openssl_* modules: improve test robustness (#67568)
* Run Ed25519 and Ed448 tests for openssl_csr and openssl_certificate only if key generation succeeded. * Make openssl_privatekey tests more robust: allow special key generation tests to fail with 'algorithm not supported' on FreeBSD.
This commit is contained in:
parent
e867535a57
commit
29ca9d2d4d
8 changed files with 231 additions and 185 deletions
|
@ -449,6 +449,12 @@
|
|||
loop:
|
||||
- Ed25519
|
||||
- Ed448
|
||||
register: ownca_certificate_ed25519_ed448_privatekey
|
||||
ignore_errors: yes
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
|
||||
when: ownca_certificate_ed25519_ed448_privatekey is not failed
|
||||
block:
|
||||
|
||||
- name: (OwnCA, {{select_crypto_backend}}) Generate CSR
|
||||
openssl_csr:
|
||||
|
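Review bot: `ignore_errors: yes` on the Ed25519/Ed448 key generation task at the top of this hunk accepts any failure, not only an unsupported-algorithm one, so a genuine openssl_privatekey regression on either curve would now silently skip the whole CSR/certificate block that follows instead of failing the run. The openssl_privatekey validation in this same commit checks the failure message for 'Cryptography backend does not support the algorithm required for ' before tolerating it; the same check would fit here as an `assert` gated on `when: ownca_certificate_ed25519_ed448_privatekey is failed` whose `that:` requires each failed loop item's `msg` to contain that text. As far as I recall, a looped task's registered result reports `failed` when any single item failed, so one unsupported curve disables the tests for both; that looks intended but may be worth a one-line comment. The same pattern appears in the selfsigned hunk (@ -379) and the openssl_csr hunk (@ -731), and the `block:` opened at the end of this hunk continues outside it.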
@ -498,6 +504,7 @@
|
|||
type: '{{ item }}'
|
||||
cipher: auto
|
||||
passphrase: Test123
|
||||
ignore_errors: yes
|
||||
loop:
|
||||
- Ed25519
|
||||
- Ed448
|
||||
|
|
|
@ -379,6 +379,12 @@
|
|||
loop:
|
||||
- Ed25519
|
||||
- Ed448
|
||||
register: selfsigned_certificate_ed25519_ed448_privatekey
|
||||
ignore_errors: yes
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR etc. if private key generation succeeded
|
||||
when: selfsigned_certificate_ed25519_ed448_privatekey is not failed
|
||||
block:
|
||||
|
||||
- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
|
||||
openssl_csr:
|
||||
|
|
|
@ -158,7 +158,7 @@
|
|||
- ownca_certificate_ed25519_ed448_2.results[1] is failed
|
||||
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed
|
||||
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed
|
||||
|
||||
- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
|
||||
assert:
|
||||
|
@ -175,4 +175,4 @@
|
|||
- ownca_certificate_ed25519_ed448_2_idempotence is succeeded
|
||||
- ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed
|
||||
- ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed
|
||||
|
|
|
@ -150,7 +150,7 @@
|
|||
- selfsigned_certificate_ed25519_ed448.results[1] is failed
|
||||
- selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed
|
||||
- selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and selfsigned_certificate_ed25519_ed448_privatekey is not failed
|
||||
|
||||
- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
|
||||
assert:
|
||||
|
@ -161,4 +161,4 @@
|
|||
- selfsigned_certificate_ed25519_ed448_idempotence is succeeded
|
||||
- selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed
|
||||
- selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and selfsigned_certificate_ed25519_ed448_privatekey is not failed
|
||||
|
|
|
@ -731,6 +731,12 @@
|
|||
loop:
|
||||
- Ed25519
|
||||
- Ed448
|
||||
register: generate_csr_ed25519_ed448_privatekey
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Generate CSR if private key generation succeeded
|
||||
when: generate_csr_ed25519_ed448_privatekey is not failed
|
||||
block:
|
||||
|
||||
- name: Generate CSR
|
||||
openssl_csr:
|
||||
|
|
|
@ -194,7 +194,7 @@
|
|||
- generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
|
||||
- generate_csr_ed25519_ed448_idempotent.results[0] is failed
|
||||
- generate_csr_ed25519_ed448_idempotent.results[1] is failed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and generate_csr_ed25519_ed448_privatekey is not failed
|
||||
|
||||
- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
|
||||
assert:
|
||||
|
@ -205,4 +205,4 @@
|
|||
- generate_csr_ed25519_ed448_idempotent is succeeded
|
||||
- generate_csr_ed25519_ed448_idempotent.results[0] is not changed
|
||||
- generate_csr_ed25519_ed448_idempotent.results[1] is not changed
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=')
|
||||
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed
|
||||
|
|
|
@ -170,6 +170,7 @@
|
|||
loop: "{{ types }}"
|
||||
loop_control:
|
||||
label: "{{ item.type }}"
|
||||
ignore_errors: yes
|
||||
register: privatekey_t1_generate
|
||||
|
||||
- name: Test other type generation (idempotency)
|
||||
|
@ -181,6 +182,7 @@
|
|||
loop: "{{ types }}"
|
||||
loop_control:
|
||||
label: "{{ item.type }}"
|
||||
ignore_errors: yes
|
||||
register: privatekey_t1_idempotency
|
||||
|
||||
when: select_crypto_backend == 'cryptography'
|
||||
|
@ -383,6 +385,7 @@
|
|||
type: X448
|
||||
format: pkcs8
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_1
|
||||
|
||||
- name: Generate privatekey_fmt_2 - PKCS8 format (idempotent)
|
||||
|
@ -391,6 +394,7 @@
|
|||
type: X448
|
||||
format: pkcs8
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_2
|
||||
|
||||
- name: Generate privatekey_fmt_2 - raw format
|
||||
|
@ -400,17 +404,20 @@
|
|||
format: raw
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
return_content: yes
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_3
|
||||
|
||||
- name: Read privatekey_fmt_2.pem
|
||||
slurp:
|
||||
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
||||
ignore_errors: yes
|
||||
register: content
|
||||
|
||||
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
||||
assert:
|
||||
that:
|
||||
- privatekey_fmt_2_step_3.privatekey == content.content
|
||||
when: privatekey_fmt_2_step_1 is not failed
|
||||
|
||||
- name: Generate privatekey_fmt_2 - raw format (idempotent)
|
||||
openssl_privatekey:
|
||||
|
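Review bot: The `ignore_errors: yes` added to the raw-format generation and to the `slurp` in this hunk is broader than the case it covers: only `privatekey_fmt_2_step_1` (the first X448 generation) can legitimately fail with an unsupported algorithm, yet step 3 and the file read are now allowed to fail as well, while the inline assert is gated only on `when: privatekey_fmt_2_step_1 is not failed`. If step 1 succeeded but step 3 or the slurp failed, the assert still runs and dereferences `privatekey_fmt_2_step_3.privatekey` and `content.content`, which would presumably surface as an undefined-attribute error rather than the original module failure. Gating the follow-up tasks with `when: privatekey_fmt_2_step_1 is not failed` instead of `ignore_errors: yes` keeps them failing loudly whenever step 1 worked. The same applies to the hunks at @ -419, @ -438 and @ -457; the enclosing block whose `when:` closes the @ -457 hunk starts outside these hunks.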
@ -419,17 +426,20 @@
|
|||
format: raw
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
return_content: yes
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_4
|
||||
|
||||
- name: Read privatekey_fmt_2.pem
|
||||
slurp:
|
||||
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
||||
ignore_errors: yes
|
||||
register: content
|
||||
|
||||
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
||||
assert:
|
||||
that:
|
||||
- privatekey_fmt_2_step_4.privatekey == content.content
|
||||
when: privatekey_fmt_2_step_1 is not failed
|
||||
|
||||
- name: Generate privatekey_fmt_2 - auto format (ignore)
|
||||
openssl_privatekey:
|
||||
|
@ -438,17 +448,20 @@
|
|||
format: auto_ignore
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
return_content: yes
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_5
|
||||
|
||||
- name: Read privatekey_fmt_2.pem
|
||||
slurp:
|
||||
src: "{{ output_dir }}/privatekey_fmt_2.pem"
|
||||
ignore_errors: yes
|
||||
register: content
|
||||
|
||||
- name: Generate privatekey_fmt_2 - verify that returned content is base64 encoded
|
||||
assert:
|
||||
that:
|
||||
- privatekey_fmt_2_step_5.privatekey == content.content
|
||||
when: privatekey_fmt_2_step_1 is not failed
|
||||
|
||||
- name: Generate privatekey_fmt_2 - auto format (no ignore)
|
||||
openssl_privatekey:
|
||||
|
@ -457,12 +470,14 @@
|
|||
format: auto
|
||||
select_crypto_backend: '{{ select_crypto_backend }}'
|
||||
return_content: yes
|
||||
ignore_errors: yes
|
||||
register: privatekey_fmt_2_step_6
|
||||
|
||||
- name: Generate privatekey_fmt_2 - verify that returned content is not base64 encoded
|
||||
assert:
|
||||
that:
|
||||
- privatekey_fmt_2_step_6.privatekey == lookup('file', output_dir ~ '/privatekey_fmt_2.pem', rstrip=False)
|
||||
when: privatekey_fmt_2_step_1 is not failed
|
||||
|
||||
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
|
||||
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
- set_fact:
|
||||
system_potentially_has_no_algorithm_support: "{{ ansible_os_family == 'FreeBSD' }}"
|
||||
|
||||
- name: Validate privatekey1 idempotency and content returned
|
||||
assert:
|
||||
that:
|
||||
|
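Review bot: `system_potentially_has_no_algorithm_support` is keyed on `ansible_os_family == 'FreeBSD'` alone, so on FreeBSD every unsupported-algorithm failure in the gated tests is tolerated regardless of which key type produced it, which makes that platform's effective coverage hard to reason about from the playbook. A comment above the `set_fact` stating the intent would help the next maintainer decide when the relaxation can be narrowed or removed, e.g. `# On FreeBSD the cryptography backend may lack some key algorithms; the assertions below tolerate an 'algorithm not supported' failure there.` If the affected algorithms are known, naming them in that comment (or narrowing the fact to those types) would be better still.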
@ -123,17 +126,18 @@
|
|||
- name: Validate other type generation (just check changed)
|
||||
assert:
|
||||
that:
|
||||
- item is changed
|
||||
- (item is succeeded and item is changed) or
|
||||
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
|
||||
loop: "{{ privatekey_t1_generate.results }}"
|
||||
when: "'skip_reason' not in item"
|
||||
loop_control:
|
||||
label: "{{ item.item.type }}"
|
||||
|
||||
|
||||
- name: Validate other type generation idempotency
|
||||
assert:
|
||||
that:
|
||||
- item is not changed
|
||||
- (item is succeeded and item is not changed) or
|
||||
(item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support)
|
||||
loop: "{{ privatekey_t1_idempotency.results }}"
|
||||
when: "'skip_reason' not in item"
|
||||
loop_control:
|
||||
|
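Review bot: When the `item is failed` branch of the assert is taken, nothing records which key types were skipped, so on FreeBSD the "other type generation" coverage can shrink silently to whatever the backend happens to support. A `debug` task before the assert printing `privatekey_t1_generate.results | selectattr('failed', 'defined') | selectattr('failed') | map(attribute='item.type') | list` (and the equivalent for `privatekey_t1_idempotency`) would make the skipped types visible in the test log; an additional assertion that at least one looped item succeeded would guard against the loop degrading to zero coverage. The `'... in item.msg` check also presumes every failed item carries a `msg`; a failure without one would make the assert error on an undefined attribute rather than report the mismatch, so a `'msg' in item` guard may be worth adding. The second assert task's `loop_control:` runs past the end of the hunk.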
@ -191,13 +195,21 @@
|
|||
- privatekey_fmt_1_step_9_before.public_key == privatekey_fmt_1_step_9_after.public_key
|
||||
when: 'select_crypto_backend == "cryptography"'
|
||||
|
||||
- name: Validate format 2 (failed)
|
||||
assert:
|
||||
that:
|
||||
- system_potentially_has_no_algorithm_support
|
||||
- privatekey_fmt_2_step_1 is failed
|
||||
- "'Cryptography backend does not support the algorithm required for ' in privatekey_fmt_2_step_1.msg"
|
||||
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is failed'
|
||||
|
||||
- name: Validate format 2
|
||||
assert:
|
||||
that:
|
||||
- privatekey_fmt_2_step_1 is changed
|
||||
- privatekey_fmt_2_step_2 is not changed
|
||||
- privatekey_fmt_2_step_3 is changed
|
||||
- privatekey_fmt_2_step_4 is not changed
|
||||
- privatekey_fmt_2_step_5 is not changed
|
||||
- privatekey_fmt_2_step_6 is changed
|
||||
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
|
||||
- privatekey_fmt_2_step_1 is succeeded and privatekey_fmt_2_step_1 is changed
|
||||
- privatekey_fmt_2_step_2 is succeeded and privatekey_fmt_2_step_2 is not changed
|
||||
- privatekey_fmt_2_step_3 is succeeded and privatekey_fmt_2_step_3 is changed
|
||||
- privatekey_fmt_2_step_4 is succeeded and privatekey_fmt_2_step_4 is not changed
|
||||
- privatekey_fmt_2_step_5 is succeeded and privatekey_fmt_2_step_5 is not changed
|
||||
- privatekey_fmt_2_step_6 is succeeded and privatekey_fmt_2_step_6 is changed
|
||||
when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is not failed'
|
||||
|
|