add acme_inspect module (#48444)

test/integration/targets/acme_inspect/aliases

@@ -0,0 +1,2 @@
+shippable/cloud/group1
+cloud/acme

test/integration/targets/acme_inspect/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - setup_acme

test/integration/targets/acme_inspect/tasks/impl.yml

@@ -0,0 +1,150 @@
+---
+- name: Generate account key
+  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+
+- name: Parse account key (to ease debugging some test failures)
+  command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+
+- name: Get directory
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    method: directory-only
+  register: directory
+- debug: var=directory
+
+- name: Create an account
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    url: "{{ directory.directory.newAccount}}"
+    method: post
+    content: '{"termsOfServiceAgreed":true}'
+  register: account_creation
+  # account_creation.headers.location contains the account URI
+  # if creation was successful
+- debug: var=account_creation
+
+- name: Get account information
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ account_creation.headers.location }}"
+    method: get
+  register: account_get
+- debug: var=account_get
+
+- name: Update account contacts
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ account_creation.headers.location }}"
+    method: post
+    content: '{{ account_info | to_json }}'
+  vars:
+    account_info:
+      # For valid values, see
+      # https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.3
+      contact:
+      - mailto:me@example.com
+  register: account_update
+- debug: var=account_update
+
+- name: Create certificate order
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ directory.directory.newOrder }}"
+    method: post
+    content: '{{ create_order | to_json }}'
+  vars:
+    create_order:
+      # For valid values, see
+      # https://tools.ietf.org/html/draft-ietf-acme-acme-16#section-7.4
+      identifiers:
+      - type: dns
+        value: example.com
+      - type: dns
+        value: example.org
+  register: new_order
+- debug: var=new_order
+
+- name: Get order information
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ new_order.headers.location }}"
+    method: get
+  register: order
+- debug: var=order
+
+- name: Get authzs for order
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ item }}"
+    method: get
+  loop: "{{ order.output_json.authorizations }}"
+  register: authz
+- debug: var=authz
+
+- name: Get HTTP-01 challenge for authz
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ (item.challenges | selectattr('type', 'equalto', 'http-01') | list)[0].url }}"
+    method: get
+  register: http01challenge
+  loop: "{{ authz.results | map(attribute='output_json') | list }}"
+- debug: var=http01challenge
+
+- name: Activate HTTP-01 challenge manually
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ item.url }}"
+    method: post
+    content: '{}'
+  register: activation
+  loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
+- debug: var=activation
+
+- name: Get HTTP-01 challenge results
+  acme_inspect:
+    acme_directory: https://{{ acme_host }}:14000/dir
+    acme_version: 2
+    validate_certs: no
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_uri: "{{ account_creation.headers.location }}"
+    url: "{{ item.url }}"
+    method: get
+  register: validation_result
+  loop: "{{ http01challenge.results | map(attribute='output_json') | list }}"
+  until: "validation_result.output_json.status != 'pending'"
+  retries: 20
+  delay: 1
+- debug: var=validation_result

test/integration/targets/acme_inspect/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- block:
+  - name: Running tests with OpenSSL backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: openssl
+
+  - import_tasks: ../tests/validate.yml
+
+  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
+  when: openssl_version.stdout is version('1.0.0', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ output_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ output_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.5', '>=')

test/integration/targets/acme_inspect/tests/validate.yml

@@ -0,0 +1,131 @@
+---
+- name: Check directory output
+  assert:
+    that:
+    - directory is not changed
+    - "'directory' in directory"
+    - "'newAccount' in directory.directory"
+    - "'newOrder' in directory.directory"
+    - "'newNonce' in directory.directory"
+    - "'headers' not in directory"
+    - "'output_text' not in directory"
+    - "'output_json' not in directory"
+
+- name: Check account creation output
+  assert:
+    that:
+    - account_creation is changed
+    - "'directory' in account_creation"
+    - "'headers' in account_creation"
+    - "'output_text' in account_creation"
+    - "'output_json' in account_creation"
+    - account_creation.headers.status == 201
+    - "'location' in account_creation.headers"
+    - account_creation.output_json.status == 'valid'
+    - not account_creation.output_json.contact
+    - account_creation.output_text | from_json == account_creation.output_json
+
+- name: Check account get output
+  assert:
+    that:
+    - account_get is not changed
+    - "'directory' in account_get"
+    - "'headers' in account_get"
+    - "'output_text' in account_get"
+    - "'output_json' in account_get"
+    - account_get.headers.status == 200
+    - account_get.output_json == account_creation.output_json
+
+- name: Check account update output
+  assert:
+    that:
+    - account_update is changed
+    - "'directory' in account_update"
+    - "'headers' in account_update"
+    - "'output_text' in account_update"
+    - "'output_json' in account_update"
+    - account_update.output_json.status == 'valid'
+    - account_update.output_json.contact | length == 1
+    - account_update.output_json.contact[0] == 'mailto:me@example.com'
+
+- name: Check certificate request output
+  assert:
+    that:
+    - new_order is changed
+    - "'directory' in new_order"
+    - "'headers' in new_order"
+    - "'output_text' in new_order"
+    - "'output_json' in new_order"
+    - new_order.output_json.authorizations | length == 2
+    - new_order.output_json.identifiers | length == 2
+    - new_order.output_json.status == 'pending'
+    - "'finalize' in new_order.output_json"
+
+- name: Check get order output
+  assert:
+    that:
+    - order is not changed
+    - "'directory' in order"
+    - "'headers' in order"
+    - "'output_text' in order"
+    - "'output_json' in order"
+    # The order of identifiers and authorizations is randomized!
+    # - new_order.output_json == order.output_json
+
+- name: Check get authz output
+  assert:
+    that:
+    - item is not changed
+    - "'directory' in item"
+    - "'headers' in item"
+    - "'output_text' in item"
+    - "'output_json' in item"
+    - item.output_json.challenges | length >= 3
+    - item.output_json.identifier.type == 'dns'
+    - item.output_json.status == 'pending'
+  loop: "{{ authz.results }}"
+
+- name: Check get challenge output
+  assert:
+    that:
+    - item is not changed
+    - "'directory' in item"
+    - "'headers' in item"
+    - "'output_text' in item"
+    - "'output_json' in item"
+    - item.output_json.status == 'pending'
+    - item.output_json.type == 'http-01'
+    - item.output_json.url == item.invocation.module_args.url
+    - "'token' in item.output_json"
+  loop: "{{ http01challenge.results }}"
+
+- name: Check challenge activation output
+  assert:
+    that:
+    - item is changed
+    - "'directory' in item"
+    - "'headers' in item"
+    - "'output_text' in item"
+    - "'output_json' in item"
+    - item.output_json.status == 'pending'
+    - item.output_json.type == 'http-01'
+    - item.output_json.url == item.invocation.module_args.url
+    - "'token' in item.output_json"
+  loop: "{{ activation.results }}"
+
+- name: Check validation result
+  assert:
+    that:
+    - item is not changed
+    - "'directory' in item"
+    - "'headers' in item"
+    - "'output_text' in item"
+    - "'output_json' in item"
+    - item.output_json.status == 'invalid'
+    - item.output_json.type == 'http-01'
+    - item.output_json.url == item.invocation.module_args.url
+    - "'token' in item.output_json"
+    - "'validated' in item.output_json"
+    - "'error' in item.output_json"
+    - item.output_json.error.type == 'urn:ietf:params:acme:error:unauthorized'
+  loop: "{{ validation_result.results }}"