ansible/test/integration/targets/openssl_publickey/tests/validate.yml
Felix Fontein caf7fd2245 openssl_*: improve passphrase handling for private keys in PyOpenSSL (#53489)
* Raise OpenSSLBadPassphraseError if passphrase is wrong.

* Improve handling of passphrase errors.

Current behavior for modules is: if passphrase is wrong (or wrongly specified), fail.
Current behavior for openssl_privatekey is: if passphrase is worng (or wrongly specified), regenerate.

* Add changelog.

* Add tests.

* Adjustments for some versions of PyOpenSSL.

* Update lib/ansible/modules/crypto/openssl_certificate.py

Improve text.

Co-Authored-By: felixfontein <felix@fontein.de>
2019-03-08 16:21:18 +00:00

108 lines
3.8 KiB
YAML

---
- name: Validate public key (test - privatekey modulus)
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey_modulus
- name: Validate public key (test - publickey modulus)
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
register: publickey_modulus
- name: Validate public key (assert)
assert:
that:
- publickey_modulus.stdout == privatekey_modulus.stdout
- name: Validate public key - OpenSSH format (test - privatekey's publickey)
shell: 'ssh-keygen -y -f {{ output_dir }}/privatekey.pem'
register: privatekey_publickey
when: cryptography_version.stdout is version('1.4.0', '>=')
- name: Validate public key - OpenSSH format (test - publickey)
slurp:
src: '{{ output_dir }}/publickey-ssh.pub'
register: publickey
when: cryptography_version.stdout is version('1.4.0', '>=')
- name: Validate public key - OpenSSH format (assert)
assert:
that:
- privatekey_publickey.stdout == '{{ publickey.content|b64decode }}'
when: cryptography_version.stdout is version('1.4.0', '>=')
- name: Validate public key - OpenSSH format - test idempotence (issue 33256)
assert:
that:
- publickey_ssh_idempotence is not changed
when: cryptography_version.stdout is version('1.4.0', '>=')
- name: Validate publickey2 (test - Ensure key has been removed)
stat:
path: '{{ output_dir }}/publickey2.pub'
register: publickey2
- name: Validate publickey2 (assert - Ensure key has been removed)
assert:
that:
- publickey2.stat.exists == False
- name: Validate publickey3 (test - privatekey modulus)
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
register: privatekey3_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate publickey3 (test - publickey modulus)
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
register: publickey3_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate publickey3 (assert)
assert:
that:
- publickey3_modulus.stdout == privatekey3_modulus.stdout
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate publickey3 idempotence (assert)
assert:
that:
- publickey3_idempotence is not changed
- name: Validate publickey4 (test - privatekey modulus)
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey4_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate publickey4 (test - publickey modulus)
shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
register: publickey4_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate publickey4 (assert)
assert:
that:
- publickey4_modulus.stdout == privatekey4_modulus.stdout
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: Validate public key 5 (test - privatekey's pubkey)
command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
register: privatekey5_pubkey
- name: Validate public key 5 (test - publickey pubkey)
# Fancy way of writing "cat {{ output_dir }}/publickey5.pub"
command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
register: publickey5_pubkey
- name: Validate public key 5 (assert)
assert:
that:
- publickey5_pubkey.stdout == privatekey5_pubkey.stdout
- name:
assert:
that:
- passphrase_error_1 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_1.msg"
- passphrase_error_2 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_2.msg"
- passphrase_error_3 is failed
- "'assphrase' in passphrase_error_1.msg or 'assword' in passphrase_error_3.msg"