106 lines
3 KiB
YAML
106 lines
3 KiB
YAML
|
# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
|
||
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||
|
|
||
|
# The aim of this test is to be sure that SSL options work in general
|
||
|
# and preparing the environment for testing these options in
|
||
|
# the following PostgreSQL modules (ssl_db, ssl_user, certs).
|
||
|
# Configured by https://www.postgresql.org/docs/current/ssl-tcp.html
|
||
|
|
||
|
####################
|
||
|
# Prepare for tests:
|
||
|
|
||
|
- name: postgresql SSL - create database
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_db:
|
||
|
name: "{{ ssl_db }}"
|
||
|
|
||
|
- name: postgresql SSL - create role
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_user:
|
||
|
name: "{{ ssl_user }}"
|
||
|
role_attr_flags: SUPERUSER
|
||
|
password: "{{ ssl_pass }}"
|
||
|
|
||
|
- name: postgresql SSL - install openssl
|
||
|
become: yes
|
||
|
package: name=openssl state=present
|
||
|
|
||
|
- name: postgresql SSL - create certs 1
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \
|
||
|
-keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"'
|
||
|
|
||
|
- name: postgresql SSL - set right permissions to root.key
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
file:
|
||
|
path: '~{{ pg_user }}/root.key'
|
||
|
mode: 0770
|
||
|
|
||
|
- name: postgresql SSL - create certs 3
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
shell: 'openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \
|
||
|
-extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt'
|
||
|
|
||
|
- name: postgresql SSL - create certs 4
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \
|
||
|
-keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"'
|
||
|
|
||
|
- name: postgresql SSL - set right permissions to server.key
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
file:
|
||
|
path: '~{{ pg_user }}/server.key'
|
||
|
mode: 0770
|
||
|
|
||
|
- name: postgresql SSL - create certs 5
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
shell: 'openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \
|
||
|
-CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt'
|
||
|
|
||
|
- name: postgresql SSL - enable SSL
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_set:
|
||
|
login_user: "{{ pg_user }}"
|
||
|
db: postgres
|
||
|
name: ssl
|
||
|
value: on
|
||
|
|
||
|
- name: postgresql SSL - reload PostgreSQL to enable ssl on
|
||
|
become: yes
|
||
|
service:
|
||
|
name: "{{ postgresql_service }}"
|
||
|
state: reloaded
|
||
|
|
||
|
###############
|
||
|
# Do main tests
|
||
|
|
||
|
- name: postgresql SSL - ping DB with SSL
|
||
|
become_user: "{{ pg_user }}"
|
||
|
become: yes
|
||
|
postgresql_ping:
|
||
|
db: "{{ ssl_db }}"
|
||
|
login_user: "{{ ssl_user }}"
|
||
|
login_password: "{{ ssl_pass }}"
|
||
|
login_host: 127.0.0.1
|
||
|
login_port: 5432
|
||
|
ssl_mode: require
|
||
|
ca_cert: '{{ ssl_rootcert }}'
|
||
|
register: result
|
||
|
|
||
|
- assert:
|
||
|
that:
|
||
|
- result.is_available == true
|
||
|
|
||
|
###################################################
|
||
|
# I decided not to clean ssl_db, ssl_user and certs
|
||
|
# for testing options related with SSL in other modules
|