openssh_cert: add serial_number param (#54653)

* [openssh_cert] cleanup the returned certificate info - Drop the certificate path - it is already present in rc.filename. - Drop the leading whitespace for all lines. Signed-off-by: Jakob Ackermann <das7pad@outlook.com> * [openssh_cert] add support for a certificate serial number Signed-off-by: Jakob Ackermann <das7pad@outlook.com> * [openssh_cert] fix lint error Signed-off-by: Jakob Ackermann <das7pad@outlook.com> * [openssh_cert] drop explicit default value Signed-off-by: Jakob Ackermann <das7pad@outlook.com> * [openssh_cert] enforce the specified or missing serial number Signed-off-by: Jakob Ackermann <das7pad@outlook.com> * [openssh_cert] passing no explicit serial number ignores any present one Signed-off-by: Jakob Ackermann <das7pad@outlook.com>
2025-10-03 23:14:02 -07:00 · 2019-04-01 13:18:33 +02:00 · 2019-04-01 13:18:33 +02:00 · 21c8650180
commit 21c8650180
parent fa47bed71c
2 changed files with 138 additions and 5 deletions
--- a/test/integration/targets/openssh_cert/tasks/main.yml
+++ b/test/integration/targets/openssh_cert/tasks/main.yml
@ -239,6 +239,117 @@
          - "clear"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
+  - name: Generate cert without serial
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_no_serial'
+      valid_from: always
+      valid_to: forever
+    register: rc_no_serial_number
+  - name: check default serial
+    assert:
+      that:
+        - "'Serial: 0' in rc_no_serial_number.info"
+      msg: OpenSSH user certificate contains the default serial number.
+  - name: Generate cert without serial (idempotent)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_no_serial'
+      valid_from: always
+      valid_to: forever
+    register: rc_no_serial_number_idempotent
+  - name: check idempotent
+    assert:
+      that:
+        - rc_no_serial_number_idempotent is not changed
+      msg: OpenSSH certificate generation without serial number is idempotent.
+  - name: Generate cert with serial 42
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_42'
+      valid_from: always
+      valid_to: forever
+      serial_number: 42
+    register: rc_serial_number
+  - name: check serial 42
+    assert:
+      that:
+        - "'Serial: 42' in rc_serial_number.info"
+      msg: OpenSSH user certificate contains the serial number from the params.
+  - name: Generate cert with serial 42 (idempotent)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_42'
+      valid_from: always
+      valid_to: forever
+      serial_number: 42
+    register: rc_serial_number_idempotent
+  - name: check idempotent
+    assert:
+      that:
+        - rc_serial_number_idempotent is not changed
+      msg: OpenSSH certificate generation with serial number is idempotent.
+  - name: Generate cert with changed serial number
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_42'
+      valid_from: always
+      valid_to: forever
+      serial_number: 1337
+    register: rc_serial_number_changed
+  - name: check changed
+    assert:
+      that:
+        - rc_serial_number_changed is changed
+      msg: OpenSSH certificate regenerated upon serial number change.
+  - name: Generate cert with removed serial number
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_42'
+      valid_from: always
+      valid_to: forever
+      serial_number: 0
+    register: rc_serial_number_removed
+  - name: check changed
+    assert:
+      that:
+        - rc_serial_number_removed is changed
+      msg: OpenSSH certificate regenerated upon serial number removal.
+  - name: Generate a new cert with serial number
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_ignore'
+      valid_from: always
+      valid_to: forever
+      serial_number: 42
+  - name: Generate cert again, omitting the parameter serial_number (idempotent)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert_serial_ignore'
+      valid_from: always
+      valid_to: forever
+    register: rc_serial_number_ignored
+  - name: check idempotent
+    assert:
+      that:
+        - rc_serial_number_ignored is not changed
+      msg: OpenSSH certificate generation with omitted serial number is idempotent.
  - name: Remove certificate (check mode)
    openssh_cert:
      state: absent