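---
## Verify that integration_config was specified
#
# Every credential, address and path used below is expected to come from the
# integration config (the entrust_api_* and *_path variables). Failing fast
# here keeps the later tasks from running with a partially defined set of
# secrets.
- block:
    - assert:
        that:
          - entrust_api_user is defined
          - entrust_api_key is defined
          - entrust_api_ip_address is defined
          - entrust_cloud_ip_address is defined
          - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined
          # "is defined" was missing on the second operand: an undefined
          # variable there raises an undefined-variable error instead of a
          # readable assertion failure, and a defined one was only tested for
          # truthiness.
          - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents is defined
          - cacerts_bundle_path_local is defined
        # NOTE(review): the guard accepts *_contents as an alternative to
        # *_path, but the setup below only copies from *_path; a run that
        # supplies only *_contents would fail at those copy tasks. Confirm
        # which form the test config actually provides.

## SET UP TEST ENVIRONMENT ########################################################################

    - name: copy the files needed for verifying test server certificate to the host
      copy:
        src: '{{ cacerts_bundle_path_local }}/'
        dest: '{{ cacerts_bundle_path }}'

    # c_rehash creates the hash-named symlinks OpenSSL uses to locate the QA
    # CA certificates in the bundle directory; without it the test server's
    # certificate would not verify.
    - name: Update the CA certificates for our QA certs (collection may need updating if new QA environments used)
      command: 'c_rehash {{ cacerts_bundle_path }}'

    # The QA endpoints are reached by pinning the public Entrust hostnames to
    # test IP addresses in /etc/hosts. This changes name resolution for the
    # whole host and is not reverted by the always: section at the end.
    - name: Update hosts file
      lineinfile:
        path: /etc/hosts
        state: present
        # dots escaped so only the literal hostname matches
        regexp: 'api\.entrust\.net$'
        line: '{{ entrust_api_ip_address }} api.entrust.net'

    - name: Update hosts file
      lineinfile:
        path: /etc/hosts
        state: present
        regexp: 'cloud\.entrust\.net$'
        line: '{{ entrust_cloud_ip_address }} cloud.entrust.net'

    - name: Clear out the temporary directory for storing the API connection information
      file:
        path: '{{ tmpdir_path }}'
        state: absent

    - name: Create a directory for storing the API connection Information
      file:
        path: '{{ tmpdir_path }}'
        state: directory

    # The API client certificate and its private key are staged under
    # tmpdir_path for the duration of the run; the always: section removes
    # the whole directory afterwards.
    - name: Copy the files needed for the connection to entrust API to the host
      copy:
        src: '{{ entrust_api_client_cert_path }}'
        dest: '{{ entrust_api_cert }}'

    # NOTE(review): the key file is created with the default umask; consider
    # setting mode: '0600' on this copy if other users share the test host.
    - name: Copy the files needed for the connection to entrust API to the host
      copy:
        src: '{{ entrust_api_client_cert_key_path }}'
        dest: '{{ entrust_api_cert_key }}'

## SETUP CSR TO REQUEST
    - name: Generate a 2048 bit RSA private key
      openssl_privatekey:
        path: '{{ privatekey_path }}'
        passphrase: '{{ privatekey_passphrase }}'
        cipher: auto
        type: RSA
        size: 2048

    - name: Generate a certificate signing request using the generated key
      openssl_csr:
        path: '{{ csr_path }}'
        privatekey_path: '{{ privatekey_path }}'
        privatekey_passphrase: '{{ privatekey_passphrase }}'
        common_name: '{{ common_name }}'
        # optional subject fields are left out of the module call when the
        # test config does not set them
        organization_name: '{{ organization_name | default(omit) }}'
        organizational_unit_name: '{{ organizational_unit_name | default(omit) }}'
        country_name: '{{ country_name | default(omit) }}'
        state_or_province_name: '{{ state_or_province_name | default(omit) }}'
        digest: sha256

## RUN THE CERTIFICATE REQUEST SCENARIOS
    # NOTE(review): entrust_api_key is passed as a plain module argument in
    # each task below; whether the module marks it no_log is not visible
    # here, so verbose task output may expose it. Confirm before running in
    # shared CI logs.
    - block:
        # Scenario 1: a fresh request from the CSR must issue a certificate.
        - name: Have ECS generate a signed certificate
          ecs_certificate:
            backup: true
            path: '{{ example1_cert_path }}'
            full_chain_path: '{{ example1_chain_path }}'
            csr: '{{ csr_path }}'
            cert_type: '{{ example1_cert_type }}'
            requester_name: '{{ entrust_requester_name }}'
            requester_email: '{{ entrust_requester_email }}'
            requester_phone: '{{ entrust_requester_phone }}'
            entrust_api_user: '{{ entrust_api_user }}'
            entrust_api_key: '{{ entrust_api_key }}'
            entrust_api_client_cert_path: '{{ entrust_api_cert }}'
            entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
          register: example1_result

        - assert:
            that:
              - example1_result is not failed
              - example1_result.changed
              - example1_result.tracking_id > 0
              - example1_result.serial_number is string

        # Internal CA refuses to issue certificates with the same DN in a short time frame
        - name: Sleep for 5 seconds so we don't run into duplicate-request errors
          pause:
            seconds: 5

        # Scenario 2: the same request against a still-valid certificate must
        # be a no-op — no change, no backups, same serial and tracking id.
        - name: Attempt to have ECS generate a signed certificate, but existing one is valid
          ecs_certificate:
            backup: true
            path: '{{ example1_cert_path }}'
            full_chain_path: '{{ example1_chain_path }}'
            csr: '{{ csr_path }}'
            cert_type: '{{ example1_cert_type }}'
            requester_name: '{{ entrust_requester_name }}'
            requester_email: '{{ entrust_requester_email }}'
            requester_phone: '{{ entrust_requester_phone }}'
            entrust_api_user: '{{ entrust_api_user }}'
            entrust_api_key: '{{ entrust_api_key }}'
            entrust_api_client_cert_path: '{{ entrust_api_cert }}'
            entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
          register: example2_result

        - assert:
            that:
              - example2_result is not failed
              - not example2_result.changed
              - example2_result.backup_file is undefined
              - example2_result.backup_full_chain_file is undefined
              - example2_result.serial_number == example1_result.serial_number
              - example2_result.tracking_id == example1_result.tracking_id

        # Internal CA refuses to issue certificates with the same DN in a short time frame
        - name: Sleep for 5 seconds so we don't run into duplicate-request errors
          pause:
            seconds: 5

        # Scenario 3: a forced reissue without a CSR must replace the files,
        # leave backups of the previous ones and yield a new serial/tracking id.
        - name: Force a reissue with no CSR, verify that contents changed
          ecs_certificate:
            backup: true
            force: true
            path: '{{ example1_cert_path }}'
            full_chain_path: '{{ example1_chain_path }}'
            cert_type: '{{ example1_cert_type }}'
            request_type: reissue
            requester_name: '{{ entrust_requester_name }}'
            requester_email: '{{ entrust_requester_email }}'
            requester_phone: '{{ entrust_requester_phone }}'
            entrust_api_user: '{{ entrust_api_user }}'
            entrust_api_key: '{{ entrust_api_key }}'
            entrust_api_client_cert_path: '{{ entrust_api_cert }}'
            entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
          register: example3_result

        - assert:
            that:
              - example3_result is not failed
              - example3_result.changed
              - example3_result.backup_file is string
              - example3_result.backup_full_chain_file is string
              - example3_result.tracking_id > 0
              - example3_result.tracking_id != example1_result.tracking_id
              - example3_result.serial_number != example1_result.serial_number

        # Internal CA refuses to issue certificates with the same DN in a short time frame
        - name: Sleep for 5 seconds so we don't run into duplicate-request errors
          pause:
            seconds: 5

        # Scenario 4: every optional request field populated, written to a
        # separate path so no backup of an earlier certificate is produced.
        - name: Test a request with all of the various optional possible fields populated
          ecs_certificate:
            path: '{{ example4_cert_path }}'
            csr: '{{ csr_path }}'
            subject_alt_name: '{{ example4_subject_alt_name }}'
            eku: '{{ example4_eku }}'
            ct_log: true
            cert_type: '{{ example4_cert_type }}'
            org: '{{ example4_org }}'
            ou: '{{ example4_ou }}'
            tracking_info: '{{ example4_tracking_info }}'
            additional_emails: '{{ example4_additional_emails }}'
            custom_fields: '{{ example4_custom_fields }}'
            cert_expiry: '{{ example4_cert_expiry }}'
            requester_name: '{{ entrust_requester_name }}'
            requester_email: '{{ entrust_requester_email }}'
            requester_phone: '{{ entrust_requester_phone }}'
            entrust_api_user: '{{ entrust_api_user }}'
            entrust_api_key: '{{ entrust_api_key }}'
            entrust_api_client_cert_path: '{{ entrust_api_cert }}'
            entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
          register: example4_result

        - assert:
            that:
              - example4_result is not failed
              - example4_result.changed
              - example4_result.backup_file is undefined
              - example4_result.backup_full_chain_file is undefined
              - example4_result.tracking_id > 0
              - example4_result.serial_number is string

  # NOTE(review): indentation was lost on the source page; always: is placed
  # on the outer block because the directory it removes is created by the
  # outer block's setup tasks. Confirm against the upstream file. Note that
  # the /etc/hosts entries and the rehashed CA bundle are not cleaned up here.
  always:
    - name: clean-up temporary folder
      file:
        path: '{{ tmpdir_path }}'
        state: absent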