openssl_* modules: improve test robustness (#67568)

* Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded.
* Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
Felix Fontein 2020-02-19 18:24:46 +01:00 committed by GitHub
parent e867535a57
commit 29ca9d2d4d
8 changed files with 231 additions and 185 deletions


@ -449,6 +449,12 @@
loop: loop:
- Ed25519 - Ed25519
- Ed448 - Ed448
register: ownca_certificate_ed25519_ed448_privatekey
ignore_errors: yes
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
when: ownca_certificate_ed25519_ed448_privatekey is not failed
block:
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR - name: (OwnCA, {{select_crypto_backend}}) Generate CSR
openssl_csr: openssl_csr:
@ -498,6 +504,7 @@
type: '{{ item }}' type: '{{ item }}'
cipher: auto cipher: auto
passphrase: Test123 passphrase: Test123
ignore_errors: yes
loop: loop:
- Ed25519 - Ed25519
- Ed448 - Ed448
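Review bot: The `ignore_errors: yes` added to the passphrase-protected Ed25519/Ed448 key generation in the second hunk (`@@ -498,6 +504,7 @@`) has no `register`, so a failure there is swallowed with nothing downstream able to detect it, unlike the first hunk, which registers `ownca_certificate_ed25519_ed448_privatekey` and gates the following block on it. If that task sits outside the `when`-gated block (the rendered hunk does not show its indentation), the tasks that later consume those keys would fail for an unrelated-looking reason instead of being skipped. Registering the result and extending the guard, e.g. `register: ownca_certificate_ed25519_ed448_privatekey_pass` on the task and `when: ownca_certificate_ed25519_ed448_privatekey is not failed and ownca_certificate_ed25519_ed448_privatekey_pass is not failed` on the consumers, keeps the skip explicit and reviewable. The enclosing task list begins and ends outside both hunks.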


@ -379,6 +379,12 @@
loop: loop:
- Ed25519 - Ed25519
- Ed448 - Ed448
register: selfsigned_certificate_ed25519_ed448_privatekey
ignore_errors: yes
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
when: selfsigned_certificate_ed25519_ed448_privatekey is not failed
block:
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR - name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
openssl_csr: openssl_csr:


@ -158,7 +158,7 @@
- ownca_certificate_ed25519_ed448_2.results[1] is failed - ownca_certificate_ed25519_ed448_2.results[1] is failed
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) - name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
assert: assert:
@ -175,4 +175,4 @@
- ownca_certificate_ed25519_ed448_2_idempotence is succeeded - ownca_certificate_ed25519_ed448_2_idempotence is succeeded
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed
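Review bot: Both `when` clauses in this file now skip the Ed25519/Ed448 validation whenever `ownca_certificate_ed25519_ed448_privatekey is failed`, but nothing checks that the key generation failed for the expected reason, so any regression in key generation (a wrong path, a backend bug, a broken passphrase handling) silently disables this whole set of tests instead of failing the run. The openssl_privatekey validation in this same commit does add a "Validate format 2 (failed)" task that pins the failure to the 'Cryptography backend does not support the algorithm required for ' message; the certificate and CSR validations should do the same. The selfsigned validation (`@@ -150,7 +150,7 @@`, `@@ -161,4 +161,4 @@`) and the CSR validation (`@@ -194,7 +194,7 @@`, `@@ -205,4 +205,4 @@`) share this gap with their respective `*_privatekey` variables. A task such as the one below, placed before the gated asserts, would make the accepted failure mode explicit; `msg | default('')` guards against results that carry no `msg`.

```yaml
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519/Ed448 key generation failed only for missing algorithm support
  assert:
    that:
      - "item is succeeded or 'Cryptography backend does not support the algorithm required for ' in (item.msg | default(''))"
  loop: "{{ ownca_certificate_ed25519_ed448_privatekey.results }}"
  when: ownca_certificate_ed25519_ed448_privatekey is failed
```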


@ -150,7 +150,7 @@
- selfsigned_certificate_ed25519_ed448.results[1] is failed - selfsigned_certificate_ed25519_ed448.results[1] is failed
- selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed
- selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and selfsigned_certificate_ed25519_ed448_privatekey is not failed
- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) - name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
assert: assert:
@ -161,4 +161,4 @@
- selfsigned_certificate_ed25519_ed448_idempotence is succeeded - selfsigned_certificate_ed25519_ed448_idempotence is succeeded
- selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed
- selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and selfsigned_certificate_ed25519_ed448_privatekey is not failed


@ -731,6 +731,12 @@
loop: loop:
- Ed25519 - Ed25519
- Ed448 - Ed448
register: generate_csr_ed25519_ed448_privatekey
ignore_errors: yes
- name: Generate CSR if private key generation succeeded
when: generate_csr_ed25519_ed448_privatekey is not failed
block:
- name: Generate CSR - name: Generate CSR
openssl_csr: openssl_csr:


@ -194,7 +194,7 @@
- generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.' - generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
- generate_csr_ed25519_ed448_idempotent.results[0] is failed - generate_csr_ed25519_ed448_idempotent.results[0] is failed
- generate_csr_ed25519_ed448_idempotent.results[1] is failed - generate_csr_ed25519_ed448_idempotent.results[1] is failed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and generate_csr_ed25519_ed448_privatekey is not failed
- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8) - name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
assert: assert:
@ -205,4 +205,4 @@
- generate_csr_ed25519_ed448_idempotent is succeeded - generate_csr_ed25519_ed448_idempotent is succeeded
- generate_csr_ed25519_ed448_idempotent.results[0] is not changed - generate_csr_ed25519_ed448_idempotent.results[0] is not changed
- generate_csr_ed25519_ed448_idempotent.results[1] is not changed - generate_csr_ed25519_ed448_idempotent.results[1] is not changed
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed


@ -170,6 +170,7 @@
loop: "{{ types }}" loop: "{{ types }}"
loop_control: loop_control:
label: "{{ item.type }}" label: "{{ item.type }}"
ignore_errors: yes
register: privatekey_t1_generate register: privatekey_t1_generate
- name: Test other type generation (idempotency) - name: Test other type generation (idempotency)
@ -181,6 +182,7 @@
loop: "{{ types }}" loop: "{{ types }}"
loop_control: loop_control:
label: "{{ item.type }}" label: "{{ item.type }}"
ignore_errors: yes
register: privatekey_t1_idempotency register: privatekey_t1_idempotency
when: select_crypto_backend == 'cryptography' when: select_crypto_backend == 'cryptography'
@ -383,6 +385,7 @@
type: X448 type: X448
format: pkcs8 format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: privatekey_fmt_2_step_1 register: privatekey_fmt_2_step_1
- name: Generate privatekey_fmt_2 - PKCS8 format (idempotent) - name: Generate privatekey_fmt_2 - PKCS8 format (idempotent)
@ -391,6 +394,7 @@
type: X448 type: X448
format: pkcs8 format: pkcs8
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
ignore_errors: yes
register: privatekey_fmt_2_step_2 register: privatekey_fmt_2_step_2
- name: Generate privatekey_fmt_2 - raw format - name: Generate privatekey_fmt_2 - raw format
@ -400,17 +404,20 @@
format: raw format: raw
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes return_content: yes
ignore_errors: yes
register: privatekey_fmt_2_step_3 register: privatekey_fmt_2_step_3
- name: Read privatekey_fmt_2.pem - name: Read privatekey_fmt_2.pem
slurp: slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem" src: "{{ output_dir }}/privatekey_fmt_2.pem"
ignore_errors: yes
register: content register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert: assert:
that: that:
- privatekey_fmt_2_step_3.privatekey == content.content - privatekey_fmt_2_step_3.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: Generate privatekey_fmt_2 - raw format (idempotent) - name: Generate privatekey_fmt_2 - raw format (idempotent)
openssl_privatekey: openssl_privatekey:
@ -419,17 +426,20 @@
format: raw format: raw
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes return_content: yes
ignore_errors: yes
register: privatekey_fmt_2_step_4 register: privatekey_fmt_2_step_4
- name: Read privatekey_fmt_2.pem - name: Read privatekey_fmt_2.pem
slurp: slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem" src: "{{ output_dir }}/privatekey_fmt_2.pem"
ignore_errors: yes
register: content register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert: assert:
that: that:
- privatekey_fmt_2_step_4.privatekey == content.content - privatekey_fmt_2_step_4.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: Generate privatekey_fmt_2 - auto format (ignore) - name: Generate privatekey_fmt_2 - auto format (ignore)
openssl_privatekey: openssl_privatekey:
@ -438,17 +448,20 @@
format: auto_ignore format: auto_ignore
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes return_content: yes
ignore_errors: yes
register: privatekey_fmt_2_step_5 register: privatekey_fmt_2_step_5
- name: Read privatekey_fmt_2.pem - name: Read privatekey_fmt_2.pem
slurp: slurp:
src: "{{ output_dir }}/privatekey_fmt_2.pem" src: "{{ output_dir }}/privatekey_fmt_2.pem"
ignore_errors: yes
register: content register: content
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded - name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
assert: assert:
that: that:
- privatekey_fmt_2_step_5.privatekey == content.content - privatekey_fmt_2_step_5.privatekey == content.content
when: privatekey_fmt_2_step_1 is not failed
- name: Generate privatekey_fmt_2 - auto format (no ignore) - name: Generate privatekey_fmt_2 - auto format (no ignore)
openssl_privatekey: openssl_privatekey:
@ -457,12 +470,14 @@
format: auto format: auto
select_crypto_backend: '{{ select_crypto_backend }}' select_crypto_backend: '{{ select_crypto_backend }}'
return_content: yes return_content: yes
ignore_errors: yes
register: privatekey_fmt_2_step_6 register: privatekey_fmt_2_step_6
- name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded - name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded
assert: assert:
that: that:
- privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False) - privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False)
when: privatekey_fmt_2_step_1 is not failed
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
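Review bot: The three `slurp` tasks reading `privatekey_fmt_2.pem` (hunks `@@ -400,17 +404,20 @@`, `@@ -419,17 +426,20 @@`, `@@ -438,17 +448,20 @@`) get `ignore_errors: yes`, which also masks a genuinely missing or unreadable key file in the case where `privatekey_fmt_2_step_1` succeeded; that case then surfaces later as an undefined `content.content` in the assert rather than as a clear read failure. Since the only situation the commit wants to tolerate is step 1 having failed, gating the read on that condition instead, `when: privatekey_fmt_2_step_1 is not failed`, expresses the intent directly and matches the guard already placed on the asserts. The same applies to the idempotency generation tasks that only need `ignore_errors` because step 1 may have failed. The enclosing block, whose `when` is the last line of this hunk, starts outside the hunks shown.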


@ -1,4 +1,7 @@
--- ---
- set_fact:
system_potentially_has_no_algorithm_support: "{{ ansible_os_family == 'FreeBSD' }}"
- name: Validate privatekey1 idempotency and content returned - name: Validate privatekey1 idempotency and content returned
assert: assert:
that: that:
@ -123,17 +126,18 @@
- name: Validate other type generation (just check changed) - name: Validate other type generation (just check changed)
assert: assert:
that: that:
- item is changed - (item is succeeded and item is changed) or
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
loop: "{{ privatekey_t1_generate.results }}" loop: "{{ privatekey_t1_generate.results }}"
when: "'skip_reason' not in item" when: "'skip_reason' not in item"
loop_control: loop_control:
label: "{{ item.item.type }}" label: "{{ item.item.type }}"
- name: Validate other type generation idempotency - name: Validate other type generation idempotency
assert: assert:
that: that:
- item is not changed - (item is succeeded and item is not changed) or
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
loop: "{{ privatekey_t1_idempotency.results }}" loop: "{{ privatekey_t1_idempotency.results }}"
when: "'skip_reason' not in item" when: "'skip_reason' not in item"
loop_control: loop_control:
@ -191,13 +195,21 @@
- privatekey_fmt_1_step_9_before.public_key == privatekey_fmt_1_step_9_after.public_key - privatekey_fmt_1_step_9_before.public_key == privatekey_fmt_1_step_9_after.public_key
when: 'select_crypto_backend == "cryptography"' when: 'select_crypto_backend == "cryptography"'
- name: Validate format 2 (failed)
assert:
that:
- system_potentially_has_no_algorithm_support
- privatekey_fmt_2_step_1 is failed
- "'Cryptography backend does not support the algorithm required for ' in privatekey_fmt_2_step_1.msg"
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is failed'
- name: Validate format 2 - name: Validate format 2
assert: assert:
that: that:
- privatekey_fmt_2_step_1 is changed - privatekey_fmt_2_step_1 is succeeded and privatekey_fmt_2_step_1 is changed
- privatekey_fmt_2_step_2 is not changed - privatekey_fmt_2_step_2 is succeeded and privatekey_fmt_2_step_2 is not changed
- privatekey_fmt_2_step_3 is changed - privatekey_fmt_2_step_3 is succeeded and privatekey_fmt_2_step_3 is changed
- privatekey_fmt_2_step_4 is not changed - privatekey_fmt_2_step_4 is succeeded and privatekey_fmt_2_step_4 is not changed
- privatekey_fmt_2_step_5 is not changed - privatekey_fmt_2_step_5 is succeeded and privatekey_fmt_2_step_5 is not changed
- privatekey_fmt_2_step_6 is changed - privatekey_fmt_2_step_6 is succeeded and privatekey_fmt_2_step_6 is changed
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")' when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is not failed'
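Review bot: The `set_fact` defining `system_potentially_has_no_algorithm_support` in the first hunk (`@@ -1,4 +1,7 @@`) has no `name` and no comment explaining why `ansible_os_family == 'FreeBSD'` is the gate, so a reader of the validation tasks below has to rediscover that the commit is tolerating 'algorithm not supported' key-generation failures on that platform. I would add `- name: Determine whether this platform may lack support for some key algorithms` and, above it, a comment such as `# On FreeBSD some key algorithms may be unavailable; key generation is then allowed to fail with 'Cryptography backend does not support the algorithm required for ...'`. It is also worth documenting that this gate is coarse: on FreeBSD every failure carrying that message is accepted, so a regression in the module's own algorithm detection would not be noticed there, which is a deliberate trade-off the comment should state.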