Improve CI (#3348)

* Remove superfluous test. * Use remote_temp_dir instead of output_dir on remote. * Read certificate from correct place. * Adjust more places. * Fix boolean. * Improve cryptography setup. * Fix java_keystore changes. * Need to copy binary from remote. * Use correct Python for serve script. * Sleep before downloading. * Use correct Python interpreter. * Avoid failing shebang test. * Fix permission error with macOS 11.1. * Avoid shebang trouble.
2025-07-22 12:50:22 -07:00 · 2021-09-09 07:31:44 +02:00 · 2021-09-09 07:31:44 +02:00 · 7c43cc3faa
commit 7c43cc3faa
parent 6b207bce4c
68 changed files with 440 additions and 394 deletions
--- a/tests/integration/targets/java_keystore/meta/main.yml
+++ b/tests/integration/targets/java_keystore/meta/main.yml
@ -1,3 +1,4 @@
 dependencies:
  - setup_java_keytool
  - setup_openssl
+  - setup_remote_tmp_dir
--- a/tests/integration/targets/java_keystore/tasks/prepare.yml
+++ b/tests/integration/targets/java_keystore/tasks/prepare.yml
@ -1,12 +1,12 @@
 ---
 - name: Create test directory
  ansible.builtin.file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
    state: directory

 - name: Create private keys
  community.crypto.openssl_privatekey:
-    path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
    size: 2048  # this should work everywhere
    # The following is more efficient, but might not work everywhere:
    # type: ECC
@ -17,17 +17,17 @@

 - name: Create CSRs
  community.crypto.openssl_csr:
-    path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
-    privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.csr' }}"
+    privatekey_path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
    privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
    commonName: "{{ item.commonName }}"
  loop: "{{ java_keystore_certs + java_keystore_new_certs }}"

 - name: Create certificates
  community.crypto.x509_certificate:
-    path: "{{ output_dir ~ '/' ~ item.name ~ '.pem' }}"
-    csr_path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
-    privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
+    csr_path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.csr' }}"
+    privatekey_path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
    privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
    provider: selfsigned
  loop: "{{ java_keystore_certs + java_keystore_new_certs }}"
--- a/tests/integration/targets/java_keystore/tasks/tests.yml
+++ b/tests/integration/targets/java_keystore/tasks/tests.yml
@ -1,199 +1,273 @@
 ---
 - name: Create test directory
  ansible.builtin.file:
-    path: "{{ output_dir }}"
+    path: "{{ remote_tmp_dir }}"
    state: directory

 - name: Ensure the Java keystore does not exist (cleanup between tests)
  ansible.builtin.file:
-    path: "{{ output_dir ~ '/' ~ item.name ~ '.jks' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.jks' }}"
    state: absent
  loop: "{{ java_keystore_certs }}"
  loop_control:
-    label: "{{ output_dir ~ '/' ~ item.name ~ '.jks' }}"
+    label: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.jks' }}"


+- name: Read certificates
+  slurp:
+    src: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
+  loop: "{{ java_keystore_certs }}"
+  when: not remote_cert
+  register: certificates
+
+- name: Read certificate keys
+  slurp:
+    src: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
+  loop: "{{ java_keystore_certs }}"
+  when: not remote_cert
+  register: certificate_keys
+
 - name: Create a Java keystore for the given ({{ 'remote' if remote_cert else 'local' }}) certificates (check mode)
  community.general.java_keystore: &java_keystore_params
    name: example
-    dest: "{{ output_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
-    certificate: "{{ omit if remote_cert else lookup('file', output_dir ~ '/' ~ item.name ~ '.pem') }}"
-    private_key: "{{ omit if remote_cert else lookup('file', output_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key') }}"
-    certificate_path: "{{ omit if not remote_cert else output_dir ~ '/' ~ item.name ~ '.pem' }}"
-    private_key_path: "{{ omit if not remote_cert else output_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
+    dest: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
+    certificate: "{{ omit if remote_cert else (certificates.results[loop_index].content | b64decode) }}"
+    private_key: "{{ omit if remote_cert else (certificate_keys.results[loop_index].content | b64decode) }}"
+    certificate_path: "{{ omit if not remote_cert else remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
+    private_key_path: "{{ omit if not remote_cert else remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
    private_key_passphrase: "{{ item.passphrase | d(omit) }}"
    password: changeit
    ssl_backend: "{{ ssl_backend }}"
    keystore_type: "{{ item.keystore_type | d(omit) }}"
  loop: "{{ java_keystore_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_check

