From 29ca9d2d4df9f93d7097ee18e1fe32487b860342 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Wed, 19 Feb 2020 18:24:46 +0100 Subject: [PATCH] openssl_* modules: improve test robustness (#67568) * Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD. --- .../openssl_certificate/tasks/ownca.yml | 223 +++++++++--------- .../openssl_certificate/tasks/selfsigned.yml | 80 ++++--- .../tests/validate_ownca.yml | 4 +- .../tests/validate_selfsigned.yml | 4 +- .../targets/openssl_csr/tasks/impl.yml | 54 +++-- .../targets/openssl_csr/tests/validate.yml | 4 +- .../targets/openssl_privatekey/tasks/impl.yml | 15 ++ .../openssl_privatekey/tests/validate.yml | 32 ++- 8 files changed, 231 insertions(+), 185 deletions(-) diff --git a/test/integration/targets/openssl_certificate/tasks/ownca.yml b/test/integration/targets/openssl_certificate/tasks/ownca.yml index 151461a74cc..0d1381ff02e 100644 --- a/test/integration/targets/openssl_certificate/tasks/ownca.yml +++ b/test/integration/targets/openssl_certificate/tasks/ownca.yml 
@@ -449,122 +449,129 @@ loop: - Ed25519 - Ed448 - - - name: (OwnCA, {{select_crypto_backend}}) Generate CSR - openssl_csr: - path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - subject: - commonName: www.ansible.com - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 + register: ownca_certificate_ed25519_ed448_privatekey ignore_errors: yes - - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate - openssl_certificate: - path: '{{ output_dir }}/ownca_cert_{{ item }}.pem' - csr_path: '{{ output_dir }}/csr_{{ item }}.csr' - ownca_path: '{{ output_dir }}/ca_cert.pem' - ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' - provider: ownca - ownca_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: ownca_certificate_ed25519_ed448 - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded + when: ownca_certificate_ed25519_ed448_privatekey is not failed + block: - - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) - openssl_certificate: - path: '{{ output_dir }}/ownca_cert_{{ item }}.pem' - csr_path: '{{ output_dir }}/csr_{{ item }}.csr' - ownca_path: '{{ output_dir }}/ca_cert.pem' - ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' - provider: ownca - ownca_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: ownca_certificate_ed25519_ed448_idempotence - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate CSR + openssl_csr: + path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + subject: + commonName: www.ansible.com + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + ignore_errors: yes - - name: (OwnCA, {{select_crypto_backend}}) 
Generate CA privatekey - openssl_privatekey: - path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' - type: '{{ item }}' - cipher: auto - passphrase: Test123 - loop: - - Ed25519 - - Ed448 + - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate + openssl_certificate: + path: '{{ output_dir }}/ownca_cert_{{ item }}.pem' + csr_path: '{{ output_dir }}/csr_{{ item }}.csr' + ownca_path: '{{ output_dir }}/ca_cert.pem' + ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' + provider: ownca + ownca_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: ownca_certificate_ed25519_ed448 + ignore_errors: yes - - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR - openssl_csr: - path: '{{ output_dir }}/ca_csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' - privatekey_passphrase: Test123 - subject: - commonName: Example CA - useCommonNameForSAN: no - basic_constraints: - - 'CA:TRUE' - basic_constraints_critical: yes - key_usage: - - cRLSign - - keyCertSign - loop: - - Ed25519 - - Ed448 - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) + openssl_certificate: + path: '{{ output_dir }}/ownca_cert_{{ item }}.pem' + csr_path: '{{ output_dir }}/csr_{{ item }}.csr' + ownca_path: '{{ output_dir }}/ca_cert.pem' + ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem' + provider: ownca + ownca_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: ownca_certificate_ed25519_ed448_idempotence + ignore_errors: yes - - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA certificate - openssl_certificate: - path: '{{ output_dir }}/ca_cert_{{ item }}.pem' - csr_path: '{{ output_dir }}/ca_csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' - privatekey_passphrase: Test123 - provider: selfsigned - 
select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate CA privatekey + openssl_privatekey: + path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' + type: '{{ item }}' + cipher: auto + passphrase: Test123 + ignore_errors: yes + loop: + - Ed25519 + - Ed448 - - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate - openssl_certificate: - path: '{{ output_dir }}/ownca_cert_{{ item }}_2.pem' - csr_path: '{{ output_dir }}/csr.csr' - ownca_path: '{{ output_dir }}/ca_cert_{{ item }}.pem' - ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' - ownca_privatekey_passphrase: Test123 - provider: ownca - ownca_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: ownca_certificate_ed25519_ed448_2 - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate CA CSR + openssl_csr: + path: '{{ output_dir }}/ca_csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' + privatekey_passphrase: Test123 + subject: + commonName: Example CA + useCommonNameForSAN: no + basic_constraints: + - 'CA:TRUE' + basic_constraints_critical: yes + key_usage: + - cRLSign + - keyCertSign + loop: + - Ed25519 + - Ed448 + ignore_errors: yes - - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) - openssl_certificate: - path: '{{ output_dir }}/ownca_cert_{{ item }}_2.pem' - csr_path: '{{ output_dir }}/csr.csr' - ownca_path: '{{ output_dir }}/ca_cert_{{ item }}.pem' - ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' - ownca_privatekey_passphrase: Test123 - provider: ownca - ownca_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: ownca_certificate_ed25519_ed448_2_idempotence - ignore_errors: yes + - name: (OwnCA, {{select_crypto_backend}}) Generate selfsigned CA 
certificate + openssl_certificate: + path: '{{ output_dir }}/ca_cert_{{ item }}.pem' + csr_path: '{{ output_dir }}/ca_csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' + privatekey_passphrase: Test123 + provider: selfsigned + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + ignore_errors: yes + + - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate + openssl_certificate: + path: '{{ output_dir }}/ownca_cert_{{ item }}_2.pem' + csr_path: '{{ output_dir }}/csr.csr' + ownca_path: '{{ output_dir }}/ca_cert_{{ item }}.pem' + ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' + ownca_privatekey_passphrase: Test123 + provider: ownca + ownca_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: ownca_certificate_ed25519_ed448_2 + ignore_errors: yes + + - name: (OwnCA, {{select_crypto_backend}}) Generate ownca certificate (idempotent) + openssl_certificate: + path: '{{ output_dir }}/ownca_cert_{{ item }}_2.pem' + csr_path: '{{ output_dir }}/csr.csr' + ownca_path: '{{ output_dir }}/ca_cert_{{ item }}.pem' + ownca_privatekey_path: '{{ output_dir }}/ca_privatekey_{{ item }}.pem' + ownca_privatekey_passphrase: Test123 + provider: ownca + ownca_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: ownca_certificate_ed25519_ed448_2_idempotence + ignore_errors: yes when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') diff --git a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml index 657d4e25777..5455d40b006 100644 --- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml +++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml 
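Review bot: The new `when: ownca_certificate_ed25519_ed448_privatekey is not failed` on the block skips the CSR and certificate tasks for any key-generation failure, not only for missing algorithm support. The matching `when:` additions in validate_ownca.yml then skip every Ed25519/Ed448 assertion, so a genuine regression in key generation would pass unnoticed. Because the register is taken on a loop, a failure of Ed448 alone presumably also drops the Ed25519 coverage. The same gating appears in selfsigned.yml, openssl_csr/tasks/impl.yml and their validate files. I would add an assert directly after the key-generation task that accepts a failed item only when its message is the 'algorithm not supported' text that the openssl_privatekey validation in this patch matches on; the enclosing block starts before this hunk.

```yaml
# … unchanged: private key generation task registering ownca_certificate_ed25519_ed448_privatekey …
- name: (OwnCA, {{select_crypto_backend}}) Accept key generation failure only for missing algorithm support
  assert:
    that:
      - "'Cryptography backend does not support the algorithm required for ' in item.msg"
  loop: "{{ ownca_certificate_ed25519_ed448_privatekey.results }}"
  when: item is failed
  loop_control:
    label: "{{ item.item }}"
```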
@@ -379,46 +379,52 @@ loop: - Ed25519 - Ed448 - - - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR - openssl_csr: - path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - subject: - commonName: www.ansible.com - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 + register: selfsigned_certificate_ed25519_ed448_privatekey ignore_errors: yes - - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - openssl_certificate: - path: '{{ output_dir }}/cert_{{ item }}.pem' - csr_path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - provider: selfsigned - selfsigned_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: selfsigned_certificate_ed25519_ed448 - ignore_errors: yes + - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded + when: selfsigned_certificate_ed25519_ed448_privatekey is not failed + block: - - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency - openssl_certificate: - path: '{{ output_dir }}/cert_{{ item }}.pem' - csr_path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - provider: selfsigned - selfsigned_digest: sha256 - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: selfsigned_certificate_ed25519_ed448_idempotence - ignore_errors: yes + - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR + openssl_csr: + path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + subject: + commonName: www.ansible.com + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + ignore_errors: yes + + - name: (Selfsigned, {{select_crypto_backend}}) Generate 
selfsigned certificate + openssl_certificate: + path: '{{ output_dir }}/cert_{{ item }}.pem' + csr_path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + provider: selfsigned + selfsigned_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: selfsigned_certificate_ed25519_ed448 + ignore_errors: yes + + - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate - idempotency + openssl_certificate: + path: '{{ output_dir }}/cert_{{ item }}.pem' + csr_path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + provider: selfsigned + selfsigned_digest: sha256 + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: selfsigned_certificate_ed25519_ed448_idempotence + ignore_errors: yes when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') diff --git a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml index 0a68b092d89..19ab61988e9 100644 --- a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml +++ b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml 
@@ -158,7 +158,7 @@ - ownca_certificate_ed25519_ed448_2.results[1] is failed - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed - name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) assert: @@ -175,4 +175,4 @@ - ownca_certificate_ed25519_ed448_2_idempotence is succeeded - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed diff --git a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml index a178338fee5..85df20c54e1 100644 --- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml +++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml 
@@ -150,7 +150,7 @@ - selfsigned_certificate_ed25519_ed448.results[1] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and selfsigned_certificate_ed25519_ed448_privatekey is not failed - name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) assert: @@ -161,4 +161,4 @@ - selfsigned_certificate_ed25519_ed448_idempotence is succeeded - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and selfsigned_certificate_ed25519_ed448_privatekey is not failed diff --git a/test/integration/targets/openssl_csr/tasks/impl.yml b/test/integration/targets/openssl_csr/tasks/impl.yml index ef0bde709a7..77d23ff5a8e 100644 --- a/test/integration/targets/openssl_csr/tasks/impl.yml +++ b/test/integration/targets/openssl_csr/tasks/impl.yml 
@@ -731,31 +731,37 @@ loop: - Ed25519 - Ed448 - - - name: Generate CSR - openssl_csr: - path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - subject: - commonName: www.ansible.com - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: generate_csr_ed25519_ed448 + register: generate_csr_ed25519_ed448_privatekey ignore_errors: yes - - name: Generate CSR (idempotent) - openssl_csr: - path: '{{ output_dir }}/csr_{{ item }}.csr' - privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' - subject: - commonName: www.ansible.com - select_crypto_backend: '{{ select_crypto_backend }}' - loop: - - Ed25519 - - Ed448 - register: generate_csr_ed25519_ed448_idempotent - ignore_errors: yes + - name: Generate CSR if private key generation succeeded + when: generate_csr_ed25519_ed448_privatekey is not failed + block: + + - name: Generate CSR + openssl_csr: + path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + subject: + commonName: www.ansible.com + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: generate_csr_ed25519_ed448 + ignore_errors: yes + + - name: Generate CSR (idempotent) + openssl_csr: + path: '{{ output_dir }}/csr_{{ item }}.csr' + privatekey_path: '{{ output_dir }}/privatekey_{{ item }}.pem' + subject: + commonName: www.ansible.com + select_crypto_backend: '{{ select_crypto_backend }}' + loop: + - Ed25519 + - Ed448 + register: generate_csr_ed25519_ed448_idempotent + ignore_errors: yes when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml index f321837a40c..bdf4b859cc0 100644 --- a/test/integration/targets/openssl_csr/tests/validate.yml 
+++ b/test/integration/targets/openssl_csr/tests/validate.yml @@ -194,7 +194,7 @@ - generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.' - generate_csr_ed25519_ed448_idempotent.results[0] is failed - generate_csr_ed25519_ed448_idempotent.results[1] is failed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and generate_csr_ed25519_ed448_privatekey is not failed - name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) assert: @@ -205,4 +205,4 @@ - generate_csr_ed25519_ed448_idempotent is succeeded - generate_csr_ed25519_ed448_idempotent.results[0] is not changed - generate_csr_ed25519_ed448_idempotent.results[1] is not changed - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed diff --git a/test/integration/targets/openssl_privatekey/tasks/impl.yml b/test/integration/targets/openssl_privatekey/tasks/impl.yml index 03f92e94fd5..a1e501cd078 100644 --- a/test/integration/targets/openssl_privatekey/tasks/impl.yml +++ b/test/integration/targets/openssl_privatekey/tasks/impl.yml @@ -170,6 +170,7 @@ loop: "{{ types }}" loop_control: label: "{{ item.type }}" + ignore_errors: yes register: privatekey_t1_generate - name: Test other type generation (idempotency) @@ -181,6 +182,7 @@ loop: "{{ types }}" loop_control: label: "{{ item.type }}" + ignore_errors: yes register: privatekey_t1_idempotency when: select_crypto_backend == 'cryptography' 
@@ -383,6 +385,7 @@ type: X448 format: pkcs8 select_crypto_backend: '{{ select_crypto_backend }}' + ignore_errors: yes register: privatekey_fmt_2_step_1 - name: Generate privatekey_fmt_2 - PKCS8 format (idempotent) @@ -391,6 +394,7 @@ type: X448 format: pkcs8 select_crypto_backend: '{{ select_crypto_backend }}' + ignore_errors: yes register: privatekey_fmt_2_step_2 - name: Generate privatekey_fmt_2 - raw format @@ -400,17 +404,20 @@ format: raw select_crypto_backend: '{{ select_crypto_backend }}' return_content: yes + ignore_errors: yes register: privatekey_fmt_2_step_3 - name: Read privatekey_fmt_2.pem slurp: src: "{{ output_dir }}/privatekey_fmt_2.pem" + ignore_errors: yes register: content - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded assert: that: - privatekey_fmt_2_step_3.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - name: Generate privatekey_fmt_2 - raw format (idempotent) openssl_privatekey: @@ -419,17 +426,20 @@ format: raw select_crypto_backend: '{{ select_crypto_backend }}' return_content: yes + ignore_errors: yes register: privatekey_fmt_2_step_4 - name: Read privatekey_fmt_2.pem slurp: src: "{{ output_dir }}/privatekey_fmt_2.pem" + ignore_errors: yes register: content - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded assert: that: - privatekey_fmt_2_step_4.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - name: Generate privatekey_fmt_2 - auto format (ignore) openssl_privatekey: 
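Review bot: In the three `Read privatekey_fmt_2.pem` slurp tasks (the hunk at -400 and the ones at -419 and -438), `ignore_errors: yes` also hides read failures that have nothing to do with algorithm support. When step 1 succeeded and the read fails, the problem only surfaces in the following assert as an undefined `content.content`. Gating the slurp the same way as the assert, with `when: privatekey_fmt_2_step_1 is not failed` instead of `ignore_errors: yes`, would keep unexpected read errors visible at the task that caused them. The enclosing block begins outside these hunks.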
@@ -438,17 +448,20 @@ format: auto_ignore select_crypto_backend: '{{ select_crypto_backend }}' return_content: yes + ignore_errors: yes register: privatekey_fmt_2_step_5 - name: Read privatekey_fmt_2.pem slurp: src: "{{ output_dir }}/privatekey_fmt_2.pem" + ignore_errors: yes register: content - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded assert: that: - privatekey_fmt_2_step_5.privatekey == content.content + when: privatekey_fmt_2_step_1 is not failed - name: Generate privatekey_fmt_2 - auto format (no ignore) openssl_privatekey: @@ -457,12 +470,14 @@ format: auto select_crypto_backend: '{{ select_crypto_backend }}' return_content: yes + ignore_errors: yes register: privatekey_fmt_2_step_6 - name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded assert: that: - privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False) + when: privatekey_fmt_2_step_1 is not failed when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' diff --git a/test/integration/targets/openssl_privatekey/tests/validate.yml b/test/integration/targets/openssl_privatekey/tests/validate.yml index b6594cf5d73..56649715544 100644 --- a/test/integration/targets/openssl_privatekey/tests/validate.yml +++ b/test/integration/targets/openssl_privatekey/tests/validate.yml @@ -1,4 +1,7 @@ --- +- set_fact: + system_potentially_has_no_algorithm_support: "{{ ansible_os_family == 'FreeBSD' }}" + - name: Validate privatekey1 idempotency and content returned assert: that: 
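Review bot: The `set_fact` task added at the top of openssl_privatekey/tests/validate.yml has no `name:` and nothing explains why FreeBSD alone is allowed to fail, so a reader has to go to the commit message to learn it. I would give it a name such as `name: Determine whether key generation may fail with 'algorithm not supported'` and a one-line comment stating that the flag relaxes the other-type and X448 format assertions further down. Since the flag depends on `ansible_os_family` only, a real loss of algorithm support on FreeBSD is presumably accepted as well; that trade-off is worth stating in the comment.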
@@ -123,17 +126,18 @@ - name: Validate other type generation (just check changed) assert: that: - - item is changed + - (item is succeeded and item is changed) or + (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_generate.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.type }}" - - name: Validate other type generation idempotency assert: that: - - item is not changed + - (item is succeeded and item is not changed) or + (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_idempotency.results }}" when: "'skip_reason' not in item" loop_control: 
@@ -191,13 +195,21 @@ - privatekey_fmt_1_step_9_before.public_key == privatekey_fmt_1_step_9_after.public_key when: 'select_crypto_backend == "cryptography"' +- name: Validate format 2 (failed) + assert: + that: + - system_potentially_has_no_algorithm_support + - privatekey_fmt_2_step_1 is failed + - "'Cryptography backend does not support the algorithm required for ' in privatekey_fmt_2_step_1.msg" + when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is failed' + - name: Validate format 2 assert: that: - - privatekey_fmt_2_step_1 is changed - - privatekey_fmt_2_step_2 is not changed - - privatekey_fmt_2_step_3 is changed - - privatekey_fmt_2_step_4 is not changed - - privatekey_fmt_2_step_5 is not changed - - privatekey_fmt_2_step_6 is changed - when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' + - privatekey_fmt_2_step_1 is succeeded and privatekey_fmt_2_step_1 is changed + - privatekey_fmt_2_step_2 is succeeded and privatekey_fmt_2_step_2 is not changed + - privatekey_fmt_2_step_3 is succeeded and privatekey_fmt_2_step_3 is changed + - privatekey_fmt_2_step_4 is succeeded and privatekey_fmt_2_step_4 is not changed + - privatekey_fmt_2_step_5 is succeeded and privatekey_fmt_2_step_5 is not changed + - privatekey_fmt_2_step_6 is succeeded and privatekey_fmt_2_step_6 is changed + when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is not failed'