From 38b7c80217c4e72b1d8988eb1e60bb6e77334114 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 18 Apr 2024 07:52:22 +0200 Subject: Adding upstream version 9.4.0+dfsg. 
Signed-off-by: Daniel Baumann --- .../acme_challenge_cert_helper/tasks/main.yml | 2 +- .../targets/filter_gpg_fingerprint/aliases | 6 + .../targets/filter_gpg_fingerprint/meta/main.yml | 9 + .../targets/filter_gpg_fingerprint/tasks/main.yml | 80 ++++++++ .../targets/filter_parse_serial/aliases | 5 + .../targets/filter_parse_serial/tasks/main.yml | 62 +++++++ .../integration/targets/filter_to_serial/aliases | 5 + .../targets/filter_to_serial/tasks/main.yml | 35 ++++ .../targets/get_certificate/tests/validate.yml | 6 +- .../targets/lookup_gpg_fingerprint/aliases | 6 + .../targets/lookup_gpg_fingerprint/meta/main.yml | 9 + .../targets/lookup_gpg_fingerprint/tasks/main.yml | 93 ++++++++++ .../tasks/tests/keyslot-create-destroy.yml | 206 +++++++++++++++++++++ .../luks_device/tasks/tests/keyslot-duplicate.yml | 40 ++++ .../luks_device/tasks/tests/keyslot-options.yml | 79 ++++++++ .../luks_device/tasks/tests/performance.yml | 6 + .../targets/luks_device/vars/Alpine.yml | 1 + .../targets/openssh_cert/tests/idempotency.yml | 2 +- .../openssh_keypair/tests/cryptography_backend.yml | 2 +- .../targets/openssh_keypair/tests/options.yml | 10 + .../targets/openssh_keypair/tests/regenerate.yml | 41 ++-- .../targets/openssl_pkcs12/tasks/main.yml | 14 +- .../targets/openssl_privatekey/tests/validate.yml | 2 +- .../targets/openssl_publickey/tests/validate.yml | 2 +- .../filter_plugins/ansible_compatibility.py | 20 ++ .../filter_plugins/jinja_compatibility.py | 11 +- .../integration/targets/setup_gnupg/meta/main.yml | 7 + .../integration/targets/setup_gnupg/tasks/main.yml | 30 +++ .../targets/setup_gnupg/vars/Alpine.yml | 8 + .../targets/setup_gnupg/vars/CentOS-6.yml | 7 + .../targets/setup_gnupg/vars/Darwin.yml | 7 + .../targets/setup_gnupg/vars/RedHat.yml | 7 + .../targets/setup_gnupg/vars/default.yml | 7 + .../targets/setup_python_info/vars/main.yml | 2 + .../x509_certificate/tests/validate_ownca.yml | 2 +- .../x509_certificate/tests/validate_selfsigned.yml | 4 +- 
.../integration/targets/x509_crl/tasks/impl.yml | 14 +- 37 files changed, 810 insertions(+), 39 deletions(-) create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases create mode 100644 ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases create mode 100644 ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml create mode 100644 
ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml create mode 100644 ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml (limited to 'ansible_collections/community/crypto/tests/integration') diff --git a/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml index ef40ec601..c4b138572 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml @@ -9,7 +9,7 @@ #################################################################### - block: - - name: Generate ECC256 accoun keys + - name: Generate ECC256 account keys openssl_privatekey: path: "{{ remote_tmp_dir }}/account-ec256.pem" type: ECC diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases new file mode 100644 index 000000000..326a499c3 --- /dev/null +++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/aliases 
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
+destructive
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml
new file mode 100644
index 000000000..398d0cf6c
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - prepare_jinja2_compat
+ - setup_remote_tmp_dir
+ - setup_gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml
new file mode 100644
index 000000000..071b490fd
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_gpg_fingerprint/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run tests if GPG is available
+ when: has_gnupg
+ block:
+ - name: Create GPG key
+ ansible.builtin.command:
+ cmd: gpg --homedir "{{ remote_tmp_dir }}" --batch --generate-key
+ stdin: |
+ %echo Generating a basic OpenPGP key
+ %no-ask-passphrase
+ %no-protection
+ Key-Type: RSA
+ Key-Length: 4096
+ Name-Real: Foo Bar
+ Name-Email: foo@bar.com
+ Expire-Date: 0
+ %commit
+ %echo done
+ register: result
+
+ - name: Extract fingerprint
+ ansible.builtin.shell: gpg --homedir "{{ remote_tmp_dir }}" --with-colons --fingerprint foo@bar.com | grep '^fpr:'
+ register: fingerprints
+
+ - name: Show fingerprints
+ ansible.builtin.debug:
+ msg: "{{ fingerprints.stdout_lines | map('split', ':') | list }}"
+
+ - name: Export public key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export --armor foo@bar.com
+ register: public_key
+
+ - name: Export private key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export-secret-key --armor foo@bar.com
+ register: private_key
+
+ - name: Gather fingerprints
+ ansible.builtin.set_fact:
+ public_key_fingerprint: "{{ public_key.stdout | community.crypto.gpg_fingerprint }}"
+ private_key_fingerprint: "{{ private_key.stdout | community.crypto.gpg_fingerprint }}"
+
+ - name: Check whether fingerprints match
+ ansible.builtin.assert:
+ that:
+ - public_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+ - private_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+
+ - name: Error scenario - wrong input type
+ ansible.builtin.set_fact:
+ failing_result: "{{ 42 | community.crypto.gpg_fingerprint }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'The input for the community.crypto.gpg_fingerprint filter must be a string; got ' in result.msg
+ - >-
+ 'int' in result.msg
+
+ - name: Error scenario - garbage input
+ ansible.builtin.set_fact:
+ failing_result: "{{ 'garbage' | community.crypto.gpg_fingerprint }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'Running ' in result.msg
+ - >-
+ ('/gpg --no-keyring --with-colons --import-options show-only --import /dev/stdin yielded return code ') in result.msg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases
new file mode 100644
index 000000000..12d1d6617
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml
new file mode 100644
index 000000000..67175ac07
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_parse_serial/tasks/main.yml
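Review bot: The `Export private key` task registers the armored secret key in `private_key` without `no_log`, and the batch script generates it with `%no-protection`, so the unprotected key material is echoed into task results and verbose CI output; it is a throwaway test key, so the risk is low, but `no_log: true` on that task keeps it out of logs at no cost to the assertions. The `register: result` on the `Create GPG key` task is never read before `result` is overwritten by the error scenarios and can be dropped. Generating a 4096-bit RSA key on every run is the slowest step in this file; the GnuPG batch directive `%transient-key`, or a smaller `Key-Length`, would speed the test up without changing what the fingerprint filter is tested against. The same three points apply to lookup_gpg_fingerprint/tasks/main.yml, which duplicates this setup.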
@@ -0,0 +1,62 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Test parse_serial filter
+ assert:
+ that:
+ - >-
+ '0' | community.crypto.parse_serial == 0
+ - >-
+ '00' | community.crypto.parse_serial == 0
+ - >-
+ '000' | community.crypto.parse_serial == 0
+ - >-
+ 'ff' | community.crypto.parse_serial == 255
+ - >-
+ '0ff' | community.crypto.parse_serial == 255
+ - >-
+ '1:0' | community.crypto.parse_serial == 256
+ - >-
+ '1:2:3' | community.crypto.parse_serial == 66051
+
+- name: "Test error 1: empty string"
+ debug:
+ msg: >-
+ {{ '' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_1
+
+- name: "Test error 2: invalid type"
+ debug:
+ msg: >-
+ {{ [] | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_2
+
+- name: "Test error 3: invalid values (range)"
+ debug:
+ msg: >-
+ {{ '100' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_3
+
+- name: "Test error 4: invalid values (digits)"
+ debug:
+ msg: >-
+ {{ 'abcdefg' | community.crypto.parse_serial }}
+ ignore_errors: true
+ register: error_4
+
+- name: Validate errors
+ assert:
+ that:
+ - >-
+ error_1 is failed and "The 1st part '' is not a hexadecimal number in range [0, 255]: invalid literal" in error_1.msg
+ - >-
+ error_2 is failed and "The input for the community.crypto.parse_serial filter must be a string; got " in error_2.msg
+ - >-
+ error_3 is failed and "The 1st part '100' is not a hexadecimal number in range [0, 255]: the value is not in range [0, 255]" in error_3.msg
+ - >-
+ error_4 is failed and "The 1st part 'abcdefg' is not a hexadecimal number in range [0, 255]: invalid literal" in error_4.msg
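Review bot: The module names here are written short (`assert:`, `debug:`) while the gpg-fingerprint targets added in the same commit use the fully qualified `ansible.builtin.assert` / `ansible.builtin.debug`; the new targets should agree on one form, and the FQCN form is what ansible-lint's `fqcn` rule expects. The same applies to filter_to_serial/tasks/main.yml. The error expectations in `Validate errors` pin a message tail (`invalid literal`) that appears to be the interpreter's own `int()` wording rather than the filter's, so a one-line comment above that task, e.g. `# the "invalid literal" tail is Python's int() message; adjust if the filter wraps it`, would tell the next maintainer why these strings may drift between Python versions.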
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases
new file mode 100644
index 000000000..12d1d6617
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/aliases
@@ -0,0 +1,5 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml
new file mode 100644
index 000000000..1b1f4385f
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/filter_to_serial/tasks/main.yml
@@ -0,0 +1,35 @@ +--- +# Copyright (c) Ansible Project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Test to_serial filter + assert: + that: + - 0 | community.crypto.to_serial == '00' + - 1 | community.crypto.to_serial == '01' + - 255 | community.crypto.to_serial == 'FF' + - 256 | community.crypto.to_serial == '01:00' + - 65536 | community.crypto.to_serial == '01:00:00' + +- name: "Test error 1: negative number" + debug: + msg: >- + {{ (-1) | community.crypto.to_serial }} + ignore_errors: true + register: error_1 + +- name: "Test error 2: invalid type" + debug: + msg: >- + {{ [] | community.crypto.to_serial }} + ignore_errors: true + register: error_2 + +- name: Validate error + assert: + that: + - >- + error_1 is failed and "The input for the community.crypto.to_serial filter must not be negative" in error_1.msg + - >- + error_2 is failed and "The input for the community.crypto.to_serial filter must be an integer; got " in error_2.msg diff --git a/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml index 810a66f85..29ca26873 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/get_certificate/tests/validate.yml @@ -71,7 +71,11 @@ - result is not changed - result is failed # We got the expected error message - - "'The handshake operation timed out' in result.msg or 'unknown protocol' in result.msg or 'wrong version number' in result.msg" + - >- + 'The handshake operation timed out' in result.msg + or 'unknown protocol' in result.msg + or 'wrong version number' in result.msg + or 'record layer failure' in result.msg - name: Test timeout option get_certificate: 
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases
new file mode 100644
index 000000000..326a499c3
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/aliases
@@ -0,0 +1,6 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/posix/2
+destructive
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml
new file mode 100644
index 000000000..398d0cf6c
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - prepare_jinja2_compat
+ - setup_remote_tmp_dir
+ - setup_gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml
new file mode 100644
index 000000000..860cbce97
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/lookup_gpg_fingerprint/tasks/main.yml
@@ -0,0 +1,93 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Run tests if GPG is available
+ when: has_gnupg
+ block:
+ - name: Create GPG key
+ ansible.builtin.command:
+ cmd: gpg --homedir "{{ remote_tmp_dir }}" --batch --generate-key
+ stdin: |
+ %echo Generating a basic OpenPGP key
+ %no-ask-passphrase
+ %no-protection
+ Key-Type: RSA
+ Key-Length: 4096
+ Name-Real: Foo Bar
+ Name-Email: foo@bar.com
+ Expire-Date: 0
+ %commit
+ %echo done
+ register: result
+
+ - name: Extract fingerprint
+ ansible.builtin.shell: gpg --homedir "{{ remote_tmp_dir }}" --with-colons --fingerprint foo@bar.com | grep '^fpr:'
+ register: fingerprints
+
+ - name: Show fingerprints
+ ansible.builtin.debug:
+ msg: "{{ fingerprints.stdout_lines | map('split', ':') | list }}"
+
+ - name: Export public key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export --armor foo@bar.com
+ register: public_key
+
+ - name: Export private key
+ ansible.builtin.command: gpg --homedir "{{ remote_tmp_dir }}" --export-secret-key --armor foo@bar.com
+ register: private_key
+
+ - name: Write public key to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/public-key"
+ content: "{{ public_key.stdout }}"
+
+ - name: Write private key to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/private-key"
+ content: "{{ private_key.stdout }}"
+
+ - name: Gather fingerprints
+ ansible.builtin.set_fact:
+ public_key_fingerprint: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/public-key') }}"
+ private_key_fingerprint: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/private-key') }}"
+
+ - name: Check whether fingerprints match
+ ansible.builtin.assert:
+ that:
+ - public_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+ - private_key_fingerprint == (fingerprints.stdout_lines[0] | split(':'))[9]
+
+ - name: Error scenario - file does not exist
+ ansible.builtin.set_fact:
+ failing_result: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/does-not-exist') }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ (remote_tmp_dir ~ '/does-not-exist does not exist') in result.msg
+
+ - name: Write garbage to disk
+ ansible.builtin.copy:
+ dest: "{{ remote_tmp_dir }}/garbage"
+ content: gargabe
+
+ - name: Error scenario - file contains garbage
+ ansible.builtin.set_fact:
+ failing_result: "{{ lookup('community.crypto.gpg_fingerprint', remote_tmp_dir ~ '/garbage') }}"
+ register: result
+ ignore_errors: true
+
+ - name: Check result
+ ansible.builtin.assert:
+ that:
+ - result is failed
+ - >-
+ 'Running ' in result.msg
+ - >-
+ ('/gpg --no-keyring --with-colons --import-options show-only --import ' ~ remote_tmp_dir ~ '/garbage yielded return code ') in result.msg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
new file mode 100644
index 000000000..51a3db362
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-create-destroy.yml
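Review bot: The `Write private key to disk` task copies the unprotected secret key (the batch script uses `%no-protection`) with the default file mode and no `no_log`, so the file is created with umask-derived permissions under `remote_tmp_dir` and its content shows up in `--diff` and verbose output; adding `mode: "0600"` and `no_log: true` to that task keeps a throwaway test key confined to where the lookup reads it. `content: gargabe` in `Write garbage to disk` looks like a typo for `garbage`; any non-key bytes satisfy the test, but spelling it as intended makes the fixture's purpose obvious. The fingerprint assertions index `fingerprints.stdout_lines[0]`, which is safe only because the `grep '^fpr:'` in `Extract fingerprint` fails the task when no line matches; a comment such as `# grep exits non-zero when no fpr line exists, so [0] below is safe` would make that dependency visible.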
@@ -0,0 +1,206 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create luks with keyslot 4 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: create_luks_slot4_check
+- name: Create luks with keyslot 4
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot4
+- name: Create luks with keyslot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot4_idem
+- name: Create luks with keyslot 4 (idempotent, check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 4
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: create_luks_slot4_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot4
+- assert:
+ that:
+ - create_luks_slot4_check is changed
+ - create_luks_slot4 is changed
+ - create_luks_slot4_idem is not changed
+ - create_luks_slot4_idem_check is not changed
+ - "'Key Slot 4: ENABLED' in luks_header_slot4.stdout or '4: luks2' in luks_header_slot4.stdout"
+
+- name: Add key in slot 2 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: add_luks_slot2_check
+- name: Add key in slot 2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot2
+- name: Add key in slot 2 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot2_idem
+- name: Add key in slot 2 (idempotent, check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 2
+ pbkdf:
+ iteration_time: 0.1
+ check_mode: true
+ become: true
+ register: add_luks_slot2_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot2
+- assert:
+ that:
+ - add_luks_slot2_check is changed
+ - add_luks_slot2 is changed
+ - add_luks_slot2_idem is not changed
+ - add_luks_slot2_idem_check is not changed
+ - "'Key Slot 2: ENABLED' in luks_header_slot2.stdout or '2: luks2' in luks_header_slot2.stdout"
+
+- name: Check remove slot 4 without key
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ remove_keyslot: 4
+ ignore_errors: true
+ become: true
+ register: kill_slot4_nokey
+- name: Check remove slot 4 with slot 4 key
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ remove_keyslot: 4
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ ignore_errors: true
+ become: true
+ register: kill_slot4_key_slot4
+- assert:
+ that:
+ - kill_slot4_nokey is failed
+ - kill_slot4_key_slot4 is failed
+
+- name: Remove key in slot 4 (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ check_mode: true
+ become: true
+ register: kill_luks_slot4_check
+- name: Remove key in slot 4
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ become: true
+ register: kill_luks_slot4
+- name: Remove key in slot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ become: true
+ register: kill_luks_slot4_idem
+- name: Remove key in slot 4 (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 4
+ check_mode: true
+ become: true
+ register: kill_luks_slot4_idem_check
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot4_removed
+- assert:
+ that:
+ - kill_luks_slot4_check is changed
+ - kill_luks_slot4 is changed
+ - kill_luks_slot4_idem is not changed
+ - kill_luks_slot4_idem_check is not changed
+ - "'Key Slot 4: DISABLED' in luks_header_slot4_removed.stdout or not '4: luks' in luks_header_slot4_removed.stdout"
+
+- name: Add key in slot 0
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyslot: 0
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: add_luks_slot0
+- name: Remove key in slot 0
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ remove_keyslot: 0
+ become: true
+ register: kill_luks_slot0
+- name: Dump luks header
+ command: "cryptsetup luksDump {{ cryptfile_device }}"
+ become: true
+ register: luks_header_slot0_removed
+- assert:
+ that:
+ - add_luks_slot0 is changed
+ - kill_luks_slot0 is changed
+ - "'Key Slot 0: DISABLED' in luks_header_slot0_removed.stdout or not '0: luks' in luks_header_slot0_removed.stdout"
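Review bot: The fourth removal task is named `Remove key in slot 4 (idempotent)` exactly like the third, but it sets `check_mode: true` and registers `kill_luks_slot4_idem_check`, so its name should be `- name: Remove key in slot 4 (idempotent, check)` to match the `(idempotent, check)` naming the create and add sequences in this file use; a duplicated task name makes the play output ambiguous when one of the two fails. The header checks are plain substring matches, e.g. `'4: luks2' in luks_header_slot4.stdout` and `not '4: luks' in luks_header_slot4_removed.stdout`, which would also match a line for slot 14 or 24; that cannot happen with the slots this file uses, but either a comment saying so or a line-anchored regex would prevent a silent false positive if more slots are added later. The bare `- assert:` tasks have no `name`, unlike every other task here; naming them (e.g. `- name: Verify slot 4 was created`) makes the failure output self-explanatory.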
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
new file mode 100644
index 000000000..cb9e559a1
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-duplicate.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create new luks
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+- name: Add new keyslot with same keyfile (check)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ new_keyslot: 1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ become: true
+ ignore_errors: true
+ check_mode: true
+ register: keyslot_duplicate_check
+- name: Add new keyslot with same keyfile
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ new_keyslot: 1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ become: true
+ ignore_errors: true
+ register: keyslot_duplicate
+- assert:
+ that:
+ - keyslot_duplicate_check is failed
+ - "'Trying to add key that is already present in another slot' in keyslot_duplicate_check.msg"
+ - keyslot_duplicate is failed
+ - "'Trying to add key that is already present in another slot' in keyslot_duplicate.msg"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml
new file mode 100644
index 000000000..8a1ca14b3
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/keyslot-options.yml 
@@ -0,0 +1,79 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Check invalid slot (luks1, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks1
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks1_slot8
+- name: Check invalid slot (luks2, 32)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks2
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 32
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks2_slot32
+- name: Check invalid slot (no luks type, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ ignore_errors: true
+ become: true
+ register: create_luks_slot8
+- assert:
+ that:
+ - create_luks1_slot8 is failed
+ - create_luks2_slot32 is failed
+ - create_luks_slot8 is failed
+
+- name: Check valid slot (luks2, 8)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ type: luks2
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ keyslot: 8
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ ignore_errors: true
+ register: create_luks2_slot8
+- name: Make sure that the previous task only fails if LUKS2 is not supported
+ assert:
+ that:
+ - "'Unknown option --type' in create_luks2_slot8.msg"
+ when: create_luks2_slot8 is failed
+- name: Check add valid slot (no luks type, 10)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ remote_tmp_dir }}/keyfile1"
+ new_keyfile: "{{ remote_tmp_dir }}/keyfile2"
+ new_keyslot: 10
+ pbkdf:
+ iteration_time: 0.1
+ become: true
+ register: create_luks_slot10
+ when: create_luks2_slot8 is changed
+- assert:
+ that:
+ - 
create_luks_slot10 is changed + when: create_luks2_slot8 is changed \ No newline at end of file diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml index 572625517..85f28ae4f 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/tasks/tests/performance.yml @@ -15,6 +15,7 @@ perf_no_read_workqueue: true perf_no_write_workqueue: true persistent: true + allow_discards: true pbkdf: iteration_time: 0.1 check_mode: true @@ -32,6 +33,7 @@ perf_no_read_workqueue: true perf_no_write_workqueue: true persistent: true + allow_discards: true become: true register: create_open - name: Create and open (idempotent) @@ -46,6 +48,7 @@ perf_no_read_workqueue: true perf_no_write_workqueue: true persistent: true + allow_discards: true become: true register: create_open_idem - name: Create and open (idempotent, check) @@ -60,6 +63,7 @@ perf_no_read_workqueue: true perf_no_write_workqueue: true persistent: true + allow_discards: true check_mode: true become: true register: create_open_idem_check @@ -80,6 +84,7 @@ - "'no-write-workqueue' in luks_header.stdout" - "'same-cpu-crypt' in luks_header.stdout" - "'submit-from-crypt-cpus' in luks_header.stdout" + - "'allow-discards' in luks_header.stdout" - name: Dump device mapper table command: "dmsetup table {{ create_open.name }}" @@ -91,6 +96,7 @@ - "'no_write_workqueue' in dm_table.stdout" - "'same_cpu_crypt' in dm_table.stdout" - "'submit_from_crypt_cpus' in dm_table.stdout" + - "'allow_discards' in dm_table.stdout" - name: Closed and Removed luks_device: 
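Review bot: The new keyslot-options.yml ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which will make the next edit to this file show a spurious change on its last line. The slot-10 path only asserts `create_luks_slot10 is changed`; unlike keyslot-create-destroy.yml it never dumps the header afterwards, so a `cryptsetup luksDump` task plus an assertion that slot 10 appears enabled would confirm the keyslot actually landed rather than just that the module reported a change. The failure branch of `Check valid slot (luks2, 8)` accepts only `'Unknown option --type'`, presumably the message from cryptsetup builds without LUKS2 support; a comment naming that assumption, e.g. `# only accept the failure that means this cryptsetup has no LUKS2 support`, would let the condition be retired once such builds are no longer tested.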
diff --git a/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml b/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml index c0d230abf..e7e1f184a 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/luks_device/vars/Alpine.yml @@ -7,4 +7,5 @@ cryptsetup_package: cryptsetup luks_extra_packages: - device-mapper + - lsblk - wipefs diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml index c83596997..b1dd4a650 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_cert/tests/idempotency.yml @@ -31,7 +31,7 @@ valid_to: forever check_mode: true changed: true - - test_name: Generate cert - force option (idemopotent, check mode) + - test_name: Generate cert - force option (idempotent, check mode) force: true type: user valid_from: always diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml index b72c0be68..cf09dc20f 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/cryptography_backend.yml 
@@ -75,7 +75,7 @@
 state: absent
 
 - name: Generate PEM encoded key with passphrase
- command: 'ssh-keygen -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
+ command: 'ssh-keygen -t rsa -b 1280 -f {{ remote_tmp_dir }}/pem_encoded -N {{ passphrase }} -m PEM'
 
 - name: Try to verify a PEM encoded key
 openssh_keypair:
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
index fdabd7614..0d324939c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/options.yml
@@ -100,8 +100,10 @@
 comment: "test_modified@comment"
 backend: "{{ backend }}"
 register: modified_comment_output
+ ignore_errors: true
 
 - name: "({{ backend }}) Assert comment preserved public key - comment"
+ when: modified_comment_output is succeeded
 assert:
 that:
 - comment_output.public_key == modified_comment_output.public_key
@@ -111,9 +113,17 @@
 assert:
 that:
 - modified_comment_output.comment == 'test_modified@comment'
+ - modified_comment_output is succeeded
 # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
 when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
 
+- name: "({{ backend }}) Assert comment not changed - comment"
+ assert:
+ that:
+ - modified_comment_output is failed
+ # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+ when: backend == 'opensshbin' and openssh_version is version('7.2', '<')
+
 - name: "({{ backend }}) Remove key - comment"
 openssh_keypair:
 path: "{{ remote_tmp_dir }}/comment"
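Review bot: The rewritten `command:` line still passes `-N {{ passphrase }}` and `-f {{ remote_tmp_dir }}/pem_encoded` unquoted, so the `command` module's whitespace splitting would break the invocation if the fixture passphrase or temp path ever contained a space or shell-special character. Switching the YAML string to double quotes lets the expansions be single-quoted for the argument parser: `command: "ssh-keygen -t rsa -b 1280 -f '{{ remote_tmp_dir }}/pem_encoded' -N '{{ passphrase }}' -m PEM"`. Adding `-t rsa` explicitly is the right fix for newer ssh-keygen defaults; this is only about robustness of the same line.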
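Review bot: `ignore_errors: true` on the modify-comment task in the first options.yml hunk tolerates every failure of that task, not only the expected one on `opensshbin` with OpenSSH < 7.2, so an unrelated error (missing binary, unreadable key) surfaces only later as a generic assert failure on `modified_comment_output is succeeded` rather than with the task's own error output. Making the tolerance conditional keeps unexpected failures fatal at the point they occur: `ignore_errors: "{{ backend == 'opensshbin' and openssh_version is version('7.2', '<') }}"`. The `is failed` assert added in the second hunk stays correct with that change, since it only runs under the same condition.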
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
index d10096044..f9e2f43b3 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssh_keypair/tests/regenerate.yml
@@ -329,22 +329,25 @@
 that:
 - result is changed
 
-- name: "({{ backend }}) Regenerate - adjust comment"
- openssh_keypair:
- path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
- type: dsa
- size: 1024
- comment: test comment
- regenerate: '{{ item }}'
- backend: "{{ backend }}"
- loop: "{{ regenerate_values }}"
- register: result
-- assert:
- that:
- - result is changed
- # for all values but 'always', the key should not be regenerated.
- # verify this by comparing fingerprints:
- - result.results[0].fingerprint == result.results[1].fingerprint
- - result.results[0].fingerprint == result.results[2].fingerprint
- - result.results[0].fingerprint == result.results[3].fingerprint
- - result.results[0].fingerprint != result.results[4].fingerprint
+# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+- when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
+ block:
+ - name: "({{ backend }}) Regenerate - adjust comment"
+ openssh_keypair:
+ path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
+ type: dsa
+ size: 1024
+ comment: test comment
+ regenerate: '{{ item }}'
+ backend: "{{ backend }}"
+ loop: "{{ regenerate_values }}"
+ register: result
+ - assert:
+ that:
+ - result is changed
+ # for all values but 'always', the key should not be regenerated.
+ # verify this by comparing fingerprints:
+ - result.results[0].fingerprint == result.results[1].fingerprint
+ - result.results[0].fingerprint == result.results[2].fingerprint
+ - result.results[0].fingerprint == result.results[3].fingerprint
+ - result.results[0].fingerprint != result.results[4].fingerprint
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml
index 7116c8674..cad051c6c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml
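Review bot: The block placed under the new `when:` still generates `type: dsa` keys, and DSA is deprecated in OpenSSH with newer releases disabling it at build time by default, so on such hosts the `opensshbin` backend will fail inside the block instead of being skipped by the guard. If DSA is not essential to the regenerate-comment scenario, `type: ed25519` (no `size:`) removes the dependency; otherwise the guard needs a second clause for DSA-less builds and the comment above the block, which only explains the 7.2 lower bound, should say so. The `regenerate: '{{ item }}'` loop and fingerprint assertions are unchanged by the move and still read correctly.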
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_pkcs12/tasks/main.yml @@ -69,7 +69,10 @@ vars: select_crypto_backend: pyopenssl - when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') + when: >- + (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') + and + (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<') - block: - name: Running tests with cryptography backend @@ -79,4 +82,11 @@ when: cryptography_version.stdout is version('3.0', '>=') - when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') or cryptography_version.stdout is version('3.0', '>=') + when: >- + ( + (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') + and + (pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<') + ) + or + cryptography_version.stdout is version('3.0', '>=') diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml index 8f134dddf..4d92c2546 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_privatekey/tests/validate.yml 
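Review bot: The upper bound `'23.3.0'` on pyOpenSSL is repeated verbatim in both rewritten `when:` expressions with no comment on what changed in that release; my understanding is that pyOpenSSL dropped its PKCS#12 API there, but the bound should be explained in place, e.g. `# pyOpenSSL 23.3.0 removed its PKCS#12 API, so the pyopenssl backend is only tested below that version` above the first block (please confirm against the backend code). Hoisting the combined condition into a play-level `vars:` entry such as `pyopenssl_pkcs12_usable` and referencing it from both `when:` lines would keep the two expressions from drifting apart when the bound changes. The `>-` folded scalars render each expression onto a single line, which is what Ansible's conditional evaluation expects.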
@@ -74,7 +74,7 @@
 shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
 register: privatekey5
 # Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
- # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
+ # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned successfully.
 when: openssl_version.stdout is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate privatekey5 (assert - Passphrase protected key + idempotence)"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml b/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
index 8a1ab86e3..8c8a7292c 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/openssl_publickey/tests/validate.yml
@@ -43,7 +43,7 @@
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (assert)"
 assert:
 that:
- - privatekey_publickey.stdout == '{{ publickey.content|b64decode }}'
+ - privatekey_publickey.stdout == publickey.content | b64decode
 when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format - test idempotence (issue 33256)"
diff --git a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py
new file mode 100644
index 000000000..c14af4ccb
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/ansible_compatibility.py
@@ -0,0 +1,20 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+
+# Added in ansible-core 2.11
+def compatibility_split_filter(text, by_what):
+ return text.split(by_what)
+
+
+class FilterModule:
+ ''' Jinja2 compat filters '''
+
+ def filters(self):
+ return {
+ 'split': compatibility_split_filter,
+ }
diff --git a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
index 87ce01dce..98180a177 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
+++ b/ansible_collections/community/crypto/tests/integration/targets/prepare_jinja2_compat/filter_plugins/jinja_compatibility.py
@@ -1,6 +1,11 @@
-# Copyright (c) Ansible Project
-# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
-# SPDX-License-Identifier: GPL-3.0-or-later
+# This code is part of Ansible, but is an independent component.
+# This particular file snippet, and this file snippet only, is licensed under the
+# BSD-3-Clause License. Modules you write using this snippet, which is embedded
+# dynamically by Ansible, still belong to the author of the module, and may assign
+# their own license to the complete work.
+
+# The BSD License license has been included as LICENSES/BSD-3-Clause.txt in this collection.
+# SPDX-License-Identifier: BSD-3-Clause
 
 # Copyright 2007 Pallets
 #
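Review bot: Neither `compatibility_split_filter` nor `FilterModule` in the new file documents that the plugin exists to backfill the `split` filter on ansible-core releases older than 2.11, nor that it shadows the core filter of the same name on newer cores wherever this test target's `filter_plugins` directory is loaded; the bare `# Added in ansible-core 2.11` line leaves both points to the reader. A module docstring after the `__metaclass__` line such as `"""Backfill of the 'split' Jinja2 filter for ansible-core < 2.11; on newer cores it shadows the builtin with an equivalent implementation."""` would make the intent explicit. The core filter wraps `str.split`, so if it matters that the shim accept the same arguments, `def compatibility_split_filter(text, by_what=None, maxsplit=-1): return text.split(by_what, maxsplit)` keeps it signature-compatible while remaining backward-compatible with the current two-argument callers.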
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml
new file mode 100644
index 000000000..2fcd152f9
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/meta/main.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+ - setup_pkg_mgr
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml
new file mode 100644
index 000000000..9e02356fc
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Print distribution specific data
+ ansible.builtin.debug:
+ msg: |
+ Distribution: {{ ansible_facts.distribution }}
+ Distribution version: {{ ansible_facts.distribution_version }}
+ Distribution major version: {{ ansible_facts.distribution_major_version }}
+ OS family: {{ ansible_facts.os_family }}
+
+- name: Include distribution specific variables
+ ansible.builtin.include_vars: '{{ lookup("ansible.builtin.first_found", params) }}'
+ vars:
+ params:
+ files:
+ - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml'
+ - '{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_major_version }}.yml'
+ - '{{ ansible_facts.distribution }}.yml'
+ - '{{ ansible_facts.os_family }}.yml'
+ - default.yml
+ paths:
+ - '{{ role_path }}/vars'
+
+- name: Install GnuPG
+ ansible.builtin.package:
+ name: '{{ gnupg_package_name }}'
+ when: has_gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml
new file mode 100644
index 000000000..99bd64412
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Alpine.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Alpine 3.12 should have GnuPG, but for some reason installing it fails...
+has_gnupg: "{{ ansible_facts.distribution_version is version('3.13', '>=') }}"
+gnupg_package_name: gpg
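Review bot: `when: has_gnupg` on the "Install GnuPG" task assumes the variable is a real boolean, but the `vars/Alpine.yml` hunk that follows sets it to the Jinja string `"{{ ansible_facts.distribution_version is version('3.13', '>=') }}"`; Ansible appears to re-evaluate the rendered text so this works today, yet `when: has_gnupg | bool` states the intent and behaves the same whether the value arrives as a boolean or as rendered text. The package task also omits `state:`; adding `state: present` makes the expected outcome explicit for readers of the role. The `first_found` lookup list ends in `default.yml`, so every platform resolves to some vars file and the undefined-variable case cannot arise from the lookup itself.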
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml
new file mode 100644
index 000000000..fd09e9142
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/CentOS-6.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: false
+# The GnuPG version included with CentOS 6 is too old, it doesn't understand --generate-key
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml
new file mode 100644
index 000000000..a7d999db8
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/Darwin.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# TODO Homebrew currently isn't happy when running as root, so assume we don't have GnuPG
+has_gnupg: false
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml
new file mode 100644
index 000000000..3e82c4f98
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/RedHat.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: true
+gnupg_package_name: gnupg2
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml
new file mode 100644
index 000000000..6059ed80e
--- /dev/null
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_gnupg/vars/default.yml
@@ -0,0 +1,7 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+has_gnupg: true
+gnupg_package_name: gnupg
diff --git a/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml b/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
index ec2170aed..8bbf9f670 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/setup_python_info/vars/main.yml
@@ -72,6 +72,8 @@ system_python_version_data:
 Debian:
 '11':
 - '3.9'
+ '12':
+ - '3.11'
 Alpine:
 '3.16':
 - '3.10'
diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
index b1569a94c..ac25b6295 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
@@ -15,7 +15,7 @@
 shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
 register: ownca_cert_issuer
 
-- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
+- name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate version == default == 3)
 shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: ownca_cert_version
 
diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
index dfb1d8713..c76310437 100644
--- a/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
+++ b/ansible_collections/community/crypto/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
@@ -18,7 +18,7 @@
 shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem'
 register: cert_modulus
 
-- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certficate version == default == 3)
+- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate version == default == 3)
 shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert_version
 
@@ -55,7 +55,7 @@ register: cert_issuer -- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3) +- name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate version == default == 3) shell: '{{ openssl_binary }} x509 -noout -in {{ remote_tmp_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"' register: cert_version diff --git a/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml b/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml index 11fa7dcca..29f2c473d 100644 --- a/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml +++ b/ansible_collections/community/crypto/tests/integration/targets/x509_crl/tasks/impl.yml @@ -119,7 +119,7 @@ - cert-2.pem register: slurp -- name: Create CRL 1 (idempotent with content, check mode) +- name: Create CRL 1 (idempotent with content and octet string serial, check mode) x509_crl: path: '{{ remote_tmp_dir }}/ca-crl1.crl' privatekey_content: "{{ slurp.results[0].content | b64decode }}" @@ -127,6 +127,7 @@ CN: Ansible last_update: 20191013000000Z next_update: 20191113000000Z + serial_numbers: hex-octets revoked_certificates: - content: "{{ slurp.results[1].content | b64decode }}" revocation_date: 20191013000000Z @@ -135,12 +136,12 @@ reason: key_compromise reason_critical: true invalidity_date: 20191012000000Z - - serial_number: 1234 + - serial_number: 04:D2 revocation_date: 20191001000000Z check_mode: true register: crl_1_idem_content_check -- name: Create CRL 1 (idempotent with content) +- name: Create CRL 1 (idempotent with content and octet string serial) x509_crl: path: '{{ remote_tmp_dir }}/ca-crl1.crl' privatekey_content: "{{ slurp.results[0].content | b64decode }}" 
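Review bot: `serial_number: 04:D2` in the `@@ -135` hunk of x509_crl/tasks/impl.yml (and again in `@@ -156` on the next line) is an unquoted plain scalar containing a colon; it parses as a string only because of the letter `D`, whereas an all-digit octet string such as `12:34` is read as a base-60 integer by YAML 1.1 loaders, and the `@@ -220`/`@@ -242` hunks already quote `"1234"` for the same option. Quoting it, `- serial_number: "04:D2"`, makes the hex-octets form robust and consistent with the later hunks. The new `serial_numbers: hex-octets` toggle is exercised in both check and real mode, which is what the idempotency claim in the renamed task names needs.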
@@ -148,6 +149,7 @@
 CN: Ansible
 last_update: 20191013000000Z
 next_update: 20191113000000Z
+ serial_numbers: hex-octets
 revoked_certificates:
 - content: "{{ slurp.results[1].content | b64decode }}"
 revocation_date: 20191013000000Z
@@ -156,7 +158,7 @@
 reason: key_compromise
 reason_critical: true
 invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: 04:D2
 revocation_date: 20191001000000Z
 register: crl_1_idem_content
 
@@ -220,7 +222,7 @@
 reason: key_compromise
 reason_critical: true
 invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: "1234"
 revocation_date: 20191001000000Z
 check_mode: true
 register: crl_1_format_idem_check
@@ -242,7 +244,7 @@
 reason: key_compromise
 reason_critical: true
 invalidity_date: 20191012000000Z
- - serial_number: 1234
+ - serial_number: "1234"
 revocation_date: 20191001000000Z
 return_content: true
 register: crl_1_format_idem
-- cgit v1.2.3