ACME: improve tests (new Pebble version, strict mode) (#44518)

* Bump ACME test container version.

* Re-adding key rollover test.

test/integration/targets/acme_account/tasks/impl.yml

@@ -100,72 +100,23 @@
 - name: Parse account key (to ease debugging some test failures)
   command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
 
-# Note that pebble has no change key endpoint implemented yet!
+- name: Change account key
-# When it has (and the container was updated), uncomment the
+  acme_account:
-# uncomment the following tests, and delete the ones below the
+    select_crypto_backend: "{{ select_crypto_backend }}"
-# out-commented ones.
+    account_key_src: "{{ output_dir }}/accountkey.pem"
-
+    acme_version: 2
-# - name: Change account key
+    acme_directory: https://{{ acme_host }}:14000/dir
-#   acme_account:
+    validate_certs: no
-#     select_crypto_backend: "{{ select_crypto_backend }}"
+    new_account_key_src: "{{ output_dir }}/accountkey2.pem"
-#     account_key_src: "{{ output_dir }}/accountkey.pem"
+    state: changed_key
-#     acme_version: 2
+    contact:
-#     acme_directory: https://{{ acme_host }}:14000/dir
+    - mailto:example@example.com
-#     validate_certs: no
+  register: account_change_key
-#     new_account_key_src: "{{ output_dir }}/accountkey2.pem"
-#     state: changed_key
-#     contact:
-#     - mailto:example@example.com
-#   register: account_change_key
-
-# - name: Deactivate account
-#   acme_account:
-#     select_crypto_backend: "{{ select_crypto_backend }}"
-#     account_key_src: "{{ output_dir }}/accountkey2.pem"
-#     acme_version: 2
-#     acme_directory: https://{{ acme_host }}:14000/dir
-#     validate_certs: no
-#     state: absent
-#   register: account_deactivate
-
-# - name: Deactivate account (idempotent)
-#   acme_account:
-#     select_crypto_backend: "{{ select_crypto_backend }}"
-#     account_key_src: "{{ output_dir }}/accountkey2.pem"
-#     acme_version: 2
-#     acme_directory: https://{{ acme_host }}:14000/dir
-#     validate_certs: no
-#     state: absent
-#   register: account_deactivate_idempotent
-
-# - name: Do not try to create account II
-#   acme_account:
-#     select_crypto_backend: "{{ select_crypto_backend }}"
-#     account_key_src: "{{ output_dir }}/accountkey2.pem"
-#     acme_version: 2
-#     acme_directory: https://{{ acme_host }}:14000/dir
-#     validate_certs: no
-#     state: present
-#     allow_creation: no
-#   ignore_errors: yes
-#   register: account_not_created_2
-
-# - name: Do not try to create account III
-#   acme_account:
-#     select_crypto_backend: "{{ select_crypto_backend }}"
-#     account_key_src: "{{ output_dir }}/accountkey.pem"
-#     acme_version: 2
-#     acme_directory: https://{{ acme_host }}:14000/dir
-#     validate_certs: no
-#     state: present
-#     allow_creation: no
-#   ignore_errors: yes
-#   register: account_not_created_3
 
 - name: Deactivate account
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ output_dir }}/accountkey2.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -175,7 +126,7 @@
 - name: Deactivate account (idempotent)
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ output_dir }}/accountkey2.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -185,7 +136,7 @@
 - name: Do not try to create account II
   acme_account:
     select_crypto_backend: "{{ select_crypto_backend }}"
-    account_key_src: "{{ output_dir }}/accountkey.pem"
+    account_key_src: "{{ output_dir }}/accountkey2.pem"
     acme_version: 2
     acme_directory: https://{{ acme_host }}:14000/dir
     validate_certs: no
@@ -193,3 +144,15 @@
     allow_creation: no
   ignore_errors: yes
   register: account_not_created_2
+
+- name: Do not try to create account III
+  acme_account:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    account_key_src: "{{ output_dir }}/accountkey.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    state: present
+    allow_creation: no
+  ignore_errors: yes
+  register: account_not_created_3

test/integration/targets/acme_account/tests/validate.yml

@@ -39,38 +39,11 @@
       - account_modified_2_idempotent is not changed
       - account_modified_2_idempotent.account_uri is not none
 
-# Note that pebble has no change key endpoint implemented yet!
+- name: Validate that the account key was changed
-# When it has (and the container was updated), uncomment the
+  assert:
-# following validations, and delete the ones below the
+    that:
-# out-commented ones:
+      - account_change_key is changed
-
+      - account_change_key.account_uri is not none
-#- name: Validate that the account key was changed
-#  assert:
-#    that:
-#      - account_change_key is changed
-#      - account_change_key.account_uri is not none
-#
-#- name: Validate that the account was deactivated
-#  assert:
-#    that:
-#      - account_deactivate is changed
-#      - account_deactivate.account_uri is not none
-#
-#- name: Validate that the account was really deactivated (idempotency)
-#  assert:
-#    that:
-#      - account_deactivate_idempotent is not changed
-#      - account_deactivate_idempotent.account_uri is not none
-#
-#- name: Validate that the account is gone (new account key)
-#  assert:
-#    that:
-#      - account_not_created_2 is failed
-#
-#- name: Validate that the account is gone (old account key)
-#  assert:
-#    that:
-#      - account_not_created_3 is failed
 
 - name: Validate that the account was deactivated
   assert:
@@ -84,7 +57,12 @@
       - account_deactivate_idempotent is not changed
       - account_deactivate_idempotent.account_uri is not none
 
-- name: Validate that the account is gone
+- name: Validate that the account is gone (new account key)
   assert:
     that:
       - account_not_created_2 is failed
+
+- name: Validate that the account is gone (old account key)
+  assert:
+    that:
+      - account_not_created_3 is failed

test/runner/lib/cloud/acme.py

@@ -50,7 +50,7 @@ class ACMEProvider(CloudProvider):
         if os.environ.get('ANSIBLE_ACME_CONTAINER'):
             self.image = os.environ.get('ANSIBLE_ACME_CONTAINER')
         else:
-            self.image = 'quay.io/ansible/acme-test-container:1.2.0'
+            self.image = 'quay.io/ansible/acme-test-container:1.3.0'
         self.container_name = ''
 
     def _wait_for_service(self, protocol, acme_host, port, local_part, name):