 - name: Create a Java keystore for the given certificates
  community.general.java_keystore: *java_keystore_params
  loop: "{{ java_keystore_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result


 - name: Create a Java keystore for the given certificates (idempotency, check mode)
  community.general.java_keystore: *java_keystore_params
  loop: "{{ java_keystore_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_idem_check

 - name: Create a Java keystore for the given certificates (idempotency)
  community.general.java_keystore: *java_keystore_params
  loop: "{{ java_keystore_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_idem


- name: Create a Java keystore for the given certificates (certificate changed, check mode)
-  community.general.java_keystore: *java_keystore_params
+- name: Read certificates (new)
+  slurp:
+    src: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
  loop: "{{ java_keystore_new_certs }}"
+  when: not remote_cert
+  register: certificates_new
+
+- name: Read certificate keys (new)
+  slurp:
+    src: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
+  loop: "{{ java_keystore_new_certs }}"
+  when: not remote_cert
+  register: certificate_keys_new
+
+- name: Create a Java keystore for the given certificates (certificate changed, check mode)
+  community.general.java_keystore: &java_keystore_params_new_certs
+    name: example
+    dest: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
+    certificate: "{{ omit if remote_cert else (certificates_new.results[loop_index].content | b64decode) }}"
+    private_key: "{{ omit if remote_cert else (certificate_keys_new.results[loop_index].content | b64decode) }}"
+    certificate_path: "{{ omit if not remote_cert else remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
+    private_key_path: "{{ omit if not remote_cert else remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.key' }}"
+    private_key_passphrase: "{{ item.passphrase | d(omit) }}"
+    password: changeit
+    ssl_backend: "{{ ssl_backend }}"
+    keystore_type: "{{ item.keystore_type | d(omit) }}"
+  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_change_check

 - name: Create a Java keystore for the given certificates (certificate changed)
-  community.general.java_keystore: *java_keystore_params
+  community.general.java_keystore: *java_keystore_params_new_certs
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_change


 - name: Create a Java keystore for the given certificates (alias changed, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_alias_change_check

 - name: Create a Java keystore for the given certificates (alias changed)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_alias_change


 - name: Create a Java keystore for the given certificates (password changed, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_pw_change_check

 - name: Create a Java keystore for the given certificates (password changed)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_pw_change


 - name: Create a Java keystore for the given certificates (force keystore type pkcs12, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
    keystore_type: pkcs12
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_type_pkcs12_check

 - name: Create a Java keystore for the given certificates (force keystore type jks, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
    keystore_type: jks
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_type_jks_check

 - name: Create a Java keystore for the given certificates (force keystore type jks)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
    keystore_type: jks
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_type_jks


 - name: Stat keystore (before failure)
  ansible.builtin.stat:
-    path: "{{ output_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
  loop: "{{ java_keystore_new_certs }}"
  register: result_stat_before

 - name: Fail to create a Java keystore for the given certificates (password too short)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: short
    keystore_type: jks
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_fail_jks
  ignore_errors: true

 - name: Stat keystore (after failure)
  ansible.builtin.stat:
-    path: "{{ output_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ (item.keyname | d(item.name)) ~ '.jks' }}"
  loop: "{{ java_keystore_new_certs }}"
  register: result_stat_after


 - name: Create a Java keystore for the given certificates (keystore type changed, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
    keystore_type: pkcs12
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_type_change_check

 - name: Create a Java keystore for the given certificates (keystore type changed)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
    keystore_type: pkcs12
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_type_change


 - name: Create a Java keystore for the given certificates (omit keystore type, check mode)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  check_mode: yes
  register: result_type_omit_check

 - name: Create a Java keystore for the given certificates (omit keystore type)
  community.general.java_keystore:
-    <<: *java_keystore_params
+    <<: *java_keystore_params_new_certs
    name: foobar
    password: hunter2
  loop: "{{ java_keystore_new_certs }}"
+  loop_control:
+    index_var: loop_index
  register: result_type_omit


 - name: Check that the remote certificates have not been removed
  ansible.builtin.file:
-    path: "{{ output_dir ~ '/' ~ item.name ~ '.pem' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.pem' }}"
    state: file
  loop: "{{ java_keystore_certs + java_keystore_new_certs }}"
  when: remote_cert

 - name: Check that the remote private keys have not been removed
  ansible.builtin.file:
-    path: "{{ output_dir ~ '/' ~ item.name ~ '.key' }}"
+    path: "{{ remote_tmp_dir ~ '/' ~ item.name ~ '.key' }}"
    state: file
  loop: "{{ java_keystore_certs }}"
  when: remote_cert