summaryrefslogtreecommitdiffstats
path: root/test/integration/targets/rpm_key/tasks/rpm_key.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'test/integration/targets/rpm_key/tasks/rpm_key.yaml')
-rw-r--r--test/integration/targets/rpm_key/tasks/rpm_key.yaml180
1 files changed, 180 insertions, 0 deletions
diff --git a/test/integration/targets/rpm_key/tasks/rpm_key.yaml b/test/integration/targets/rpm_key/tasks/rpm_key.yaml
new file mode 100644
index 0000000..89ed236
--- /dev/null
+++ b/test/integration/targets/rpm_key/tasks/rpm_key.yaml
@@ -0,0 +1,180 @@
+---
+#
+# Save initial state
+#
+- name: Retrieve a list of gpg keys are installed for package checking
+ shell: 'rpm -q gpg-pubkey | sort'
+ register: list_of_pubkeys
+
+- name: Retrieve the gpg keys used to verify packages
+ command: 'rpm -q --qf %{description} gpg-pubkey'
+ register: pubkeys
+
+- name: Save gpg keys to a file
+ copy:
+ content: "{{ pubkeys['stdout'] }}\n"
+ dest: '{{ remote_tmp_dir }}/pubkeys'
+ mode: 0600
+
+#
+# Tests start
+#
+- name: download EPEL GPG key
+ get_url:
+ url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+ dest: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: download sl rpm
+ get_url:
+ url: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm
+ dest: /tmp/sl.rpm
+
+- name: remove EPEL GPG key from keyring
+ rpm_key:
+ state: absent
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should fail
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+ ignore_errors: yes
+
+- name: confirm that signature check failed
+ assert:
+ that:
+ - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+ - "sl_check.failed"
+
+- name: remove EPEL GPG key from keyring (idempotent)
+ rpm_key:
+ state: absent
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+ register: idempotent_test
+
+- name: check idempontence
+ assert:
+ that: "not idempotent_test.changed"
+
+- name: add EPEL GPG key to key ring
+ rpm_key:
+ state: present
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+
+- name: add EPEL GPG key to key ring (idempotent)
+ rpm_key:
+ state: present
+ key: /tmp/RPM-GPG-KEY-EPEL-7
+ register: key_idempotence
+
+- name: verify idempotence
+ assert:
+ that: "not key_idempotence.changed"
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: remove GPG key from url
+ rpm_key:
+ state: absent
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: Confirm key is missing
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+ ignore_errors: yes
+
+- name: confirm that signature check failed
+ assert:
+ that:
+ - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
+ - "sl_check.failed"
+
+- name: add GPG key from url
+ rpm_key:
+ state: present
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: remove all keys from key ring
+ shell: "rpm -q gpg-pubkey | xargs rpm -e"
+
+- name: add very first key on system
+ rpm_key:
+ state: present
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7
+
+- name: check GPG signature of sl. Should return okay
+ shell: "rpm --checksig /tmp/sl.rpm"
+ register: sl_check
+
+- name: confirm that signature check succeeded
+ assert:
+ that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
+
+- name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
+ register: result
+ failed_when: result is success
+
+- name: Issue 20325 - Assert Verify fingerprint of key, invalid fingerprint
+ assert:
+ that:
+ - result is success
+ - result is not changed
+ - "'does not match the key fingerprint' in result.msg"
+
+- name: Issue 20325 - Verify fingerprint of key, valid fingerprint
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+ register: result
+
+- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
+ assert:
+ that:
+ - result is success
+ - result is changed
+
+- name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
+ rpm_key:
+ key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag
+ fingerprint: EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6
+ register: result
+
+- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
+ assert:
+ that:
+ - result is success
+ - result is not changed
+
+#
+# Cleanup
+#
+- name: remove all keys from key ring
+ shell: "rpm -q gpg-pubkey | xargs rpm -e"
+
+- name: Restore the gpg keys normally installed on the system
+ command: 'rpm --import {{ remote_tmp_dir }}/pubkeys'
+
+- name: Retrieve a list of gpg keys are installed for package checking
+ shell: 'rpm -q gpg-pubkey | sort'
+ register: new_list_of_pubkeys
+
+- name: Confirm that we've restored all the pubkeys
+ assert:
+ that:
+ - 'list_of_pubkeys["stdout"] == new_list_of_pubkeys["stdout"]'
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-24 17:32:43 +0000