1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Add CI tests for java_cert and java_keystore (#1666)

* Try to run java_cert tests in CI.

* Forgot to add meta/

* Exclude CentOS 6.

* Add basic java_keystore tests.

* Forgot that.

* Without a CN, keytool always claims 'keystore password was incorrect' (sigh).

* Improve/fix tests.
Apparently the module cannot handle changed passwords.

* Update tests/integration/targets/java_keystore/tasks/main.yml

Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com>

* More simpliications.

* Fix typo.

Co-authored-by: Tadej Borovšak <70951+tadeboro@users.noreply.github.com>
This commit is contained in:
Felix Fontein 2021-01-24 16:51:02 +01:00 committed by GitHub
parent 1dd5e71cff
commit b3d3b108bf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 236 additions and 49 deletions

View file

@ -1 +1,7 @@
unsupported
destructive
shippable/posix/group3
skip/aix
skip/osx
skip/macos
skip/freebsd
needs/root

View file

@ -0,0 +1,2 @@
dependencies:
- setup_java_keytool

View file

@ -3,11 +3,13 @@
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################
- when: has_java_keytool
block:
- name: prep pkcs12 file
- name: prep pkcs12 file
copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
- name: import pkcs12
- name: import pkcs12
java_cert:
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
pkcs12_password: changeit
@ -18,12 +20,12 @@
keystore_create: yes
state: present
register: result_success
- name: verify success
- name: verify success
assert:
that:
- result_success is successful
- name: import pkcs12 with wrong password
- name: import pkcs12 with wrong password
java_cert:
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
pkcs12_password: wrong_pass
@ -36,12 +38,12 @@
ignore_errors: true
register: result_wrong_pass
- name: verify fail with wrong import password
- name: verify fail with wrong import password
assert:
that:
- result_wrong_pass is failed
- name: test fail on mutually exclusive params
- name: test fail on mutually exclusive params
java_cert:
cert_path: ca.crt
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
@ -52,7 +54,7 @@
state: present
ignore_errors: true
register: result_excl_params
- name: verify failed exclusive params
- name: verify failed exclusive params
assert:
that:
- result_excl_params is failed

View file

@ -0,0 +1,7 @@
destructive
shippable/posix/group3
skip/aix
skip/osx
skip/macos
skip/freebsd
needs/root

View file

@ -0,0 +1,3 @@
dependencies:
- setup_java_keytool
- setup_openssl

View file

@ -0,0 +1,137 @@
---
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################
- when: has_java_keytool
block:
- name: Create private keys
community.crypto.openssl_privatekey:
path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
size: 2048 # this should work everywhere
# The following is more efficient, but might not work everywhere:
# type: ECC
# curve: secp384r1
cipher: "{{ 'auto' if item.passphrase is defined else omit }}"
passphrase: "{{ item.passphrase | default(omit) }}"
loop:
- name: cert
- name: cert-pw
passphrase: hunter2
- name: Create CSRs
community.crypto.openssl_csr:
path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
commonName: "{{ item.commonName }}"
loop:
- name: cert
commonName: example.com
- name: cert-pw
passphrase: hunter2
commonName: example.com
- name: cert2
keyname: cert
commonName: example.org
- name: cert2-pw
keyname: cert-pw
passphrase: hunter2
commonName: example.org
- name: Create certificates
community.crypto.x509_certificate:
path: "{{ output_dir ~ '/' ~ item.name ~ '.pem' }}"
csr_path: "{{ output_dir ~ '/' ~ item.name ~ '.csr' }}"
privatekey_path: "{{ output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key' }}"
privatekey_passphrase: "{{ item.passphrase | default(omit) }}"
provider: selfsigned
loop:
- name: cert
commonName: example.com
- name: cert-pw
passphrase: hunter2
commonName: example.com
- name: cert2
keyname: cert
commonName: example.org
- name: cert2-pw
keyname: cert-pw
passphrase: hunter2
commonName: example.org
- name: Create a Java key store for the given certificates (check mode)
community.general.java_keystore: &create_key_store_data
name: example
certificate: "{{lookup('file', output_dir ~ '/' ~ item.name ~ '.pem') }}"
private_key: "{{lookup('file', output_dir ~ '/' ~ (item.keyname | default(item.name)) ~ '.key') }}"
private_key_passphrase: "{{ item.passphrase | default(omit) }}"
password: changeit
dest: "{{ output_dir ~ '/' ~ item.name ~ '.jks' }}"
loop: &create_key_store_loop
- name: cert
- name: cert-pw
passphrase: hunter2
check_mode: yes
register: result_check
- name: Create a Java key store for the given certificates
community.general.java_keystore: *create_key_store_data
loop: *create_key_store_loop
register: result
- name: Create a Java key store for the given certificates (idempotency, check mode)
community.general.java_keystore: *create_key_store_data
loop: *create_key_store_loop
check_mode: yes
register: result_idem_check
- name: Create a Java key store for the given certificates (idempotency)
community.general.java_keystore: *create_key_store_data
loop: *create_key_store_loop
register: result_idem
- name: Create a Java key store for the given certificates (certificate changed, check mode)
community.general.java_keystore: *create_key_store_data
loop: &create_key_store_loop_new_certs
- name: cert2
keyname: cert
- name: cert2-pw
keyname: cert-pw
passphrase: hunter2
check_mode: yes
register: result_change_check
- name: Create a Java key store for the given certificates (certificate changed)
community.general.java_keystore: *create_key_store_data
loop: *create_key_store_loop_new_certs
register: result_change
- name: Create a Java key store for the given certificates (password changed, check mode)
community.general.java_keystore:
<<: *create_key_store_data
password: hunter2
loop: *create_key_store_loop_new_certs
check_mode: yes
register: result_pw_change_check
when: false # FIXME: module currently crashes
- name: Create a Java key store for the given certificates (password changed)
community.general.java_keystore:
<<: *create_key_store_data
password: hunter2
loop: *create_key_store_loop_new_certs
register: result_pw_change
when: false # FIXME: module currently crashes
- name: Validate results
assert:
that:
- result is changed
- result_check is changed
- result_idem is not changed
- result_idem_check is not changed
- result_change is changed
- result_change_check is changed
# - result_pw_change is changed # FIXME: module currently crashes
# - result_pw_change_check is changed # FIXME: module currently crashes

View file

@ -0,0 +1,3 @@
dependencies:
- setup_remote_constraints
- setup_pkg_mgr

View file

@ -0,0 +1,21 @@
---
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################
- set_fact:
has_java_keytool: >-
{{
ansible_os_family not in ['Darwin', 'FreeBSD']
and not (ansible_distribution == "CentOS" and ansible_distribution_version is version("7.0", "<"))
}}
- name: Include OS-specific variables
include_vars: '{{ ansible_os_family }}.yml'
when: has_java_keytool
- name: Install keytool
package:
name: '{{ keytool_package_name }}'
become: true
when: has_java_keytool

View file

@ -0,0 +1,2 @@
---
keytool_package_name: ca-certificates-java

View file

@ -0,0 +1,2 @@
---
keytool_package_name: java-11-openjdk-headless

View file

@ -0,0 +1,2 @@
---
keytool_package_name: java-11-openjdk-headless