diff --git a/test/integration/destructive.yml b/test/integration/destructive.yml index b63a315b90..f3400909de 100644 --- a/test/integration/destructive.yml +++ b/test/integration/destructive.yml @@ -21,4 +21,5 @@ - { role: test_zypper, tags: test_zypper} - { role: test_zypper_repository, tags: test_zypper_repository} - { role: test_uri, tags: test_uri } + - { role: test_get_url, tags: test_get_url } - { role: test_apache2_module, tags: test_apache2_module } diff --git a/test/integration/non_destructive.yml b/test/integration/non_destructive.yml index 369b09d16a..59910755d4 100644 --- a/test/integration/non_destructive.yml +++ b/test/integration/non_destructive.yml @@ -38,7 +38,6 @@ - { role: test_command_shell, tags: test_command_shell } - { role: test_script, tags: test_script } - { role: test_authorized_key, tags: test_authorized_key } - - { role: test_get_url, tags: test_get_url } - { role: test_embedded_module, tags: test_embedded_module } - { role: test_add_host, tags: test_add_host } - { role: test_binary, tags: test_binary } diff --git a/test/integration/roles/prepare_http_tests/defaults/main.yml b/test/integration/roles/prepare_http_tests/defaults/main.yml new file mode 100644 index 0000000000..c41faa2bd3 --- /dev/null +++ b/test/integration/roles/prepare_http_tests/defaults/main.yml @@ -0,0 +1,3 @@ +badssl_host: wrong.host.badssl.com +httpbin_host: httpbin.org +sni_host: sni.velox.ch diff --git a/test/integration/roles/prepare_http_tests/tasks/main.yml b/test/integration/roles/prepare_http_tests/tasks/main.yml new file mode 100644 index 0000000000..c3678aad79 --- /dev/null +++ b/test/integration/roles/prepare_http_tests/tasks/main.yml @@ -0,0 +1,35 @@ +# The docker --link functionality gives us an ENV var we can key off of to see if we have access to +# the httptester container +- set_fact: + has_httptester: "{{ lookup('env', 'ANSIBLE.HTTP.TESTS_PORT_80_TCP_ADDR') != '' }}" + +# If we are running with access to a httptester container, grab it's cacert and install it +- block: + # Override hostname defaults with httptester linked names + - include_vars: httptester.yml + + - name: RedHat - Enable the dynamic CA configuration feature + command: update-ca-trust force-enable + when: ansible_os_family == 'RedHat' + + - name: RedHat - Retrieve test cacert + get_url: + url: "http://ansible.http.tests/cacert.pem" + dest: "/etc/pki/ca-trust/source/anchors/ansible.pem" + when: ansible_os_family == 'RedHat' + + - name: Debian - Retrieve test cacert + get_url: + url: "http://ansible.http.tests/cacert.pem" + dest: "/usr/local/share/ca-certificates/ansible.crt" + when: ansible_os_family == 'Debian' + + - name: Redhat - Update ca trust + command: update-ca-trust extract + when: ansible_os_family == 'RedHat' + + - name: Debian - Update ca certificates + command: update-ca-certificates + when: ansible_os_family == 'Debian' + + when: has_httptester|bool diff --git a/test/integration/roles/prepare_http_tests/vars/httptester.yml b/test/integration/roles/prepare_http_tests/vars/httptester.yml new file mode 100644 index 0000000000..e5f46db630 --- /dev/null +++ b/test/integration/roles/prepare_http_tests/vars/httptester.yml @@ -0,0 +1,4 @@ +# these are fake hostnames provided by docker link for the httptester container +badssl_host: fail.ansible.http.tests +httpbin_host: ansible.http.tests +sni_host: sni1.ansible.http.tests diff --git a/test/integration/roles/test_get_url/meta/main.yml b/test/integration/roles/test_get_url/meta/main.yml index 1050c23ce3..b5f2416aed 100644 --- a/test/integration/roles/test_get_url/meta/main.yml +++ b/test/integration/roles/test_get_url/meta/main.yml @@ -1,3 +1,4 @@ -dependencies: +dependencies: - prepare_tests + - prepare_http_tests diff --git a/test/integration/roles/test_get_url/tasks/main.yml b/test/integration/roles/test_get_url/tasks/main.yml index 45ad1ab938..0bb0bfd854 100644 --- a/test/integration/roles/test_get_url/tasks/main.yml +++ b/test/integration/roles/test_get_url/tasks/main.yml @@ -66,27 +66,21 @@ - result.failed - name: test https fetch - get_url: url="https://raw.githubusercontent.com/ansible/ansible/devel/README.md" dest={{output_dir}}/get_url.txt force=yes + get_url: url="https://{{ httpbin_host }}/get" dest={{output_dir}}/get_url.txt force=yes register: result - name: assert the get_url call was successful assert: that: - - result.changed + - result.changed - '"OK" in result.msg' - name: test https fetch to a site with mismatched hostname and certificate get_url: - url: "https://www.kennethreitz.org/" + url: "https://{{ badssl_host }}/" dest: "{{ output_dir }}/shouldnotexist.html" ignore_errors: True register: result - # kennethreitz having trouble staying up. Eventually need to install our own - # certs & web server to test this... also need to install and test it with - # a proxy so the complications are inevitable - until: "'read operation timed out' not in result.msg" - retries: 30 - delay: 10 - stat: path: "{{ output_dir }}/shouldnotexist.html" @@ -101,16 +95,13 @@ - name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no get_url: - url: "https://www.kennethreitz.org/" - dest: "{{ output_dir }}/kreitz.html" + url: "https://{{ badssl_host }}/" + dest: "{{ output_dir }}/get_url_no_validate.html" validate_certs: no register: result - until: "'read operation timed out' not in result.msg" - retries: 30 - delay: 10 - stat: - path: "{{ output_dir }}/kreitz.html" + path: "{{ output_dir }}/get_url_no_validate.html" register: stat_result - name: Assert that the file was downloaded @@ -119,48 +110,44 @@ - "result.changed == true" - "stat_result.stat.exists == true" -# At the moment, AWS can't make an https request to velox.ch... connection -# timed out. So we'll use a different test until/unless the problem is resolved -## SNI Tests -## SNI is only built into the stdlib from python-2.7.9 onwards -#- name: Test that SNI works -# get_url: -# # A test site that returns a page with information on what SNI information -# # the client sent. A failure would have the string: did not send a TLS server name indication extension -# url: 'https://foo.sni.velox.ch/' -# dest: "{{ output_dir }}/sni.html" -# register: get_url_result -# ignore_errors: True -# -#- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html" -# register: data_result -# when: "{{ python_has_ssl_context }}" -# -#- debug: var=get_url_result -#- name: Assert that SNI works with this python version -# assert: -# that: -# - 'data_result.rc == 0' -# - '"failed" not in get_url_result' -# when: "{{ python_has_ssl_context }}" -# -## If the client doesn't support SNI then get_url should have failed with a certificate mismatch -#- name: Assert that hostname verification failed because SNI is not supported on this version of python -# assert: -# that: -# - 'get_url_result["failed"]' -# when: "{{ not python_has_ssl_context }}" +# SNI Tests +# SNI is only built into the stdlib from python-2.7.9 onwards +- name: Test that SNI works + get_url: + url: 'https://{{ sni_host }}/' + dest: "{{ output_dir }}/sni.html" + register: get_url_result + ignore_errors: True + +- command: "grep '{{ sni_host }}' {{ output_dir}}/sni.html" + register: data_result + when: "{{ python_has_ssl_context }}" + +- debug: var=get_url_result +- name: Assert that SNI works with this python version + assert: + that: + - 'data_result.rc == 0' + - '"failed" not in get_url_result' + when: "{{ python_has_ssl_context }}" + +# If the client doesn't support SNI then get_url should have failed with a certificate mismatch +- name: Assert that hostname verification failed because SNI is not supported on this version of python + assert: + that: + - 'get_url_result["failed"]' + when: "{{ not python_has_ssl_context }}" # These tests are just side effects of how the site is hosted. It's not # specifically a test site. So the tests may break due to the hosting changing - name: Test that SNI works get_url: - url: 'https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing' + url: 'https://{{ sni_host }}/' dest: "{{ output_dir }}/sni.html" register: get_url_result ignore_errors: True -- command: "grep '

