Add CI tests for java_cert and java_keystore (#1666)

* Try to run java_cert tests in CI.

* Forgot to add meta/

* Exclude CentOS 6.

* Add basic java_keystore tests.

* Forgot that.

* Without a CN, keytool always claims 'keystore password was incorrect' (sigh).

* Improve/fix tests.
Apparently the module cannot handle changed passwords.

* Update tests/integration/targets/java_keystore/tasks/main.yml

Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com>

* More simpliications.

* Fix typo.

Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com>

tests/integration/targets/java_cert/aliases

@@ -1 +1,7 @@
-unsupported
+destructive
+shippable/posix/group3
+skip/aix
+skip/osx
+skip/macos
+skip/freebsd
+needs/root

tests/integration/targets/java_cert/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - setup_java_keytool

tests/integration/targets/java_cert/tasks/main.yml

@@ -3,56 +3,58 @@
 # WARNING: These are designed specifically for Ansible tests       #
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
+- when: has_java_keytool
+  block:
 
-- name: prep pkcs12 file
-  copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
+    - name: prep pkcs12 file
+      copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
 
-- name: import pkcs12
-  java_cert:
-     pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-     pkcs12_password: changeit
-     pkcs12_alias: default
-     cert_alias: default
-     keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-     keystore_pass: changeme_keystore
-     keystore_create: yes
-     state: present
-  register: result_success
-- name: verify success
-  assert:
-    that:
-    - result_success is successful
+    - name: import pkcs12
+      java_cert:
+         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+         pkcs12_password: changeit
+         pkcs12_alias: default
+         cert_alias: default
+         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+         keystore_pass: changeme_keystore
+         keystore_create: yes
+         state: present
+      register: result_success
+    - name: verify success
+      assert:
+        that:
+        - result_success is successful
 
-- name: import pkcs12 with wrong password
-  java_cert:
-     pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-     pkcs12_password: wrong_pass
-     pkcs12_alias: default
-     cert_alias: default_new
-     keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-     keystore_pass: changeme_keystore
-     keystore_create: yes
-     state: present
-  ignore_errors: true
-  register: result_wrong_pass
+    - name: import pkcs12 with wrong password
+      java_cert:
+         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+         pkcs12_password: wrong_pass
+         pkcs12_alias: default
+         cert_alias: default_new
+         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+         keystore_pass: changeme_keystore
+         keystore_create: yes
+         state: present
+      ignore_errors: true
+      register: result_wrong_pass
 
-- name: verify fail with wrong import password
-  assert:
-    that:
-    - result_wrong_pass is failed
+    - name: verify fail with wrong import password
+      assert:
+        that:
+        - result_wrong_pass is failed
 
-- name: test fail on mutually exclusive params
-  java_cert:
-     cert_path: ca.crt
-     pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-     cert_alias: default
-     keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-     keystore_pass: changeme_keystore
-     keystore_create: yes
-     state: present
-  ignore_errors: true
-  register: result_excl_params
-- name: verify failed exclusive params
-  assert:
-    that:
-    - result_excl_params is failed
+    - name: test fail on mutually exclusive params
+      java_cert:
+         cert_path: ca.crt
+         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+         cert_alias: default
+         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+         keystore_pass: changeme_keystore
+         keystore_create: yes
+         state: present
+      ignore_errors: true
+      register: result_excl_params
+    - name: verify failed exclusive params
+      assert:
+        that:
+        - result_excl_params is failed

tests/integration/targets/java_keystore/aliases

@@ -0,0 +1,7 @@
+destructive
+shippable/posix/group3
+skip/aix
+skip/osx
+skip/macos
+skip/freebsd
+needs/root

tests/integration/targets/java_keystore/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - setup_java_keytool
+  - setup_openssl

