1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Extend test coverage for openssl modules (#27548)

* openssl_privatekey: Extend test coverage

Extend the coverage of the integration test for the module
openssl_privatekey.

New tests have been added:

  * passphrase
  * idempotence
  * removal

Co-Authored-By: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>

* openssl_publickey: Extend test coverage

Extend the coverage on the integration test for the module
openssl_publickey.

New tests have been added:

  * OpenSSH format
  * passphrase
  * idempotence
  * removal
This commit is contained in:
Yanis Guenane 2017-08-21 13:19:41 +02:00 committed by John R Barker
parent 4653f892c8
commit d4e7b045b7
7 changed files with 183 additions and 15 deletions

View file

@ -29,6 +29,7 @@ import hashlib
import os
from ansible.module_utils import six
from ansible.module_utils._text import to_bytes
class OpenSSLObjectError(Exception):
@ -63,7 +64,7 @@ def load_privatekey(path, passphrase=None):
if passphrase:
privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
open(path, 'rb').read(),
passphrase)
to_bytes(passphrase))
else:
privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
open(path, 'rb').read())

View file

@ -134,7 +134,7 @@ else:
pyopenssl_found = True
from ansible.module_utils import crypto as crypto_utils
from ansible.module_utils._text import to_native
from ansible.module_utils._text import to_native, to_bytes
from ansible.module_utils.basic import AnsibleModule
@ -181,11 +181,11 @@ class PrivateKey(crypto_utils.OpenSSLObject):
os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
self.mode)
extras = {}
if self.cipher and self.passphrase:
extras = {'cipher': self.cipher, 'passphrase': self.passphrase}
os.write(privatekey_file, crypto.dump_privatekey(crypto.FILETYPE_PEM, self.privatekey, **extras))
os.write(privatekey_file, crypto.dump_privatekey(crypto.FILETYPE_PEM, self.privatekey,
self.cipher, to_bytes(self.passphrase)))
else:
os.write(privatekey_file, crypto.dump_privatekey(crypto.FILETYPE_PEM, self.privatekey))
os.close(privatekey_file)
self.changed = True
except IOError as exc:

View file

@ -12,4 +12,32 @@
path: '{{ output_dir }}/privatekey3.pem'
type: DSA
- name: Generate privatekey4 - standard
openssl_privatekey:
path: '{{ output_dir }}/privatekey4.pem'
- name: Delete privatekey4 - standard
openssl_privatekey:
state: absent
path: '{{ output_dir }}/privatekey4.pem'
- name: Generate privatekey5 - standard - with passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekey5.pem'
passphrase: ansible
cipher: aes256
- name: Generate privatekey5 - standard - idempotence
openssl_privatekey:
path: '{{ output_dir }}/privatekey5.pem'
passphrase: ansible
cipher: aes256
register: privatekey5_idempotence
- name: Generate privatekey6 - standard - with non-ASCII passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekey6.pem'
passphrase: ànsïblé
cipher: aes256
- import_tasks: ../tests/validate.yml

View file

@ -1,28 +1,70 @@
- name: Validate privatekey1 (test)
- name: Validate privatekey1 (test - RSA key with size 4096 bits)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
register: privatekey1
- name: Validate privatekey1 (assert)
- name: Validate privatekey1 (assert - RSA key with size 4096 bits)
assert:
that:
- privatekey1.stdout == '4096'
- name: Validate privatekey2 (test)
- name: Validate privatekey2 (test - RSA key with size 2048 bits)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
register: privatekey2
- name: Validate privatekey2 (assert)
- name: Validate privatekey2 (assert - RSA key with size 2048 bits)
assert:
that:
- privatekey2.stdout == '2048'
- name: Validate privatekey3 (test)
- name: Validate privatekey3 (test - DSA key with size 4096 bits)
shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
register: privatekey3
- name: Validate privatekey3 (assert)
- name: Validate privatekey3 (assert - DSA key with size 4096 bits)
assert:
that:
- privatekey1.stdout == '4096'
- privatekey3.stdout == '4096'
- name: Validate privatekey4 (test - Ensure key has been removed)
stat:
path: '{{ output_dir }}/privatekey4.pem'
register: privatekey4
- name: Validate privatekey4 (assert - Ensure key has been removed)
assert:
that:
- privatekey4.stat.exists == False
- name: Validate privatekey5 (test - Passphrase protected key + idempotence)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
register: privatekey5
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate privatekey5 (assert - Passphrase protected key + idempotence)
assert:
that:
- privatekey5.stdout == '4096'
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence)
assert:
that:
- not privatekey5_idempotence|changed
- name: Validate privatekey6 (test - Passphrase protected key with non ascii character)
shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/Private-Key: (\\(.*\\) bit)/\\1/'"
register: privatekey6
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate privatekey6 (assert - Passphrase protected key with non ascii character)
assert:
that:
- privatekey6.stdout == '4096'
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')