If You Can Read This, You.re SNIing

' {{ output_dir}}/sni.html" +- command: "grep '{{ sni_host }}' {{ output_dir}}/sni.html" register: data_result when: "{{ python_has_ssl_context }}" @@ -182,12 +169,12 @@ - name: Test get_url with redirect get_url: - url: 'http://httpbin.org/redirect/6' + url: 'http://{{ httpbin_host }}/redirect/6' dest: "{{ output_dir }}/redirect.json" - name: Test that setting file modes work get_url: - url: 'http://httpbin.org/' + url: 'http://{{ httpbin_host }}/' dest: '{{ output_dir }}/test' mode: '0707' register: result @@ -204,7 +191,7 @@ - name: Test that setting file modes on an already downlaoded file work get_url: - url: 'http://httpbin.org/' + url: 'http://{{ httpbin_host }}/' dest: '{{ output_dir }}/test' mode: '0070' register: result diff --git a/test/integration/roles/test_lookups/tasks/main.yml b/test/integration/roles/test_lookups/tasks/main.yml index 5b179690f1..72fa11be79 100644 --- a/test/integration/roles/test_lookups/tasks/main.yml +++ b/test/integration/roles/test_lookups/tasks/main.yml @@ -84,7 +84,7 @@ # ENV LOOKUP - name: get first environment var name - shell: env | head -n1 | cut -d\= -f1 + shell: env | fgrep -v '.' | head -n1 | cut -d\= -f1 register: known_var_name - name: get first environment var value diff --git a/test/integration/roles/test_uri/meta/main.yml b/test/integration/roles/test_uri/meta/main.yml index 07faa21776..a5f3f70736 100644 --- a/test/integration/roles/test_uri/meta/main.yml +++ b/test/integration/roles/test_uri/meta/main.yml @@ -1,2 +1,3 @@ dependencies: - prepare_tests + - prepare_http_tests diff --git a/test/integration/roles/test_uri/tasks/main.yml b/test/integration/roles/test_uri/tasks/main.yml index 6b84a963eb..7f2ee952a4 100644 --- a/test/integration/roles/test_uri/tasks/main.yml +++ b/test/integration/roles/test_uri/tasks/main.yml @@ -94,16 +94,10 @@ - name: test https fetch to a site with mismatched hostname and certificate uri: - url: "https://www.kennethreitz.org/" + url: "https://{{ badssl_host }}/" dest: "{{ output_dir }}/shouldnotexist.html" ignore_errors: True register: result - # kennethreitz having trouble staying up. Eventually need to install our own - # certs & web server to test this... also need to install and test it with - # a proxy so the complications are inevitable - until: "'read operation timed out' not in result.msg" - retries: 30 - delay: 10 - stat: path: "{{ output_dir }}/shouldnotexist.html" @@ -123,13 +117,10 @@ - name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no uri: - url: "https://www.kennethreitz.org/" + url: "https://{{ badssl_host }}/" dest: "{{ output_dir }}/kreitz.html" validate_certs: no register: result - until: "'read operation timed out' not in result.msg" - retries: 30 - delay: 10 - stat: path: "{{ output_dir }}/kreitz.html" @@ -143,7 +134,7 @@ - name: test redirect without follow_redirects uri: - url: 'http://httpbin.org/redirect/2' + url: 'http://{{ httpbin_host }}/redirect/2' follow_redirects: 'none' status_code: 302 register: result @@ -151,21 +142,21 @@ - name: Assert location header assert: that: - - 'result.location|default("") == "http://httpbin.org/relative-redirect/1"' + - 'result.location|default("") == "http://{{ httpbin_host }}/relative-redirect/1"' - name: Check SSL with redirect uri: - url: 'https://httpbin.org/redirect/2' + url: 'https://{{ httpbin_host }}/redirect/2' register: result - name: Assert SSL with redirect assert: that: - - 'result.url|default("") == "https://httpbin.org/get"' + - 'result.url|default("") == "https://{{ httpbin_host }}/get"' - name: redirect to bad SSL site