From b3d3b108bf70d33adc6b017b628a35128e83c404 Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Sun, 24 Jan 2021 16:51:02 +0100 Subject: [PATCH] Add CI tests for java_cert and java_keystore (#1666) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Try to run java_cert tests in CI. * Forgot to add meta/ * Exclude CentOS 6. * Add basic java_keystore tests. * Forgot that. * Without a CN, keytool always claims 'keystore password was incorrect' (sigh). * Improve/fix tests. Apparently the module cannot handle changed passwords. * Update tests/integration/targets/java_keystore/tasks/main.yml Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com> * More simplifications. * Fix typo. Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com> --- tests/integration/targets/java_cert/aliases | 8 +- .../targets/java_cert/meta/main.yml | 2 + .../targets/java_cert/tasks/main.yml | 98 +++++++------ .../integration/targets/java_keystore/aliases | 7 + .../targets/java_keystore/meta/main.yml | 3 + .../targets/java_keystore/tasks/main.yml | 137 ++++++++++++++++++ .../targets/setup_java_keytool/meta/main.yml | 3 + .../targets/setup_java_keytool/tasks/main.yml | 21 +++ .../setup_java_keytool/vars/Debian.yml | 2 + .../setup_java_keytool/vars/RedHat.yml | 2 + .../targets/setup_java_keytool/vars/Suse.yml | 2 + 11 files changed, 236 insertions(+), 49 deletions(-) create mode 100644 tests/integration/targets/java_cert/meta/main.yml create mode 100644 tests/integration/targets/java_keystore/aliases create mode 100644 tests/integration/targets/java_keystore/meta/main.yml create mode 100644 tests/integration/targets/java_keystore/tasks/main.yml create mode 100644 tests/integration/targets/setup_java_keytool/meta/main.yml create mode 100644 tests/integration/targets/setup_java_keytool/tasks/main.yml create mode 100644 tests/integration/targets/setup_java_keytool/vars/Debian.yml create mode 100644 tests/integration/targets/setup_java_keytool/vars/RedHat.yml create mode 100644
tests/integration/targets/setup_java_keytool/vars/Suse.yml
diff --git a/tests/integration/targets/java_cert/aliases b/tests/integration/targets/java_cert/aliases
index ad7ccf7ada..49222305a9 100644
--- a/tests/integration/targets/java_cert/aliases
+++ b/tests/integration/targets/java_cert/aliases
@@ -1 +1,7 @@
-unsupported
+destructive
+shippable/posix/group3
+skip/aix
+skip/osx
+skip/macos
+skip/freebsd
+needs/root
diff --git a/tests/integration/targets/java_cert/meta/main.yml b/tests/integration/targets/java_cert/meta/main.yml
new file mode 100644
index 0000000000..1d18287ada
--- /dev/null
+++ b/tests/integration/targets/java_cert/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - setup_java_keytool
diff --git a/tests/integration/targets/java_cert/tasks/main.yml b/tests/integration/targets/java_cert/tasks/main.yml
index cccb40eaaf..e701836e5d 100644
--- a/tests/integration/targets/java_cert/tasks/main.yml
+++ b/tests/integration/targets/java_cert/tasks/main.yml
@@ -3,56 +3,58 @@
 # WARNING: These are designed specifically for Ansible tests #
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
+- when: has_java_keytool
+ block:
-- name: prep pkcs12 file
- copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
+ - name: prep pkcs12 file
+ copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
-- name: import pkcs12
- java_cert:
- pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
- pkcs12_password: changeit
- pkcs12_alias: default
- cert_alias: default
- keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
- keystore_pass: changeme_keystore
- keystore_create: yes
- state: present
- register: result_success
-- name: verify success
- assert:
- that:
- - result_success is successful
+ - name: import pkcs12
+ java_cert:
+ pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+ pkcs12_password: changeit
+ pkcs12_alias: default
+ cert_alias: default
+ keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+ keystore_pass: changeme_keystore
+ keystore_create: yes
+ state: present
+ register: result_success
+ - name: verify success
+ assert:
+ that:
+ - result_success is successful
-- name: import pkcs12 with wrong password
- java_cert:
- pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
- pkcs12_password: wrong_pass
- pkcs12_alias: default
- cert_alias: default_new
- keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
- keystore_pass: changeme_keystore
- keystore_create: yes
- state: present
- ignore_errors: true
- register: result_wrong_pass
+ - name: import pkcs12 with wrong password
+ java_cert:
+ pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+ pkcs12_password: wrong_pass
+ pkcs12_alias: default
+ cert_alias: default_new
+ keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+ keystore_pass: changeme_keystore
+ keystore_create: yes
+ state: present
+ ignore_errors: true
+ register: result_wrong_pass
-- name: verify fail with wrong import password
- assert:
- that:
- - result_wrong_pass is failed
+ - name: verify fail with wrong import password
+ assert:
+ that:
+ - result_wrong_pass is failed
-- name: test fail on mutually exclusive params
- java_cert:
- cert_path: ca.crt
- pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
- cert_alias: default
- keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
- keystore_pass: changeme_keystore
- keystore_create: yes
- state: present
- ignore_errors: true
- register: result_excl_params
-- name: verify failed exclusive params
- assert:
- that:
- - result_excl_params is failed
+ - name: test fail on mutually exclusive params
+ java_cert:
+ cert_path: ca.crt
+ pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+ cert_alias: default
+ keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+ keystore_pass: changeme_keystore
+ keystore_create: yes
+ state: present
+ ignore_errors: true
+ register: result_excl_params
+ - name: verify failed exclusive params
+ assert:
+ that:
+ - result_excl_params is failed
diff --git a/tests/integration/targets/java_keystore/aliases b/tests/integration/targets/java_keystore/aliases
new file mode 100644
index 0000000000..49222305a9
--- /dev/null
+++ b/tests/integration/targets/java_keystore/aliases
@@ -0,0 +1,7 @@
+destructive
+shippable/posix/group3
+skip/aix
+skip/osx
+skip/macos
+skip/freebsd
+needs/root
diff --git a/tests/integration/targets/java_keystore/meta/main.yml b/tests/integration/targets/java_keystore/meta/main.yml
new file mode 100644
index 0000000000..9bc23ac67f
--- /dev/null
+++ b/tests/integration/targets/java_keystore/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - setup_java_keytool
+ - setup_openssl
diff --git a/tests/integration/targets/java_keystore/tasks/main.yml b/tests/integration/targets/java_keystore/tasks/main.yml
new file mode 100644
index 0000000000..2a8ad86e27
--- /dev/null
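Review bot: The `import pkcs12 with wrong password` case asserts only `result_wrong_pass is failed`, which also passes when the task fails for an unrelated reason (missing fixture, keytool absent), and nothing checks that the keystore was left untouched; add `- result_wrong_pass is not changed` to the `verify fail with wrong import password` assert and, if the module relays keytool's error text, a check on `result_wrong_pass.msg` that pins the password as the cause. The same weakness applies to `test fail on mutually exclusive params` and its `verify failed exclusive params` assert. Style: `keystore_create: yes` in all three `java_cert` tasks should be `keystore_create: true`, and the `key=value` form in `copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"` should be block-style module arguments like the rest of the file.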
+++ b/tests/integration/targets/java_keystore/tasks/main.yml 
@@ -0,0 +1,137 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+- when: has_java_keytool
+ block:
+ - name: Create private keys
+ community.crypto.openssl_privatekey:
+ path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+ size: 2048 # this should work everywhere
+ # The following is more efficient, but might not work everywhere:
+ # type: ECC
+ # curve: secp384r1
+ cipher: "{{ 'auto' if item.passphrase is defined else omit }}"
+ passphrase: "{{ item.passphrase | default(omit) }}"
+ loop:
+ - name: cert
+ - name: cert-pw
+ passphrase: hunter2
+
+ - name: Create CSRs
+ community.crypto.openssl_csr:
+ path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
+ privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+ privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
+ commonName: "{{ item.commonName }}"
+ loop:
+ - name: cert
+ commonName: example.com
+ - name: cert-pw
+ passphrase: hunter2
+ commonName: example.com
+ - name: cert2
+ keyname: cert
+ commonName: example.org
+ - name: cert2-pw
+ keyname: cert-pw
+ passphrase: hunter2
+ commonName: example.org
+
+ - name: Create certificates
+ community.crypto.x509_certificate:
+ path: "{{ output_dir ~ '/' ~ item.name ~ '.pem' }}"
+ csr_path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
+ privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+ privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
+ provider: selfsigned
+ loop:
+ - name: cert
+ commonName: example.com
+ - name: cert-pw
+ passphrase: hunter2
+ commonName: example.com
+ - name: cert2
+ keyname: cert
+ commonName: example.org
+ - name: cert2-pw
+ keyname: cert-pw
+ passphrase: hunter2
+ commonName: example.org
+
+ - name: Create a Java key store for the given certificates (check mode)
+ community.general.java_keystore: &create_key_store_data
+ name: example
+ certificate: "{{lookup('file', output_dir ~ '/' ~ item.name ~ '.pem') }}"
+ private_key: "{{lookup('file', output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key') }}"
+ private_key_passphrase: "{{ item.passphrase | default(omit) }}"
+ password: changeit
+ dest: "{{ output_dir ~ '/' ~ item.name ~ '.jks' }}"
+ loop: &create_key_store_loop
+ - name: cert
+ - name: cert-pw
+ passphrase: hunter2
+ check_mode: yes
+ register: result_check
+
+ - name: Create a Java key store for the given certificates
+ community.general.java_keystore: *create_key_store_data
+ loop: *create_key_store_loop
+ register: result
+
+ - name: Create a Java key store for the given certificates (idempotency, check mode)
+ community.general.java_keystore: *create_key_store_data
+ loop: *create_key_store_loop
+ check_mode: yes
+ register: result_idem_check
+
+ - name: Create a Java key store for the given certificates (idempotency)
+ community.general.java_keystore: *create_key_store_data
+ loop: *create_key_store_loop
+ register: result_idem
+
+ - name: Create a Java key store for the given certificates (certificate changed, check mode)
+ community.general.java_keystore: *create_key_store_data
+ loop: &create_key_store_loop_new_certs
+ - name: cert2
+ keyname: cert
+ - name: cert2-pw
+ keyname: cert-pw
+ passphrase: hunter2
+ check_mode: yes
+ register: result_change_check
+
+ - name: Create a Java key store for the given certificates (certificate changed)
+ community.general.java_keystore: *create_key_store_data
+ loop: *create_key_store_loop_new_certs
+ register: result_change
+
+ - name: Create a Java key store for the given certificates (password changed, check mode)
+ community.general.java_keystore:
+ <<: *create_key_store_data
+ password: hunter2
+ loop: *create_key_store_loop_new_certs
+ check_mode: yes
+ register: result_pw_change_check
+ when: false # FIXME: module currently crashes
+
+ - name: Create a Java key store for the given certificates (password changed)
+ community.general.java_keystore:
+ <<: *create_key_store_data
+ password: hunter2
+ loop: *create_key_store_loop_new_certs
+ register: result_pw_change
+ when: false # FIXME: module currently crashes
+
+ - name: Validate results
+ assert:
+ that:
+ - result is changed
+ - result_check is changed
+ - result_idem is not changed
+ - result_idem_check is not changed
+ - result_change is changed
+ - result_change_check is changed
+ # - result_pw_change is changed # FIXME: module currently crashes
+ # - result_pw_change_check is changed # FIXME: module currently crashes
diff --git a/tests/integration/targets/setup_java_keytool/meta/main.yml b/tests/integration/targets/setup_java_keytool/meta/main.yml
new file mode 100644
index 0000000000..2be15776b7
--- /dev/null
+++ b/tests/integration/targets/setup_java_keytool/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - setup_remote_constraints
+ - setup_pkg_mgr
diff --git a/tests/integration/targets/setup_java_keytool/tasks/main.yml b/tests/integration/targets/setup_java_keytool/tasks/main.yml
new file mode 100644
index 0000000000..be84495266
--- /dev/null
+++ b/tests/integration/targets/setup_java_keytool/tasks/main.yml
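Review bot: The `(certificate changed)` steps do not actually exercise a certificate change: `dest` in `&create_key_store_data` is built from `item.name`, and `&create_key_store_loop_new_certs` names its items `cert2`/`cert2-pw`, so the second round writes fresh `cert2.jks`/`cert2-pw.jks` files instead of updating the `cert.jks`/`cert-pw.jks` stores created earlier, and `result_change is changed` / `result_change_check is changed` pass for a plain create. Keying the store path on the key name, `dest: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.jks' }}"`, makes the changed-certificate tasks target the existing stores, which is what the idempotency/change distinction needs. `Validate results` also inspects only `changed` flags; a `stat` on the `dest` paths asserting the file exists would catch a module that reports a change without writing. Style: `check_mode: yes` on the three check-mode tasks should be `check_mode: true`.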
@@ -0,0 +1,21 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+- set_fact:
+ has_java_keytool: >-
+ {{
+ ansible_os_family not in ['Darwin', 'FreeBSD']
+ and not (ansible_distribution == "CentOS" and ansible_distribution_version is version("7.0", "<"))
+ }}
+
+- name: Include OS-specific variables
+ include_vars: '{{ ansible_os_family }}.yml'
+ when: has_java_keytool
+
+- name: Install keytool
+ package:
+ name: '{{ keytool_package_name }}'
+ become: true
+ when: has_java_keytool
diff --git a/tests/integration/targets/setup_java_keytool/vars/Debian.yml b/tests/integration/targets/setup_java_keytool/vars/Debian.yml
new file mode 100644
index 0000000000..faace450a7
--- /dev/null
+++ b/tests/integration/targets/setup_java_keytool/vars/Debian.yml
@@ -0,0 +1,2 @@
+---
+keytool_package_name: ca-certificates-java
diff --git a/tests/integration/targets/setup_java_keytool/vars/RedHat.yml b/tests/integration/targets/setup_java_keytool/vars/RedHat.yml
new file mode 100644
index 0000000000..d301dff436
--- /dev/null
+++ b/tests/integration/targets/setup_java_keytool/vars/RedHat.yml
@@ -0,0 +1,2 @@
+---
+keytool_package_name: java-11-openjdk-headless
diff --git a/tests/integration/targets/setup_java_keytool/vars/Suse.yml b/tests/integration/targets/setup_java_keytool/vars/Suse.yml
new file mode 100644
index 0000000000..d301dff436
--- /dev/null
+++ b/tests/integration/targets/setup_java_keytool/vars/Suse.yml
@@ -0,0 +1,2 @@
+---
+keytool_package_name: java-11-openjdk-headless
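Review bot: `include_vars: '{{ ansible_os_family }}.yml'` hard-fails on any OS family that passes the `has_java_keytool` test but has no vars file (only `Debian.yml`, `RedHat.yml` and `Suse.yml` are added in this commit), so an additional CI platform such as Alpine or Arch would error out instead of being skipped the way Darwin/FreeBSD are. Adding `and ansible_os_family in ['Debian', 'RedHat', 'Suse']` to the `has_java_keytool` expression keeps the skip behaviour consistent; since that silently drops coverage for a new platform, a comment above the `set_fact`, `# keytool is only set up on OS families that have a vars/<family>.yml`, would make the limitation visible. The `set_fact` task also lacks a `name:`, unlike the two tasks that follow it.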