20325 - Assert Verify fingerprint of key, invalid fingerprint
+ assert:
+ that:
+ - result is success
+ - result is not changed
+ - "'does not match the key fingerprint' in result.msg"
+
+- name: Issue 20325 - Verify fingerprint of key, valid fingerprint
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+ register: result
+
+- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
+ assert:
+ that:
+ - result is success
+ - result is changed
+
+- name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+ register: result
+
+- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
+ assert:
+ that:
+ - result is success
+ - result is not changed
+
+#
+# Cleanup
+#
+- name: remove all keys from key ring
+ shell: "rpm -q gpg-pubkey | xargs rpm -e"
+
+- name: Restore the gpg keys normally installed on the system
+ command: 'rpm --import {{ remote_tmp_dir }}/pubkeys'
+
+- name: Retrieve a list of gpg keys are installed for package checking
+ shell: 'rpm -q gpg-pubkey | sort'
+ register: new_list_of_pubkeys
+
+- name: Confirm that we've restored all the pubkeys
+ assert:
+ that:
+ - 'list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]' |
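Review bot: The cleanup section at the end of tasks/rpm_key.yaml only runs when every earlier task passes, so a failure after either `rpm -q gpg-pubkey | xargs rpm -e` step, or after the EPEL key has been removed, leaves the host with an emptied or altered RPM keyring and package signature checking in an unknown state. Putting the tasks between "Tests start" and "Cleanup" under a `block:` and moving the four cleanup tasks into its `always:` would restore the saved keys on the failure path as well. Separately, the key and the package are downloaded to fixed names in a world-writable directory (`dest: /tmp/RPM-GPG-KEY-EPEL-7`, `dest: /tmp/sl.rpm`) and never removed, although `remote_tmp_dir` is already used for the saved keys; `dest: '{{ remote_tmp_dir }}/RPM-GPG-KEY-EPEL-7'` and `dest: '{{ remote_tmp_dir }}/sl.rpm'` avoid predictable paths that another local user could pre-create. As a matter of style, `mode: 0600` reads more safely as `mode: '0600'` and `ignore_errors: yes` as `ignore_errors: true`.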