--- - set_fact: system_potentially_has_no_algorithm_support: "{{ ansible_os_family == 'FreeBSD' }}" - name: Validate privatekey1 idempotency and content returned assert: that: - privatekey1_idempotence is not changed - privatekey1.privatekey == lookup('file', output_dir ~ '/privatekey1.pem', rstrip=False) - privatekey1.privatekey == privatekey1_idempotence.privatekey - name: Validate privatekey1 (test - RSA key with size 4096 bits) shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey1 - name: Validate privatekey1 (assert - RSA key with size 4096 bits) assert: that: - privatekey1.stdout == '4096' - name: Validate privatekey2 (test - RSA key with size 2048 bits) shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey2 - name: Validate privatekey2 (assert - RSA key with size 2048 bits) assert: that: - privatekey2.stdout == '2048' - name: Validate privatekey3 (test - DSA key with size 3072 bits) shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey3 - name: Validate privatekey3 (assert - DSA key with size 3072 bits) assert: that: - privatekey3.stdout == '3072' - name: Validate privatekey4 (test - Ensure key has been removed) stat: path: '{{ output_dir }}/privatekey4.pem' register: privatekey4 - name: Validate privatekey4 (assert - Ensure key has been removed) assert: that: - privatekey4.stat.exists == False - name: Validate privatekey4 removal behavior assert: that: - privatekey4_delete is changed - privatekey4_delete.privatekey is none - privatekey4_delete_idempotence is not changed - name: Validate privatekey5 (test - Passphrase protected key + idempotence) shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey5 # Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully. when: openssl_version.stdout is version('0.9.8zh', '>=') - name: Validate privatekey5 (assert - Passphrase protected key + idempotence) assert: that: - privatekey5.stdout == '4096' when: openssl_version.stdout is version('0.9.8zh', '>=') - name: Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence) assert: that: - privatekey5_idempotence is not changed - name: Validate privatekey6 (test - Passphrase protected key with non ascii character) shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'" register: privatekey6 when: openssl_version.stdout is version('0.9.8zh', '>=') - name: Validate privatekey6 (assert - Passphrase protected key with non ascii character) assert: that: - privatekey6.stdout == '4096' when: openssl_version.stdout is version('0.9.8zh', '>=') - name: Validate ECC generation (dump with OpenSSL) shell: "openssl ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'" loop: "{{ privatekey_ecc_generate.results }}" register: privatekey_ecc_dump when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item loop_control: label: "{{ item.item.curve }}" - name: Validate ECC generation assert: that: - item is changed loop: "{{ privatekey_ecc_generate.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.curve }}" - name: Validate ECC generation (curve type) assert: that: - "'skip_reason' in item or item.item.item.openssl_name == item.stdout" loop: "{{ privatekey_ecc_dump.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.item }} - {{ item.stdout if 'stdout' in item else '' }}" - name: Validate ECC generation idempotency assert: that: - item is not changed loop: "{{ privatekey_ecc_idempotency.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.curve }}" - name: Validate other type generation (just check changed) assert: that: - (item is succeeded and item is changed) or (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_generate.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.type }}" - name: Validate other type generation idempotency assert: that: - (item is succeeded and item is not changed) or (item is failed and 'Cryptography backend does not support the algorithm required for ' in item.msg and system_potentially_has_no_algorithm_support) loop: "{{ privatekey_t1_idempotency.results }}" when: "'skip_reason' not in item" loop_control: label: "{{ item.item.type }}" - name: Validate passphrase changing assert: that: - passphrase_1 is changed - passphrase_2 is not changed - passphrase_3 is changed - passphrase_4 is not changed - passphrase_5 is changed - passphrase_1.backup_file is undefined - passphrase_2.backup_file is undefined - passphrase_3.backup_file is string - passphrase_4.backup_file is undefined - passphrase_5.backup_file is string - name: Verify that broken key will be regenerated assert: that: - output_broken is changed - name: Validate remove assert: that: - remove_1 is changed - remove_2 is not changed - remove_1.backup_file is string - remove_2.backup_file is undefined - name: Validate mode assert: that: - privatekey_mode_1 is changed - privatekey_mode_1_stat.stat.mode == '0400' - privatekey_mode_2 is not changed - privatekey_mode_3 is changed - privatekey_mode_3_stat.stat.mode == '0400' - privatekey_mode_1_stat.stat.mtime != privatekey_mode_3_stat.stat.mtime - name: Validate format 1 assert: that: - privatekey_fmt_1_step_1 is changed - privatekey_fmt_1_step_2 is not changed - privatekey_fmt_1_step_3 is not changed - privatekey_fmt_1_step_4 is changed - privatekey_fmt_1_step_5 is not changed - privatekey_fmt_1_step_6 is not changed - privatekey_fmt_1_step_7 is changed - privatekey_fmt_1_step_8 is failed - privatekey_fmt_1_step_9 is changed - privatekey_fmt_1_step_9_before.public_key == privatekey_fmt_1_step_9_after.public_key when: 'select_crypto_backend == "cryptography"' - name: Validate format 2 (failed) assert: that: - system_potentially_has_no_algorithm_support - privatekey_fmt_2_step_1 is failed - "'Cryptography backend does not support the algorithm required for ' in privatekey_fmt_2_step_1.msg" when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is failed' - name: Validate format 2 assert: that: - privatekey_fmt_2_step_1 is succeeded and privatekey_fmt_2_step_1 is changed - privatekey_fmt_2_step_2 is succeeded and privatekey_fmt_2_step_2 is not changed - privatekey_fmt_2_step_3 is succeeded and privatekey_fmt_2_step_3 is changed - privatekey_fmt_2_step_4 is succeeded and privatekey_fmt_2_step_4 is not changed - privatekey_fmt_2_step_5 is succeeded and privatekey_fmt_2_step_5 is not changed - privatekey_fmt_2_step_6 is succeeded and privatekey_fmt_2_step_6 is changed when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is not failed'