tests/integration/targets/java_keystore/tasks/main.yml

@@ -0,0 +1,137 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+- when: has_java_keytool
+  block:
+    - name: Create private keys
+      community.crypto.openssl_privatekey:
+        path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+        size: 2048  # this should work everywhere
+        # The following is more efficient, but might not work everywhere:
+        # type: ECC
+        # curve: secp384r1
+        cipher: "{{ 'auto' if item.passphrase is defined else omit }}"
+        passphrase: "{{ item.passphrase | default(omit) }}"
+      loop:
+        - name: cert
+        - name: cert-pw
+          passphrase: hunter2
+
+    - name: Create CSRs
+      community.crypto.openssl_csr:
+        path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
+        privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+        privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
+        commonName: "{{ item.commonName }}"
+      loop:
+        - name: cert
+          commonName: example.com
+        - name: cert-pw
+          passphrase: hunter2
+          commonName: example.com
+        - name: cert2
+          keyname: cert
+          commonName: example.org
+        - name: cert2-pw
+          keyname: cert-pw
+          passphrase: hunter2
+          commonName: example.org
+
+    - name: Create certificates
+      community.crypto.x509_certificate:
+        path: "{{ output_dir ~ '/' ~ item.name ~ '.pem' }}"
+        csr_path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
+        privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
+        privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
+        provider: selfsigned
+      loop:
+        - name: cert
+          commonName: example.com
+        - name: cert-pw
+          passphrase: hunter2
+          commonName: example.com
+        - name: cert2
+          keyname: cert
+          commonName: example.org
+        - name: cert2-pw
+          keyname: cert-pw
+          passphrase: hunter2
+          commonName: example.org
+
+    - name: Create a Java key store for the given certificates (check mode)
+      community.general.java_keystore: &create_key_store_data
+        name: example
+        certificate: "{{lookup('file', output_dir ~ '/' ~ item.name ~ '.pem') }}"
+        private_key: "{{lookup('file', output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key') }}"
+        private_key_passphrase: "{{ item.passphrase | default(omit) }}"
+        password: changeit
+        dest: "{{ output_dir ~ '/' ~ item.name ~ '.jks' }}"
+      loop: &create_key_store_loop
+        - name: cert
+        - name: cert-pw
+          passphrase: hunter2
+      check_mode: yes
+      register: result_check
+
+    - name: Create a Java key store for the given certificates
+      community.general.java_keystore: *create_key_store_data
+      loop: *create_key_store_loop
+      register: result
+
+    - name: Create a Java key store for the given certificates (idempotency, check mode)
+      community.general.java_keystore: *create_key_store_data
+      loop: *create_key_store_loop
+      check_mode: yes
+      register: result_idem_check
+
+    - name: Create a Java key store for the given certificates (idempotency)
+      community.general.java_keystore: *create_key_store_data
+      loop: *create_key_store_loop
+      register: result_idem
+
+    - name: Create a Java key store for the given certificates (certificate changed, check mode)
+      community.general.java_keystore: *create_key_store_data
+      loop: &create_key_store_loop_new_certs
+        - name: cert2
+          keyname: cert
+        - name: cert2-pw
+          keyname: cert-pw
+          passphrase: hunter2
+      check_mode: yes
+      register: result_change_check
+
+    - name: Create a Java key store for the given certificates (certificate changed)
+      community.general.java_keystore: *create_key_store_data
+      loop: *create_key_store_loop_new_certs
+      register: result_change
+
+    - name: Create a Java key store for the given certificates (password changed, check mode)
+      community.general.java_keystore:
+        <<: *create_key_store_data
+        password: hunter2
+      loop: *create_key_store_loop_new_certs
+      check_mode: yes
+      register: result_pw_change_check
+      when: false  # FIXME: module currently crashes
+
+    - name: Create a Java key store for the given certificates (password changed)
+      community.general.java_keystore:
+        <<: *create_key_store_data
+        password: hunter2
+      loop: *create_key_store_loop_new_certs
+      register: result_pw_change
+      when: false  # FIXME: module currently crashes
+
+    - name: Validate results
+      assert:
+        that:
+          - result is changed
+          - result_check is changed
+          - result_idem is not changed
+          - result_idem_check is not changed
+          - result_change is changed
+          - result_change_check is changed
+          # - result_pw_change is changed        # FIXME: module currently crashes
+          # - result_pw_change_check is changed  # FIXME: module currently crashes

tests/integration/targets/setup_java_keytool/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - setup_remote_constraints
+  - setup_pkg_mgr

tests/integration/targets/setup_java_keytool/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+- set_fact:
+    has_java_keytool: >-
+      {{
+        ansible_os_family not in ['Darwin', 'FreeBSD']
+        and not (ansible_distribution == "CentOS" and ansible_distribution_version is version("7.0", "<"))
+      }}
+
+- name: Include OS-specific variables
+  include_vars: '{{ ansible_os_family }}.yml'
+  when: has_java_keytool
+
+- name: Install keytool
+  package:
+    name: '{{ keytool_package_name }}'
+  become: true
+  when: has_java_keytool

tests/integration/targets/setup_java_keytool/vars/Debian.yml

@@ -0,0 +1,2 @@
+---
+keytool_package_name: ca-certificates-java

tests/integration/targets/setup_java_keytool/vars/RedHat.yml

@@ -0,0 +1,2 @@
+---
+keytool_package_name: java-11-openjdk-headless

tests/integration/targets/setup_java_keytool/vars/Suse.yml

@@ -0,0 +1,2 @@
+---
+keytool_package_name: java-11-openjdk-headless