diff --git a/test/integration/destructive.yml b/test/integration/destructive.yml
index b63a315b90..f3400909de 100644
--- a/test/integration/destructive.yml
+++ b/test/integration/destructive.yml
@@ -21,4 +21,5 @@
 - { role: test_zypper, tags: test_zypper}
 - { role: test_zypper_repository, tags: test_zypper_repository}
 - { role: test_uri, tags: test_uri }
+ - { role: test_get_url, tags: test_get_url }
 - { role: test_apache2_module, tags: test_apache2_module }
diff --git a/test/integration/non_destructive.yml b/test/integration/non_destructive.yml
index 369b09d16a..59910755d4 100644
--- a/test/integration/non_destructive.yml
+++ b/test/integration/non_destructive.yml
@@ -38,7 +38,6 @@
 - { role: test_command_shell, tags: test_command_shell }
 - { role: test_script, tags: test_script }
 - { role: test_authorized_key, tags: test_authorized_key }
- - { role: test_get_url, tags: test_get_url }
 - { role: test_embedded_module, tags: test_embedded_module }
 - { role: test_add_host, tags: test_add_host }
 - { role: test_binary, tags: test_binary }
diff --git a/test/integration/roles/prepare_http_tests/defaults/main.yml b/test/integration/roles/prepare_http_tests/defaults/main.yml
new file mode 100644
index 0000000000..c41faa2bd3
--- /dev/null
+++ b/test/integration/roles/prepare_http_tests/defaults/main.yml
@@ -0,0 +1,3 @@
+badssl_host: wrong.host.badssl.com
+httpbin_host: httpbin.org
+sni_host: sni.velox.ch
diff --git a/test/integration/roles/prepare_http_tests/tasks/main.yml b/test/integration/roles/prepare_http_tests/tasks/main.yml
new file mode 100644
index 0000000000..c3678aad79
--- /dev/null
+++ b/test/integration/roles/prepare_http_tests/tasks/main.yml
@@ -0,0 +1,35 @@
+# The docker --link functionality gives us an ENV var we can key off of to see if we have access to
+# the httptester container
+- set_fact:
+ has_httptester: "{{ lookup('env', 'ANSIBLE.HTTP.TESTS_PORT_80_TCP_ADDR') != '' }}"
+
+# If we are running with access to a httptester container, grab it's cacert and install it
+- block:
+ # Override hostname defaults with httptester linked names
+ - include_vars: httptester.yml
+
+ - name: RedHat - Enable the dynamic CA configuration feature
+ command: update-ca-trust force-enable
+ when: ansible_os_family == 'RedHat'
+
+ - name: RedHat - Retrieve test cacert
+ get_url:
+ url: "http://ansible.http.tests/cacert.pem"
+ dest: "/etc/pki/ca-trust/source/anchors/ansible.pem"
+ when: ansible_os_family == 'RedHat'
+
+ - name: Debian - Retrieve test cacert
+ get_url:
+ url: "http://ansible.http.tests/cacert.pem"
+ dest: "/usr/local/share/ca-certificates/ansible.crt"
+ when: ansible_os_family == 'Debian'
+
+ - name: Redhat - Update ca trust
+ command: update-ca-trust extract
+ when: ansible_os_family == 'RedHat'
+
+ - name: Debian - Update ca certificates
+ command: update-ca-certificates
+ when: ansible_os_family == 'Debian'
+
+ when: has_httptester|bool
diff --git a/test/integration/roles/prepare_http_tests/vars/httptester.yml b/test/integration/roles/prepare_http_tests/vars/httptester.yml
new file mode 100644
index 0000000000..e5f46db630
--- /dev/null
+++ b/test/integration/roles/prepare_http_tests/vars/httptester.yml
@@ -0,0 +1,4 @@
+# these are fake hostnames provided by docker link for the httptester container
+badssl_host: fail.ansible.http.tests
+httpbin_host: ansible.http.tests
+sni_host: sni1.ansible.http.tests
diff --git a/test/integration/roles/test_get_url/meta/main.yml b/test/integration/roles/test_get_url/meta/main.yml
index 1050c23ce3..b5f2416aed 100644
--- a/test/integration/roles/test_get_url/meta/main.yml
+++ b/test/integration/roles/test_get_url/meta/main.yml
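Review bot: The block fetches `cacert.pem` over cleartext `http://ansible.http.tests/` and writes it straight into the host-wide trust store (`/etc/pki/ca-trust/source/anchors/`, `/usr/local/share/ca-certificates/`) followed by `update-ca-trust extract` / `update-ca-certificates`, with no integrity check and no cleanup task, so every TLS client on that host trusts whatever the httptester CA signs from then on — presumably why test_get_url moved to destructive.yml, but nothing in the role states it. I would put that contract at the top of the block: `# WARNING: installs the httptester CA into the system trust store (host-wide, never removed) — run only on disposable test hosts`. The gate relies on `lookup('env', ...)`, which lookup plugins evaluate on the controller, while the trust-store writes land on the target; on a non-localhost inventory the two can disagree, so a note (or an `ansible_env` check on the target) is worth adding if that case ever matters. Also neither get_url task sets `mode:`; `mode: '0644'` on both makes the anchor's permissions explicit rather than umask-dependent.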
@@ -1,3 +1,4 @@
-dependencies:
+dependencies:
 - prepare_tests
+ - prepare_http_tests
diff --git a/test/integration/roles/test_get_url/tasks/main.yml b/test/integration/roles/test_get_url/tasks/main.yml
index 45ad1ab938..0bb0bfd854 100644
--- a/test/integration/roles/test_get_url/tasks/main.yml
+++ b/test/integration/roles/test_get_url/tasks/main.yml
@@ -66,27 +66,21 @@
 - result.failed
 - name: test https fetch
- get_url: url="https://raw.githubusercontent.com/ansible/ansible/devel/README.md" dest={{output_dir}}/get_url.txt force=yes
+ get_url: url="https://{{ httpbin_host }}/get" dest={{output_dir}}/get_url.txt force=yes
 register: result
 - name: assert the get_url call was successful
 assert:
 that:
- - result.changed
+ - result.changed
 - '"OK" in result.msg'
 - name: test https fetch to a site with mismatched hostname and certificate
 get_url:
- url: "https://www.kennethreitz.org/"
+ url: "https://{{ badssl_host }}/"
 dest: "{{ output_dir }}/shouldnotexist.html"
 ignore_errors: True
 register: result
- # kennethreitz having trouble staying up. Eventually need to install our own
- # certs & web server to test this... also need to install and test it with
- # a proxy so the complications are inevitable
- until: "'read operation timed out' not in result.msg"
- retries: 30
- delay: 10
 - stat:
 path: "{{ output_dir }}/shouldnotexist.html"
@@ -101,16 +95,13 @@
 - name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no
 get_url:
- url: "https://www.kennethreitz.org/"
- dest: "{{ output_dir }}/kreitz.html"
+ url: "https://{{ badssl_host }}/"
+ dest: "{{ output_dir }}/get_url_no_validate.html"
 validate_certs: no
 register: result
- until: "'read operation timed out' not in result.msg"
- retries: 30
- delay: 10
 - stat:
- path: "{{ output_dir }}/kreitz.html"
+ path: "{{ output_dir }}/get_url_no_validate.html"
 register: stat_result
 - name: Assert that the file was downloaded
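Review bot: In the `test https fetch to a site with mismatched hostname and certificate` task the hunk drops the `until: "'read operation timed out' not in result.msg"` retry without adding any check on why the call failed, so a DNS or connection error against `{{ badssl_host }}` satisfies this negative test just as well as a rejected certificate would, and a regression that disables hostname verification could hide behind flaky networking. I would assert on the registered result (the assert that follows the `stat` is outside the hunk, so extend it there if present): `- result.failed` and `- "'read operation timed out' not in result.msg"`, plus a check that `result.msg` mentions the certificate if get_url's verification error text is stable. The same retry removal in the validate_certs=no hunk is fine, since the positive `stat_result.stat.exists` assertion already pins the outcome. Minor style point: the rewritten `get_url: url="https://{{ httpbin_host }}/get" dest={{output_dir}}/get_url.txt force=yes` keeps the key=value string form while the neighbouring tasks use block YAML; `url:`/`dest:`/`force:` keys would be consistent and avoid the unquoted `{{output_dir}}` inside a k=v string.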
@@ -119,48 +110,44 @@
 - "result.changed == true"
 - "stat_result.stat.exists == true"
-# At the moment, AWS can't make an https request to velox.ch... connection
-# timed out. So we'll use a different test until/unless the problem is resolved
-## SNI Tests
-## SNI is only built into the stdlib from python-2.7.9 onwards
-#- name: Test that SNI works
-# get_url:
-# # A test site that returns a page with information on what SNI information
-# # the client sent. A failure would have the string: did not send a TLS server name indication extension
-# url: 'https://foo.sni.velox.ch/'
-# dest: "{{ output_dir }}/sni.html"
-# register: get_url_result
-# ignore_errors: True
-#
-#- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html"
-# register: data_result
-# when: "{{ python_has_ssl_context }}"
-#
-#- debug: var=get_url_result
-#- name: Assert that SNI works with this python version
-# assert:
-# that:
-# - 'data_result.rc == 0'
-# - '"failed" not in get_url_result'
-# when: "{{ python_has_ssl_context }}"
-#
-## If the client doesn't support SNI then get_url should have failed with a certificate mismatch
-#- name: Assert that hostname verification failed because SNI is not supported on this version of python
-# assert:
-# that:
-# - 'get_url_result["failed"]'
-# when: "{{ not python_has_ssl_context }}"
+# SNI Tests
+# SNI is only built into the stdlib from python-2.7.9 onwards
+- name: Test that SNI works
+ get_url:
+ url: 'https://{{ sni_host }}/'
+ dest: "{{ output_dir }}/sni.html"
+ register: get_url_result
+ ignore_errors: True
+
+- command: "grep '{{ sni_host }}' {{ output_dir}}/sni.html"
+ register: data_result
+ when: "{{ python_has_ssl_context }}"
+
+- debug: var=get_url_result
+- name: Assert that SNI works with this python version
+ assert:
+ that:
+ - 'data_result.rc == 0'
+ - '"failed" not in get_url_result'
+ when: "{{ python_has_ssl_context }}"
+
+# If the client doesn't support SNI then get_url should have failed with a certificate mismatch
+- name: Assert that hostname verification failed because SNI is not supported on this version of python
+ assert:
+ that:
+ - 'get_url_result["failed"]'
+ when: "{{ not python_has_ssl_context }}"
 # These tests are just side effects of how the site is hosted. It's not
 # specifically a test site. So the tests may break due to the hosting changing
 - name: Test that SNI works
 get_url:
- url: 'https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing'
+ url: 'https://{{ sni_host }}/'
 dest: "{{ output_dir }}/sni.html"
 register: get_url_result
 ignore_errors: True
-- command: "grep '