Diffstat (limited to 'ansible_collections/community/crypto/tests/integration/targets')
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases6
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml9
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml80
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases5
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml62
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases5
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml35
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml6
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases6
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml9
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml93
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml206
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml40
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml79
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml6
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml1
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml10
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml41
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml14
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py20
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py11
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml7
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml30
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml8
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml7
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml7
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml7
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml7
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml2
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml4
-rw-r--r--ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml14
37 files changed, 810 insertions, 39 deletions
diff --git a/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
index ef40ec601..c4b138572 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -9,7 +9,7 @@
####################################################################
- block:
- - name: Generate ECC256 accoun keys
+ - name: Generate ECC256 account keys
openssl_privatekey:
path: "{{ remote_tmp_dir }}/account-ec256.pem"
type: ECC
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases
new file mode 100644
index 000000000..326a499c3
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
+destructive
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml
new file mode 100644
index 000000000..398d0cf6c
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - prepare_jinja2_compat
+ - setup_remote_tmp_dir
+ - setup_gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml
new file mode 100644
index 000000000..071b490fd
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run tests if GPG is available
+ when: has_gnupg
+ block:
+ - name: Create GPG key
+ ansible.builtin.command:
+ cmd: gpg --homedir "{{ remote_tmp_dir }}" --batch --generate-key
+ stdin: |
+ %echo Generating a basic OpenPGP key
+ %no-ask-passphrase
+ %no-protection
+ Key-Type: RSA
+ Key-Length: 4096
+ Name-Real: Foo Bar
+ Name-Email: foo@bar.com
+ Expire-Date: 0
+ %commit
+ %echo done
+ register: result
+
+ - name: Extract fingerprint
+ ansible.builtin.shell: gpg --homedir "{{ remote_tmp_dir }}" --with-colons --fingerprint foo@bar.com | grep '^fpr:'
+ register: fingerprints
+
+ - name: Show fingerprints
+ ansible.builtin.debug:
+ msg: "{{ fingerprints.stdout_lines | map('split', ':') | list }}"
+
+ - name: Export public key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export --armor foo@bar.com
+ register: public_key
+
+ - name: Export private key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export-secret-key --armor foo@bar.com
+ register: private_key
+
+ - name: Gather fingerprints
+ ansible.builtin.set_fact:
+ public_key_fingerprint: "{{ public_key.stdout | community.crypto.gpg_fingerprint }}"
+ private_key_fingerprint: "{{ private_key.stdout | community.crypto.gpg_fingerprint }}"
+
+ - name: Check whether fingerprints match
+ ansible.builtin.assert:
+ that:
+ - public_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+ - private_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+
+ - name: Error scenario - wrong input type
+ ansible.builtin.set_fact:
+ failing_result: "{{ 42 | community.crypto.gpg_fingerprint }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'The input for the community.crypto.gpg_fingerprint filter must be a string; got ' in result.msg
+ - >-
+ 'int' in result.msg
+
+ - name: Error scenario - garbage input
+ ansible.builtin.set_fact:
+ failing_result: "{{ 'garbage' | community.crypto.gpg_fingerprint }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'Running ' in result.msg
+ - >-
+ ('/gpg --no-keyring --with-colons --import-options show-only --import /dev/stdin yielded return code ') in result.msg
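Review bot: The `'int' in result.msg` assertion in the first "Check result" task cannot fail, because the substring `int` already occurs inside `gpg_fingerprint`, which the assertion just above requires the message to contain. The test therefore does not verify that the offending type is reported. Anchoring the type name after the fixed prefix would make the check meaningful, for example `result.msg is search('must be a string; got .*int')`. The exact rendering of the type after "got " is not visible here, so the pattern should be confirmed against the filter's real output.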
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases
new file mode 100644
index 000000000..12d1d6617
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml
new file mode 100644
index 000000000..67175ac07
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test parse_serial filter
+ assert:
+ that:
+ - >-
+ '0' | community.crypto.parse_serial == 0
+ - >-
+ '00' | community.crypto.parse_serial == 0
+ - >-
+ '000' | community.crypto.parse_serial == 0
+ - >-
+ 'ff' | community.crypto.parse_serial == 255
+ - >-
+ '0ff' | community.crypto.parse_serial == 255
+ - >-
+ '1:0' | community.crypto.parse_serial == 256
+ - >-
+ '1:2:3' | community.crypto.parse_serial == 66051
+
+- name: "Test error 1: empty string"
+ debug:
+ msg: >-
+ {{ '' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_1
+
+- name: "Test error 2: invalid type"
+ debug:
+ msg: >-
+ {{ [] | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_2
+
+- name: "Test error 3: invalid values (range)"
+ debug:
+ msg: >-
+ {{ '100' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_3
+
+- name: "Test error 4: invalid values (digits)"
+ debug:
+ msg: >-
+ {{ 'abcdefg' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_4
+
+- name: Validate errors
+ assert:
+ that:
+ - >-
+ error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg
+ - >-
+ error_2 is failed and "The input for the community.crypto.parse_serial filter must be a string; got " in error_2.msg
+ - >-
+ error_3 is failed and "The 1st part '100' is not a hexadecimal number in range [0, 255]: the value is not in range [0, 255]" in error_3.msg
+ - >-
+ error_4 is failed and "The 1st part 'abcdefg' is not a hexadecimal number in range [0, 255]: invalid literal" in error_4.msg
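Review bot: The positive cases in "Test parse_serial filter" only use lowercase input and never the zero-padded, uppercase, colon-separated form that the companion `to_serial` test expects as output (`'FF'`, `'01:00'`). Serial numbers parsed this way are typically compared against certificate or CRL entries, so a round-trip case would pin that the two filters agree, e.g. `(65536 | community.crypto.to_serial) | community.crypto.parse_serial == 65536` and `'FF' | community.crypto.parse_serial == 255`. Malformed separators such as `'1:'` or `':1'` are also not covered by the error cases. Whether those are rejected cannot be seen from this hunk.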
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases
new file mode 100644
index 000000000..12d1d6617
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml
new file mode 100644
index 000000000..1b1f4385f
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test to_serial filter
+ assert:
+ that:
+ - 0 | community.crypto.to_serial == '00'
+ - 1 | community.crypto.to_serial == '01'
+ - 255 | community.crypto.to_serial == 'FF'
+ - 256 | community.crypto.to_serial == '01:00'
+ - 65536 | community.crypto.to_serial == '01:00:00'
+
+- name: "Test error 1: negative number"
+ debug:
+ msg: >-
+ {{ (-1) | community.crypto.to_serial }}
+ ignore_errors: true
+ register: error_1
+
+- name: "Test error 2: invalid type"
+ debug:
+ msg: >-
+ {{ [] | community.crypto.to_serial }}
+ ignore_errors: true
+ register: error_2
+
+- name: Validate error
+ assert:
+ that:
+ - >-
+ error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg
+ - >-
+ error_2 is failed and "The input for the community.crypto.to_serial filter must be an integer; got " in error_2.msg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml
index 810a66f85..29ca26873 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml
@@ -71,7 +71,11 @@
- result is not changed
- result is failed
# We got the expected error message
- - "'The handshake operation timed out' in result.msg or 'unknown protocol' in result.msg or 'wrong version number' in result.msg"
+ - >-
+ 'The handshake operation timed out' in result.msg
+ or 'unknown protocol' in result.msg
+ or 'wrong version number' in result.msg
+ or 'record layer failure' in result.msg
- name: Test timeout option
get_certificate:
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases
new file mode 100644
index 000000000..326a499c3
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
+destructive
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml
new file mode 100644
index 000000000..398d0cf6c
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - prepare_jinja2_compat
+ - setup_remote_tmp_dir
+ - setup_gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml
new file mode 100644
index 000000000..860cbce97
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run tests if GPG is available
+ when: has_gnupg
+ block:
+ - name: Create GPG key
+ ansible.builtin.command:
+ cmd: gpg --homedir "{{ remote_tmp_dir }}" --batch --generate-key
+ stdin: |
+ %echo Generating a basic OpenPGP key
+ %no-ask-passphrase
+ %no-protection
+ Key-Type: RSA
+ Key-Length: 4096
+ Name-Real: Foo Bar
+ Name-Email: foo@bar.com
+ Expire-Date: 0
+ %commit
+ %echo done
+ register: result
+
+ - name: Extract fingerprint
+ ansible.builtin.shell: gpg --homedir "{{ remote_tmp_dir }}" --with-colons --fingerprint foo@bar.com | grep '^fpr:'
+ register: fingerprints
+
+ - name: Show fingerprints
+ ansible.builtin.debug:
+ msg: "{{ fingerprints.stdout_lines | map('split', ':') | list }}"
+
+ - name: Export public key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export --armor foo@bar.com
+ register: public_key
+
+ - name: Export private key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export-secret-key --armor foo@bar.com
+ register: private_key
+
+ - name: Write public key to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/public-key"
+ content: "{{ public_key.stdout }}"
+
+ - name: Write private key to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/private-key"
+ content: "{{ private_key.stdout }}"
+
+ - name: Gather fingerprints
+ ansible.builtin.set_fact:
+ public_key_fingerprint: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/public-key') }}"
+ private_key_fingerprint: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/private-key') }}"
+
+ - name: Check whether fingerprints match
+ ansible.builtin.assert:
+ that:
+ - public_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+ - private_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+
+ - name: Error scenario - file does not exist
+ ansible.builtin.set_fact:
+ failing_result: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/does-not-exist') }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ (remote_tmp_dir ~ '/does-not-exist does not exist') in result.msg
+
+ - name: Write garbage to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/garbage"
+ content: gargabe
+
+ - name: Error scenario - file contains garbage
+ ansible.builtin.set_fact:
+ failing_result: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/garbage') }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'Running ' in result.msg
+ - >-
+ ('/gpg --no-keyring --with-colons --import-options show-only --import ' ~ remote_tmp_dir ~ '/garbage yielded return code ') in result.msg
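Review bot: The "Write private key to disk" task uses `ansible.builtin.copy` without a `mode`, so the exported secret key lands in `remote_tmp_dir` with whatever the remote umask allows. The key is generated with `%no-protection`, so the file is unencrypted secret key material. It is a throwaway test key, but integration tasks are often copied as usage examples, so an explicit `mode: "0600"` on that task (and `mode: "0644"` on the public key and garbage files) is the safer pattern to show. The permissions of `remote_tmp_dir` itself are set outside this hunk and may already limit exposure.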
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
new file mode 100644
index 000000000..51a3db362
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
@@ -0,0 +1,206 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create luks with keyslot 4 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: create_luks_slot4_check
+- name: Create luks with keyslot 4
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot4
+- name: Create luks with keyslot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot4_idem
+- name: Create luks with keyslot 4 (idempotent, check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: create_luks_slot4_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot4
+- assert:
+ that:
+ - create_luks_slot4_check is changed
+ - create_luks_slot4 is changed
+ - create_luks_slot4_idem is not changed
+ - create_luks_slot4_idem_check is not changed
+ - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
+
+- name: Add key in slot 2 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: add_luks_slot2_check
+- name: Add key in slot 2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot2
+- name: Add key in slot 2 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot2_idem
+- name: Add key in slot 2 (idempotent, check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: add_luks_slot2_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot2
+- assert:
+ that:
+ - add_luks_slot2_check is changed
+ - add_luks_slot2 is changed
+ - add_luks_slot2_idem is not changed
+ - add_luks_slot2_idem_check is not changed
+ - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
+
+- name: Check remove slot 4 without key
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ remove_keyslot: 4
+ ignore_errors: true
+ become: true
+ register: kill_slot4_nokey
+- name: Check remove slot 4 with slot 4 key
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ remove_keyslot: 4
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ ignore_errors: true
+ become: true
+ register: kill_slot4_key_slot4
+- assert:
+ that:
+ - kill_slot4_nokey is failed
+ - kill_slot4_key_slot4 is failed
+
+- name: Remove key in slot 4 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ check_mode: true
+ become: true
+ register: kill_luks_slot4_check
+- name: Remove key in slot 4
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ become: true
+ register: kill_luks_slot4
+- name: Remove key in slot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ become: true
+ register: kill_luks_slot4_idem
+- name: Remove key in slot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ check_mode: true
+ become: true
+ register: kill_luks_slot4_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot4_removed
+- assert:
+ that:
+ - kill_luks_slot4_check is changed
+ - kill_luks_slot4 is changed
+ - kill_luks_slot4_idem is not changed
+ - kill_luks_slot4_idem_check is not changed
+ - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
+
+- name: Add key in slot 0
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyslot: 0
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot0
+- name: Remove key in slot 0
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 0
+ become: true
+ register: kill_luks_slot0
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot0_removed
+- assert:
+ that:
+ - add_luks_slot0 is changed
+ - kill_luks_slot0 is changed
+ - "'Key Slot 0: DISABLED' in luks_header_slot0_removed.stdout or not '0: luks' in luks_header_slot0_removed.stdout"
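Review bot: The negative checks after "Check remove slot 4 without key" and "Check remove slot 4 with slot 4 key" only assert `is failed`, so any unrelated failure (missing device, privilege problem) also satisfies them. The refusal to remove a keyslot with its own key is then not actually pinned. keyslot-duplicate.yml in this same commit asserts on the message text, and the same should be done here, e.g. `- "'<expected message fragment>' in kill_slot4_key_slot4.msg"` with the fragment taken from the module. The three `is failed` checks at the top of keyslot-options.yml have the same gap. Separately, the fourth removal task runs with `check_mode: true` but repeats the name "Remove key in slot 4 (idempotent)"; it should read "Remove key in slot 4 (idempotent, check)".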
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
new file mode 100644
index 000000000..cb9e559a1
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create new luks
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+- name: Add new keyslot with same keyfile (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ new_keyslot: 1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ become: true
+ ignore_errors: true
+ check_mode: true
+ register: keyslot_duplicate_check
+- name: Add new keyslot with same keyfile
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ new_keyslot: 1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ become: true
+ ignore_errors: true
+ register: keyslot_duplicate
+- assert:
+ that:
+ - keyslot_duplicate_check is failed
+ - "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"
+ - keyslot_duplicate is failed
+ - "'Trying to add key that is already present in another slot' in keyslot_duplicate.msg"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
new file mode 100644
index 000000000..8a1ca14b3
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
@@ -0,0 +1,79 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Check invalid slot (luks1, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks1_slot8
+- name: Check invalid slot (luks2, 32)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks2
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 32
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks2_slot32
+- name: Check invalid slot (no luks type, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks_slot8
+- assert:
+ that:
+ - create_luks1_slot8 is failed
+ - create_luks2_slot32 is failed
+ - create_luks_slot8 is failed
+
+- name: Check valid slot (luks2, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks2
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ ignore_errors: true
+ register: create_luks2_slot8
+- name: Make sure that the previous task only fails if LUKS2 is not supported
+ assert:
+ that:
+ - "'Unknown option --type' in create_luks2_slot8.msg"
+ when: create_luks2_slot8 is failed
+- name: Check add valid slot (no luks type, 10)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 10
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot10
+ when: create_luks2_slot8 is changed
+- assert:
+ that:
+ - create_luks_slot10 is changed
+ when: create_luks2_slot8 is changed
\ No newline at end of file
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml
index 572625517..85f28ae4f 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml
@@ -15,6 +15,7 @@
perf_no_read_workqueue: true
perf_no_write_workqueue: true
persistent: true
+ allow_discards: true
pbkdf:
iteration_time: 0.1
check_mode: true
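Review bot: `allow_discards: true` is added next to `persistent: true` with no comment explaining that it is there for option coverage, and the later hunks in this file repeat it for the other create/open tasks. Passing discards through dm-crypt lets anyone with access to the underlying device see which blocks are unused, and cryptsetup documents this as a security trade-off; with `persistent` the flag is also stored in the header for later activations. A short comment above the first occurrence would stop the task being read as a recommended default, e.g. `# allow_discards is enabled only to test the option; it reveals free-block patterns on the backing device`. The task this hunk modifies starts above the visible context.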
@@ -32,6 +33,7 @@
perf_no_read_workqueue: true
perf_no_write_workqueue: true
persistent: true
+ allow_discards: true
become: true
register: create_open
- name: Create and open (idempotent)
@@ -46,6 +48,7 @@
perf_no_read_workqueue: true
perf_no_write_workqueue: true
persistent: true
+ allow_discards: true
become: true
register: create_open_idem
- name: Create and open (idempotent, check)
@@ -60,6 +63,7 @@
perf_no_read_workqueue: true
perf_no_write_workqueue: true
persistent: true
+ allow_discards: true
check_mode: true
become: true
register: create_open_idem_check
@@ -80,6 +84,7 @@
- "'no-write-workqueue' in luks_header.stdout"
- "'same-cpu-crypt' in luks_header.stdout"
- "'submit-from-crypt-cpus' in luks_header.stdout"
+ - "'allow-discards' in luks_header.stdout"
- name: Dump device mapper table
command: "dmsetup table {{ create_open.name }}"
@@ -91,6 +96,7 @@
- "'no_write_workqueue' in dm_table.stdout"
- "'same_cpu_crypt' in dm_table.stdout"
- "'submit_from_crypt_cpus' in dm_table.stdout"
+ - "'allow_discards' in dm_table.stdout"
- name: Closed and Removed
luks_device:
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml
index c0d230abf..e7e1f184a 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml
@@ -7,4 +7,5 @@ cryptsetup_package: cryptsetup
luks_extra_packages:
- device-mapper
+ - lsblk
- wipefs
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml
index c83596997..b1dd4a650 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml
@@ -31,7 +31,7 @@
valid_to: forever
check_mode: true
changed: true
- - test_name: Generate cert - force option (idemopotent, check mode)
+ - test_name: Generate cert - force option (idempotent, check mode)
force: true
type: user
valid_from: always
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml
index b72c0be68..cf09dc20f 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml
@@ -75,7 +75,7 @@
state: absent
- name: Generate PEM encoded key with passphrase
- command: 'ssh-keygen -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
+ command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
- name: Try to verify a PEM encoded key
openssh_keypair:
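Review bot: The rewritten `command` line still interpolates `{{ passphrase }}` unquoted after `-N`. A passphrase containing whitespace or quoting characters would be split into several arguments, and an empty one would make `-m` the passphrase. `-N {{ passphrase | quote }}` keeps it a single argument; `passphrase` is defined outside this hunk, so whether current test values can trigger this is not visible here. A short comment that 1280 bits is a deliberately small test key, for example `# small RSA key for test speed only`, would also keep the line from being copied as a template.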
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
index fdabd7614..0d324939c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
@@ -100,8 +100,10 @@
comment: "test_modified@comment"
backend: "{{ backend }}"
register: modified_comment_output
+ ignore_errors: true
- name: "({{ backend }}) Assert comment preserved public key - comment"
+ when: modified_comment_output is succeeded
assert:
that:
- comment_output.public_key == modified_comment_output.public_key
@@ -111,9 +113,17 @@
assert:
that:
- modified_comment_output.comment == 'test_modified@comment'
+ - modified_comment_output is succeeded
# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
+- name: "({{ backend }}) Assert comment not changed - comment"
+ assert:
+ that:
+ - modified_comment_output is failed
+ # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+ when: backend == 'opensshbin' and openssh_version is version('7.2', '<')
+
- name: "({{ backend }}) Remove key - comment"
openssh_keypair:
path: "{{ remote_tmp_dir }}/comment"
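Review bot: The new task "Assert comment not changed - comment" checks only `modified_comment_output is failed`, and the previous hunk adds `ignore_errors: true` to the modify task unconditionally. On the old-OpenSSH path any failure of that task therefore passes, not just the unsupported-comment case, and nothing verifies that the comment on disk is unchanged. Either rename the task to match what it checks, e.g. `- name: "({{ backend }}) Assert comment update failed on OpenSSH before 7.2 - comment"`, or add an assertion on the failure message; the module's message text is not visible in this diff, so it has to be taken from the module source. The explanatory comment about OpenSSH 7.2 is also now duplicated inside both assert tasks and would read better once, above the pair.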
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
index d10096044..f9e2f43b3 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
@@ -329,22 +329,25 @@
that:
- result is changed
-- name: "({{ backend }}) Regenerate - adjust comment"
- openssh_keypair:
- path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
- type: dsa
- size: 1024
- comment: test comment
- regenerate: '{{ item }}'
- backend: "{{ backend }}"
- loop: "{{ regenerate_values }}"
- register: result
-- assert:
- that:
- - result is changed
- # for all values but 'always', the key should not be regenerated.
- # verify this by comparing fingerprints:
- - result.results[0].fingerprint == result.results[1].fingerprint
- - result.results[0].fingerprint == result.results[2].fingerprint
- - result.results[0].fingerprint == result.results[3].fingerprint
- - result.results[0].fingerprint != result.results[4].fingerprint
+# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+- when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
+ block:
+ - name: "({{ backend }}) Regenerate - adjust comment"
+ openssh_keypair:
+ path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
+ type: dsa
+ size: 1024
+ comment: test comment
+ regenerate: '{{ item }}'
+ backend: "{{ backend }}"
+ loop: "{{ regenerate_values }}"
+ register: result
+ - assert:
+ that:
+ - result is changed
+ # for all values but 'always', the key should not be regenerated.
+ # verify this by comparing fingerprints:
+ - result.results[0].fingerprint == result.results[1].fingerprint
+ - result.results[0].fingerprint == result.results[2].fingerprint
+ - result.results[0].fingerprint == result.results[3].fingerprint
+ - result.results[0].fingerprint != result.results[4].fingerprint
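Review bot: The `when:` on the new block is a third copy of the OpenSSH 7.2 / `opensshbin` guard in this commit (the other two are in tests/options.yml), so a change to the cutoff must be repeated by hand in each place. Computing it once during setup and testing a single fact here, for instance `when: openssh_supports_comment_update` (the name is a suggestion, no such variable is visible in the diff), keeps the copies from drifting. The inner `assert` also has no `name`, which makes a failure or skip of this block hard to spot in CI output; `- name: "({{ backend }}) Regenerate - adjust comment (assert)"` would fix that.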
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml
index 7116c8674..cad051c6c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml
@@ -69,7 +69,10 @@
vars:
select_crypto_backend: pyopenssl
- when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+ when: >-
+ (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+ and
+ (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
- block:
- name: Running tests with cryptography backend
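Review bot: The new upper bound on pyOpenSSL 23.3.0 has no comment explaining it, and the same two-line version range is repeated in the outer `when` in the next hunk. Presumably pyOpenSSL 23.3.0 removed the PKCS#12 API that the pyopenssl backend relies on; if that is the reason, state it next to the condition, e.g. `# pyOpenSSL 23.3.0+ no longer provides the PKCS12 API used by the pyopenssl backend`. Because the condition only skips, the backend silently loses its tests on hosts with a newer pyOpenSSL, and a `debug` task for the skipped case would make that visible in the logs. The block this `when` belongs to starts above the hunk.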
@@ -79,4 +82,11 @@
when: cryptography_version.stdout is version('3.0', '>=')
- when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') or cryptography_version.stdout is version('3.0', '>=')
+ when: >-
+ (
+ (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
+ and
+ (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
+ )
+ or
+ cryptography_version.stdout is version('3.0', '>=')
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml
index 8f134dddf..4d92c2546 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml
@@ -74,7 +74,7 @@
shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey5
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
- # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
+ # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned successfully.
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate privatekey5 (assert - Passphrase protected key + idempotence)"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
index 8a1ab86e3..8c8a7292c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
@@ -43,7 +43,7 @@
- name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (assert)"
assert:
that:
- - privatekey_publickey.stdout == '{{ publickey.content|b64decode }}'
+ - privatekey_publickey.stdout == publickey.content | b64decode
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
- name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format - test idempotence (issue 33256)"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py
new file mode 100644
index 000000000..c14af4ccb
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py
@@ -0,0 +1,20 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+# Added in ansible-core 2.11
+def compatibility_split_filter(text, by_what):
+ return text.split(by_what)
+
+
+class FilterModule:
+ ''' Jinja2 compat filters '''
+
+ def filters(self):
+ return {
+ 'split': compatibility_split_filter,
+ }
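Review bot: `compatibility_split_filter` makes `by_what` mandatory, while the builtin `split` filter it stands in for is, as far as I recall, a thin wrapper around `str.split` that also works without a separator. A template using `{{ value | split }}` would then fail only on the old ansible-core versions that load this shim. `def compatibility_split_filter(text, by_what=None):` keeps the two in step. The function and `filters()` also lack docstrings; one line stating that this mirrors the builtin filter for ansible-core older than 2.11 would be enough.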
diff --git a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
index 87ce01dce..98180a177 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
+++ b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
@@ -1,6 +1,11 @@
-# Copyright (c) Ansible Project
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
+# This code is part of Ansible, but is an independent component.
+# This particular file snippet, and this file snippet only, is licensed under the
+# BSD-3-Clause License. Modules you write using this snippet, which is embedded
+# dynamically by Ansible, still belong to the author of the module, and may assign
+# their own license to the complete work.
+
+# The BSD License license has been included as LICENSES/BSD-3-Clause.txt in this collection.
+# SPDX-License-Identifier: BSD-3-Clause
# Copyright 2007 Pallets
#
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml
new file mode 100644
index 000000000..2fcd152f9
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - setup_pkg_mgr
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml
new file mode 100644
index 000000000..9e02356fc
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Print distribution specific data
+ ansible.builtin.debug:
+ msg: |
+ Distribution: {{ ansible_facts.distribution }}
+ Distribution version: {{ ansible_facts.distribution_version }}
+ Distribution major version: {{ ansible_facts.distribution_major_version }}
+ OS family: {{ ansible_facts.os_family }}
+
+- name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml'
+ - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
+ - '{{ ansible_facts.distribution }}.yml'
+ - '{{ ansible_facts.os_family }}.yml'
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+- name: Install GnuPG
+ ansible.builtin.package:
+ name: '{{ gnupg_package_name }}'
+ when: has_gnupg
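Review bot: The "Install GnuPG" task omits `state`, leaving the outcome to whatever default the underlying package-manager module applies; adding `state: present` makes the intent explicit. The guard `when: has_gnupg` also depends on the type of the variable: vars/Alpine.yml in this commit defines it as a templated string rather than a literal boolean, so `when: has_gnupg | bool` is the sturdier form. `gnupg_package_name` is not defined in the CentOS-6 and Darwin vars files, which is fine only as long as the `when` stays on this task; a one-line comment saying so would help.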
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml
new file mode 100644
index 000000000..99bd64412
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Alpine 3.12 should have GnuPG, but for some reason installing it fails...
+has_gnupg: "{{ ansible_facts.distribution_version is version('3.13', '>=') }}"
+gnupg_package_name: gpg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml
new file mode 100644
index 000000000..fd09e9142
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: false
+# The GnuPG version included with CentOS 6 is too old, it doesn't understand --generate-key
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml
new file mode 100644
index 000000000..a7d999db8
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# TODO Homebrew currently isn't happy when running as root, so assume we don't have GnuPG
+has_gnupg: false
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml
new file mode 100644
index 000000000..3e82c4f98
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: true
+gnupg_package_name: gnupg2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml
new file mode 100644
index 000000000..6059ed80e
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: true
+gnupg_package_name: gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
index ec2170aed..8bbf9f670 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
@@ -72,6 +72,8 @@ system_python_version_data:
Debian:
'11':
- '3.9'
+ '12':
+ - '3.11'
Alpine:
'3.16':
- '3.10'
diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
index b1569a94c..ac25b6295 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
@@ -15,7 +15,7 @@
shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
register: ownca_cert_issuer
-- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
+- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate version == default == 3)
shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
register: ownca_cert_version
diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
index dfb1d8713..c76310437 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
@@ -18,7 +18,7 @@
shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem'
register: cert_modulus
-- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certficate version == default == 3)
+- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate version == default == 3)
shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
register: cert_version
@@ -55,7 +55,7 @@
register: cert_issuer
-- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3)
+- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate version == default == 3)
shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
register: cert_version
diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml
index 11fa7dcca..29f2c473d 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml
@@ -119,7 +119,7 @@
- cert-2.pem
register: slurp
-- name: Create CRL 1 (idempotent with content, check mode)
+- name: Create CRL 1 (idempotent with content and octet string serial, check mode)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_content: "{{ slurp.results[0].content | b64decode }}"
@@ -127,6 +127,7 @@
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
+ serial_numbers: hex-octets
revoked_certificates:
- content: "{{ slurp.results[1].content | b64decode }}"
revocation_date: 20191013000000Z
@@ -135,12 +136,12 @@
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: 04:D2
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_idem_content_check
-- name: Create CRL 1 (idempotent with content)
+- name: Create CRL 1 (idempotent with content and octet string serial)
x509_crl:
path: '{{ remote_tmp_dir }}/ca-crl1.crl'
privatekey_content: "{{ slurp.results[0].content | b64decode }}"
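Review bot: `serial_number: 04:D2` is written as a plain scalar here and again in the `@@ -156,7 +158,7 @@` hunk. It loads as a string only because it contains a letter; a colon-separated serial made of digits alone (the constructed value `12:34`, for example) is read as a base-60 integer by YAML 1.1 loaders such as PyYAML, and a different serial would end up on the revocation list. Writing `- serial_number: "04:D2"` matches the `"1234"` quoting introduced further down in this file and shows the safe form to anyone copying the test. The task continues past the end of this hunk.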
@@ -148,6 +149,7 @@
CN: Ansible
last_update: 20191013000000Z
next_update: 20191113000000Z
+ serial_numbers: hex-octets
revoked_certificates:
- content: "{{ slurp.results[1].content | b64decode }}"
revocation_date: 20191013000000Z
@@ -156,7 +158,7 @@
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: 04:D2
revocation_date: 20191001000000Z
register: crl_1_idem_content
@@ -220,7 +222,7 @@
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: "1234"
revocation_date: 20191001000000Z
check_mode: true
register: crl_1_format_idem_check
@@ -242,7 +244,7 @@
reason: key_compromise
reason_critical: true
invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: "1234"
revocation_date: 20191001000000Z
return_content: true
register: crl_1_format_idem