uri: - url: 'http://wrong.host.badssl.com' + url: 'http://{{ badssl_host }}' register: result ignore_errors: true @@ -173,30 +164,30 @@ assert: that: - result|failed - - '"wrong.host.badssl.com" in result.msg' + - 'badssl_host in result.msg' - name: test basic auth uri: - url: 'http://httpbin.org/basic-auth/user/passwd' + url: 'http://{{ httpbin_host }}/basic-auth/user/passwd' user: user password: passwd - name: test basic forced auth uri: - url: 'http://httpbin.org/hidden-basic-auth/user/passwd' + url: 'http://{{ httpbin_host }}/hidden-basic-auth/user/passwd' force_basic_auth: true user: user password: passwd - name: test PUT uri: - url: 'http://httpbin.org/put' + url: 'http://{{ httpbin_host }}/put' method: PUT body: 'foo=bar' - name: test OPTIONS uri: - url: 'http://httpbin.org/' + url: 'http://{{ httpbin_host }}/' method: OPTIONS register: result @@ -217,7 +208,7 @@ # test run. - name: Test that SNI succeeds on python versions that have SNI uri: - url: "{{ SNI_URI }}" + url: 'https://{{ sni_host }}/' return_content: true when: ansible_python.has_sslcontext register: result @@ -225,13 +216,13 @@ - name: Assert SNI verification succeeds on new python assert: that: - - result|success - - "\"

If You Can Read This, You're SNIing

\" in result.content" + - result|success + - 'sni_host == result.content' when: ansible_python.has_sslcontext - name: Verify SNI verification fails on old python without urllib3 contrib uri: - url: '{{ SNI_URI }}' + url: 'https://{{ sni_host }}' ignore_errors: true when: not ansible_python.has_sslcontext register: result @@ -257,7 +248,7 @@ - name: Verify SNI verificaiton succeeds on old python with urllib3 contrib uri: - url: '{{ SNI_URI }}' + url: 'https://{{ sni_host }}' return_content: true when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool register: result @@ -266,8 +257,7 @@ assert: that: - result|success - #- '"Great! Your client" in result.content' - - "\"

If You Can Read This, You're SNIing

\" in result.content" + - 'sni_host == result.content' when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool - name: Uninstall ndg-httpsclient and urllib3 @@ -287,7 +277,7 @@ - name: validate the status_codes are correct uri: - url: https://httpbin.org/status/202 + url: "https://{{ httpbin_host }}/status/202" status_code: 202 method: POST body: foo diff --git a/test/utils/run_tests.sh b/test/utils/run_tests.sh index f58b108386..e2bdef321e 100755 --- a/test/utils/run_tests.sh +++ b/test/utils/run_tests.sh @@ -4,6 +4,8 @@ set -e set -u set -x +LINKS="--link=httptester:ansible.http.tests --link=httptester:sni1.ansible.http.tests --link=httptester:sni2.ansible.http.tests --link=httptester:fail.ansible.http.tests" + if [ "${TARGET}" = "sanity" ]; then ./test/code-smell/replace-urlopen.sh . ./test/code-smell/use-compat-six.sh lib @@ -12,9 +14,13 @@ if [ "${TARGET}" = "sanity" ]; then if test x"$TOXENV" != x'py24' ; then tox ; fi if test x"$TOXENV" = x'py24' ; then python2.4 -V && python2.4 -m compileall -fq -x 'module_utils/(a10|rax|openstack|ec2|gce|docker_common|azure_rm_common).py' lib/ansible/module_utils ; fi else + if [ ! -e /tmp/cid_httptester ]; then + docker pull sivel/httptester + docker run -d --name=httptester sivel/httptester > /tmp/cid_httptester + fi export C_NAME="testAbull_$$_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)" docker pull ansible/ansible:${TARGET} - docker run -d --volume="${PWD}:/root/ansible:Z" --name "${C_NAME}" ${TARGET_OPTIONS:=''} ansible/ansible:${TARGET} > /tmp/cid_${TARGET} + docker run -d --volume="${PWD}:/root/ansible:Z" $LINKS --name "${C_NAME}" ${TARGET_OPTIONS:=''} ansible/ansible:${TARGET} > /tmp/cid_${TARGET} docker exec -ti $(cat /tmp/cid_${TARGET}) /bin/sh -c "export TEST_FLAGS='${TEST_FLAGS:-''}'; cd /root/ansible; . hacking/env-setup; (cd test/integration; LC_ALL=en_US.utf-8 make ${MAKE_TARGET:-})" docker kill $(cat /tmp/cid_${TARGET})