View file

@ -3,11 +3,51 @@
openssl_privatekey:
path: '{{ output_dir }}/privatekey.pem'
- name: Generate publickey
- name: Generate publickey - PEM format
openssl_publickey:
path: '{{ output_dir }}/publickey.pub'
privatekey_path: '{{ output_dir }}/privatekey.pem'
- name: Generate publickey - OpenSSH format
openssl_publickey:
path: '{{ output_dir }}/publickey-ssh.pub'
privatekey_path: '{{ output_dir }}/privatekey.pem'
format: OpenSSH
# cryptography.hazmat.primitives import serialization.Encoding.OpenSSH and
# cryptography.hazmat.primitives import serialization.PublicFormat.OpenSSH constants
# appeared in version 1.4 of cryptography
when: cryptography_version.stdout|version_compare('1.4.0', '>=')
- name: Generate publickey2 - standard
openssl_publickey:
path: '{{ output_dir }}/publickey2.pub'
privatekey_path: '{{ output_dir }}/privatekey.pem'
- name: Delete publickey2 - standard
openssl_publickey:
state: absent
path: '{{ output_dir }}/publickey2.pub'
privatekey_path: '{{ output_dir }}/privatekey.pem'
- name: Generate privatekey3 - with passphrase
openssl_privatekey:
path: '{{ output_dir }}/privatekey3.pem'
passphrase: ansible
cipher: aes256
- name: Generate publickey3 - with passphrase protected privatekey
openssl_publickey:
path: '{{ output_dir }}/publickey3.pub'
privatekey_path: '{{ output_dir }}/privatekey3.pem'
privatekey_passphrase: ansible
- name: Generate publickey3 - with passphrase protected privatekey - idempotence
openssl_publickey:
path: '{{ output_dir }}/publickey3.pub'
privatekey_path: '{{ output_dir }}/privatekey3.pem'
privatekey_passphrase: ansible
register: publickey3_idempotence
- import_tasks: ../tests/validate.yml
when: pyopenssl_version.stdout|version_compare('16.0.0', '>=')

View file

@ -10,3 +10,52 @@
assert:
that:
- publickey_modulus.stdout == privatekey_modulus.stdout
- name: Validate public key - OpenSSH format (test - privatekey's publickey)
shell: 'ssh-keygen -y -f {{ output_dir }}/privatekey.pem'
register: privatekey_publickey
when: cryptography_version.stdout|version_compare('1.4.0', '>=')
- name: Validate public key - OpenSSH format (test - publickey)
slurp:
src: '{{ output_dir }}/publickey-ssh.pub'
register: publickey
when: cryptography_version.stdout|version_compare('1.4.0', '>=')
- name: Validate public key - OpenSSH format (assert)
assert:
that:
- privatekey_publickey.stdout == '{{ publickey.content|b64decode }}'
when: cryptography_version.stdout|version_compare('1.4.0', '>=')
- name: Validate publickey2 (test - Ensure key has been removed)
stat:
path: '{{ output_dir }}/publickey2.pub'
register: publickey2
- name: Validate publickey2 (assert - Ensure key has been removed)
assert:
that:
- publickey2.stat.exists == False
- name: Validate publickey3 (test - privatekey modulus)
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible | openssl md5'
register: privatekey3_modulus
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate publickey3 (test - publickey modulus)
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub | openssl md5'
register: publickey3_modulus
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate publickey3 (assert)
assert:
that:
- publickey3_modulus.stdout == privatekey3_modulus.stdout
when: openssl_version.stdout|version_compare('0.9.8zh', '>=')
- name: Validate publickey3 idempotence (assert)
assert:
that:
- not publickey3_idempotence|changed

View file

@ -20,6 +20,14 @@
name: pyOpenSSL
when: ansible_os_family == 'Darwin'
- name: register openssl version
- name: register pyOpenSSL version
command: python -c 'import OpenSSL; print(OpenSSL.__version__)'
register: pyopenssl_version
- name: register openssl version
shell: "openssl version | cut -d' ' -f2"
register: openssl_version
- name: register cryptography version
command: python -c 'import cryptography; print(cryptography.__version__)'
register: cryptography_version