ansible/test/integration/targets/postgresql/tasks/ssl.yml

106 lines
3 KiB
YAML
Raw Normal View History

# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# The aim of this test is to be sure that SSL options work in general
# and preparing the environment for testing these options in
# the following PostgreSQL modules (ssl_db, ssl_user, certs).
# Configured by https://www.postgresql.org/docs/current/ssl-tcp.html
####################
# Prepare for tests:
- name: postgresql SSL - create database
become_user: "{{ pg_user }}"
become: yes
postgresql_db:
name: "{{ ssl_db }}"
- name: postgresql SSL - create role
become_user: "{{ pg_user }}"
become: yes
postgresql_user:
name: "{{ ssl_user }}"
role_attr_flags: SUPERUSER
password: "{{ ssl_pass }}"
- name: postgresql SSL - install openssl
become: yes
package: name=openssl state=present
- name: postgresql SSL - create certs 1
become_user: "{{ pg_user }}"
become: yes
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \
-keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"'
- name: postgresql SSL - set right permissions to root.key
become_user: "{{ pg_user }}"
become: yes
file:
path: '~{{ pg_user }}/root.key'
mode: 0770
- name: postgresql SSL - create certs 3
become_user: "{{ pg_user }}"
become: yes
shell: 'openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \
-extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt'
- name: postgresql SSL - create certs 4
become_user: "{{ pg_user }}"
become: yes
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \
-keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"'
- name: postgresql SSL - set right permissions to server.key
become_user: "{{ pg_user }}"
become: yes
file:
path: '~{{ pg_user }}/server.key'
mode: 0770
- name: postgresql SSL - create certs 5
become_user: "{{ pg_user }}"
become: yes
shell: 'openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \
-CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt'
- name: postgresql SSL - enable SSL
become_user: "{{ pg_user }}"
become: yes
postgresql_set:
login_user: "{{ pg_user }}"
db: postgres
name: ssl
value: on
- name: postgresql SSL - reload PostgreSQL to enable ssl on
become: yes
service:
name: "{{ postgresql_service }}"
state: reloaded
###############
# Do main tests
- name: postgresql SSL - ping DB with SSL
become_user: "{{ pg_user }}"
become: yes
postgresql_ping:
db: "{{ ssl_db }}"
login_user: "{{ ssl_user }}"
login_password: "{{ ssl_pass }}"
login_host: 127.0.0.1
login_port: 5432
ssl_mode: require
ca_cert: '{{ ssl_rootcert }}'
register: result
- assert:
that:
- result.is_available == true
###################################################
# I decided not to clean ssl_db, ssl_user and certs
# for testing options related with SSL in other modules