ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-10-03 23:14:02 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

openssl_* modules: private key errors (#54088)

Browse source 
* Improve error handling, in particular with respect to private key loading problems.

* Add tests to validate that modules regenerate invalid input and don't crash.

* Don't crash when input is invalid.

* Create 'better' broken input.

* Fix paths.

* Simplifying pyOpenSSL error handling.
This commit is contained in:
Felix Fontein 2019-03-30 14:28:10 +01:00 committed by René Moser
commit 90c067e947
21 changed files with 327 additions and 228 deletions
Download patch file Download diff file Expand all files Collapse all files

4
test/integration/targets/openssl_certificate/tasks/assertonly.yml
View file

@ -101,6 +101,6 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"

15
test/integration/targets/openssl_certificate/tasks/ownca.yml
View file

@ -202,4 +202,19 @@
ignore_errors: yes
register: passphrase_error_3
- name: Create broken certificate
copy:
dest: "{{ output_dir }}/ownca_broken.pem"
content: "broken"
- name: Regenerate broken cert
openssl_certificate:
path: '{{ output_dir }}/ownca_broken.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr'
privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
ownca_path: '{{ output_dir }}/ca_cert.pem'
ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
provider: ownca
ownca_digest: sha256
register: ownca_broken
- import_tasks: ../tests/validate_ownca.yml

13
test/integration/targets/openssl_certificate/tasks/selfsigned.yml
View file

@ -211,4 +211,17 @@
ignore_errors: yes
register: passphrase_error_3
- name: Create broken certificate
copy:
dest: "{{ output_dir }}/cert_broken.pem"
content: "broken"
- name: Regenerate broken cert
openssl_certificate:
path: '{{ output_dir }}/cert_broken.pem'
csr_path: '{{ output_dir }}/csr_ecc.csr'
privatekey_path: '{{ output_dir }}/privatekey_ecc.pem'
provider: selfsigned
selfsigned_digest: sha256
register: selfsigned_broken
- import_tasks: ../tests/validate_selfsigned.yml

9
test/integration/targets/openssl_certificate/tests/validate_ownca.yml
View file

@ -98,6 +98,11 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: Verify that broken certificate will be regenerated
assert:
that:
- ownca_broken is changed

9
test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
View file

@ -99,6 +99,11 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: Verify that broken certificate will be regenerated
assert:
that:
- selfsigned_broken is changed

14
test/integration/targets/openssl_csr/tasks/impl.yml
View file

@ -274,3 +274,17 @@
select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: passphrase_error_3
- name: Create broken CSR
copy:
dest: "{{ output_dir }}/csrbroken.csr"
content: "broken"
- name: Regenerate broken CSR
openssl_csr:
path: '{{ output_dir }}/csrbroken.csr'
privatekey_path: '{{ output_dir }}/privatekey2.pem'
subject:
commonName: This is for Ansible
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: output_broken

9
test/integration/targets/openssl_csr/tests/validate.yml
View file

@ -116,6 +116,11 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: Verify that broken CSR will be regenerated
assert:
that:
- output_broken is changed

12
test/integration/targets/openssl_dhparam/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
- block:
# This module generates unsafe parameters for testing purposes
# otherwise tests would be too slow
@ -41,4 +42,15 @@
force: yes
register: dhparam_changed_force
- name: Create broken params
copy:
dest: "{{ output_dir }}/dhbroken.pem"
content: "broken"
- name: Regenerate broken params
openssl_dhparam:
path: '{{ output_dir }}/dhbroken.pem'
size: 512
force: yes
register: output_broken
- import_tasks: ../tests/validate.yml

5
test/integration/targets/openssl_dhparam/tests/validate.yml
View file

@ -30,3 +30,8 @@
- dhparam_changed_512 is not changed
- dhparam_changed_to_512 is changed
- dhparam_changed_force is changed
- name: Verify that broken params will be regenerated
assert:
that:
- output_broken is changed

15
test/integration/targets/openssl_pkcs12/tasks/impl.yml
View file

@ -100,6 +100,21 @@
state: present
register: p12_no_pkey
- name: 'Create broken PKCS#12'
copy:
dest: "{{ output_dir }}/broken.p12"
content: "broken"
- name: 'Regenerate broken PKCS#12'
openssl_pkcs12:
path: "{{ output_dir }}/broken.p12"
friendly_name: 'abracadabra'
privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
certificate_path: "{{ output_dir }}/ansible.crt"
state: present
force: True
mode: 0644
register: output_broken
- import_tasks: ../tests/validate.yml
always:

10
test/integration/targets/openssl_pkcs12/tests/validate.yml
View file

@ -1,3 +1,4 @@
---
- name: 'Install pexpect'
pip:
name: 'pexpect'
@ -27,6 +28,11 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: "Verify that broken PKCS#12 will be regenerated"
assert:
that:
- output_broken is changed

10
test/integration/targets/openssl_privatekey/tasks/impl.yml
View file

@ -184,6 +184,16 @@
backup: yes
register: passphrase_5
- name: Create broken key
copy:
dest: "{{ output_dir }}/broken"
content: "broken"
- name: Regenerate broken key
openssl_privatekey:
path: '{{ output_dir }}/broken.pem'
select_crypto_backend: '{{ select_crypto_backend }}'
register: output_broken
- name: Remove module
openssl_privatekey:
path: '{{ output_dir }}/privatekeypw.pem'

5
test/integration/targets/openssl_privatekey/tests/validate.yml
View file

@ -119,6 +119,11 @@
- passphrase_4.backup_file is undefined
- passphrase_5.backup_file is string
- name: Verify that broken key will be regenerated
assert:
that:
- output_broken is changed
- name: Validate remove
assert:
that:

10
test/integration/targets/openssl_publickey/tasks/main.yml
View file

@ -108,6 +108,16 @@
ignore_errors: yes
register: passphrase_error_3
- name: Create broken key
copy:
dest: "{{ output_dir }}/publickeybroken.pub"
content: "broken"
- name: Regenerate broken key
openssl_publickey:
path: '{{ output_dir }}/publickeybroken.pub'
privatekey_path: '{{ output_dir }}/privatekey5.pem'
register: output_broken
- import_tasks: ../tests/validate.yml
when: pyopenssl_version.stdout is version('16.0.0', '>=')

9
test/integration/targets/openssl_publickey/tests/validate.yml
View file

@ -103,6 +103,11 @@
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- "'assphrase' in passphrase_error_2.msg or 'assword' in passphrase_error_2.msg or 'serializ' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"
- "'assphrase' in passphrase_error_3.msg or 'assword' in passphrase_error_3.msg or 'serializ' in passphrase_error_3.msg"
- name: Verify that broken key will be regenerated
assert:
that:
- output_broken is changed