2acfa0e08c
* Elevate privileges for luks_device integration tests Several tests in `key-management.yml` don't `become` before executing, despite needing elevated privileges. This commit fixes that. * Add passphrase support for luks_device Previously, the luks_device module only worked with keyfiles. The implication was that the key had to be written to disk before the module could be used. This commit implements support for opening, adding and removing passphrases supplied as strings to the module. Closes #52408
---
|
|
- name: Create with keyfile1
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
keyfile: "{{ role_path }}/files/keyfile1"
|
|
become: yes
|
|
|
|
# Access: keyfile1
|
|
|
|
- name: Try to open with keyfile1
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile1"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is not failed
|
|
- name: Close
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
become: yes
|
|
|
|
- name: Try to open with keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is failed
|
|
|
|
- name: Give access to keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
keyfile: "{{ role_path }}/files/keyfile1"
|
|
new_keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
|
|
# Access: keyfile1 and keyfile2
|
|
|
|
- name: Try to open with keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is not failed
|
|
- name: Close
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
become: yes
|
|
|
|
- name: Dump LUKS header
|
|
command: "cryptsetup luksDump {{ cryptfile_device }}"
|
|
become: yes
|
|
|
|
- name: Remove access from keyfile1
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
keyfile: "{{ role_path }}/files/keyfile1"
|
|
remove_keyfile: "{{ role_path }}/files/keyfile1"
|
|
become: yes
|
|
|
|
# Access: keyfile2
|
|
|
|
- name: Try to open with keyfile1
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile1"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is failed
|
|
|
|
- name: Try to open with keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is not failed
|
|
- name: Close
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
become: yes
|
|
|
|
- name: Dump LUKS header
|
|
command: "cryptsetup luksDump {{ cryptfile_device }}"
|
|
become: yes
|
|
|
|
- name: Remove access from keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
remove_keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: remove_last_key
|
|
- assert:
|
|
that:
|
|
- remove_last_key is failed
|
|
- "'force_remove_last_key' in remove_last_key.msg"
|
|
|
|
# Access: keyfile2
|
|
|
|
- name: Try to open with keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is not failed
|
|
- name: Close
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
become: yes
|
|
|
|
- name: Remove access from keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: closed
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
remove_keyfile: "{{ role_path }}/files/keyfile2"
|
|
force_remove_last_key: yes
|
|
become: yes
|
|
|
|
# Access: none
|
|
|
|
- name: Try to open with keyfile2
|
|
luks_device:
|
|
device: "{{ cryptfile_device }}"
|
|
state: opened
|
|
keyfile: "{{ role_path }}/files/keyfile2"
|
|
become: yes
|
|
ignore_errors: yes
|
|
register: open_try
|
|
- assert:
|
|
that:
|
|
- open_try is failed
|
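Review bot: The privilege and flag booleans throughout this file use the YAML 1.1 spelling `yes` (`become: yes` on every `luks_device` task, `ignore_errors: yes` on the open attempts, and `force_remove_last_key: yes` in the final `Remove access from keyfile2` task); Ansible's loader accepts it, but a YAML 1.2 parser treats `yes` as a plain string and yamllint's `truthy` rule flags it, so `become: true`, `ignore_errors: true` and `force_remove_last_key: true` are the portable spelling. The two `Dump LUKS header` tasks neither `register` nor assert on their output, so they only print the header (presumably including which keyslots are populated) into the job log; if they are meant as a debugging aid, a comment such as `# Diagnostic only: shows keyslot usage after each key change` above each makes that explicit, otherwise asserting on the expected slot count would turn them into a real check. The unnamed `- assert:` tasks would also be easier to trace in a failed run with a `name:` that restates the expectation, e.g. `- name: Assert keyfile2 no longer opens the device` before the last assert.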