community.crypto/tests/integration/targets/openssh_keypair/tasks/main.yml

---
####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################

# Bumps up cryptography and bcrypt versions to be compatible with OpenSSH >= 7.8
- import_tasks: ./setup_bcrypt.yml

- name: Generate privatekey1 - standard (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_result_check
  check_mode: true

- name: Generate privatekey1 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_result

- name: Generate privatekey1 - standard (check mode idempotent)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_idem_result_check
  check_mode: true

- name: Generate privatekey1 - standard (idempotent)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_idem_result

- name: Generate privatekey2 - default size
  openssh_keypair:
    path: '{{ output_dir }}/privatekey2'

- name: Generate privatekey3 - type dsa
  openssh_keypair:
    path: '{{ output_dir }}/privatekey3'
    type: dsa

- name: Generate privatekey4 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey4'
    size: 2048

- name: Delete privatekey4 - standard
  openssh_keypair:
    state: absent
    path: '{{ output_dir }}/privatekey4'

- name: Generate privatekey5 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey5'
    size: 2048
  register: publickey_gen

- name: Generate privatekey6
  openssh_keypair:
    path: '{{ output_dir }}/privatekey6'
    type: rsa
    size: 2048

- name: Regenerate privatekey6 via force
  openssh_keypair:
    path: '{{ output_dir }}/privatekey6'
    type: rsa
    size: 2048
    force: yes
  register: output_regenerated_via_force

- name: Create broken key
  copy:
    dest: '{{ item }}'
    content: ''
    mode: '0700'
  loop:
    - '{{ output_dir }}/privatekeybroken'
    - '{{ output_dir }}/privatekeybroken.pub'

- name: Regenerate broken key - should fail
  openssh_keypair:
    path: '{{ output_dir }}/privatekeybroken'
    type: rsa
    size: 2048
  register: output_broken
  ignore_errors: yes

- name: Regenerate broken key with force
  openssh_keypair:
    path: '{{ output_dir }}/privatekeybroken'
    type: rsa
    force: yes
    size: 2048
  register: output_broken_force

- name: Generate read-only private key
  openssh_keypair:
    path: '{{ output_dir }}/privatekeyreadonly'
    type: rsa
    mode: '0200'
    size: 2048

- name: Regenerate read-only private key via force
  openssh_keypair:
    path: '{{ output_dir }}/privatekeyreadonly'
    type: rsa
    force: yes
    size: 2048
  register: output_read_only

- name: Generate privatekey7 - standard with comment
  openssh_keypair:
    path: '{{ output_dir }}/privatekey7'
    comment: 'test@privatekey7'
    size: 2048
  register: privatekey7_result

- name: Modify privatekey7 comment
  openssh_keypair:
    path: '{{ output_dir }}/privatekey7'
    comment: 'test_modified@privatekey7'
    size: 2048
  register: privatekey7_modified_result

- name: Generate password protected key
  command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'

- name: Try to modify the password protected key - should fail
  openssh_keypair:
    path: '{{ output_dir }}/privatekey8'
    size: 2048
  register: privatekey8_result
  ignore_errors: yes

- name: Try to modify the password protected key with force=yes
  openssh_keypair:
    path: '{{ output_dir }}/privatekey8'
    force: yes
    size: 2048
  register: privatekey8_result_force

- name: Generate another password protected key
  command: 'ssh-keygen -f {{ output_dir }}/privatekey9 -N {{ passphrase }}'

- name: Try to modify the password protected key with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/privatekey9'
    size: 1024
    passphrase: "{{ passphrase }}"
  register: privatekey9_modified_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Generate another unprotected key
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048

- name: Try to Modify unprotected key with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048
    passphrase: "{{ passphrase }}"
  ignore_errors: true
  register: privatekey10_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')


- name: Try to force modify the password protected key with force=true
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048
    passphrase: "{{ passphrase }}"
    force: true
  register: privatekey10_result_force
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Ensure that ssh-keygen can read keys generated with passphrase
  command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
  register: privatekey10_result_sshkeygen
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Generate PEM encoded key with passphrase
  command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Try to verify a PEM encoded key
  openssh_keypair:
    path: '{{ output_dir }}/privatekey11'
    size: 2048
    passphrase: "{{ passphrase }}"
  register: privatekey11_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- import_tasks: ../tests/validate.yml


# Test regenerate option

- name: Regenerate - setup simple keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
  loop: "{{ regenerate_values }}"
- name: Regenerate - setup password protected keys
  command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
  loop: "{{ regenerate_values }}"

- name: Regenerate - setup broken keys
  copy:
    dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
    content: 'broken key'
    mode: '0700'
  with_nested:
    - "{{ regenerate_values }}"
    - [ '', '.pub' ]
    -
- name: Regenerate - setup password protected keys for passphrse test
  command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
  loop: "{{ regenerate_values }}"

- name: Regenerate - modify broken keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-c-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify broken keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-c-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify password protected keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify password protected keys with passphrase (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    passphrase: "{{ passphrase }}"
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- assert:
    that:
      - result.results[0] is success
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Regenerate - modify password protected keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify password protected keys with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-d-{{ item }}'
    type: rsa
    size: 1024
    passphrase: "{{ passphrase }}"
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- assert:
    that:
      - result.results[0] is success
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Regenerate - not modify regular keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  register: result
- assert:
    that:
      - result.results[0] is not changed
      - result.results[1] is not changed
      - result.results[2] is not changed
      - result.results[3] is not changed
      - result.results[4] is changed

- name: Regenerate - not modify regular keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  register: result
- assert:
    that:
      - result.results[0] is not changed
      - result.results[1] is not changed
      - result.results[2] is not changed
      - result.results[3] is not changed
      - result.results[4] is changed

- name: Regenerate - adjust key size (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1048
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - adjust key size
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1048
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - redistribute keys
  copy:
    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
    remote_src: true
  with_nested:
    - "{{ regenerate_values }}"
    - [ '', '.pub' ]
  when: "item.0 != 'always'"

- name: Regenerate - adjust key type (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - adjust key type
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - redistribute keys
  copy:
    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
    remote_src: true
  with_nested:
    - "{{ regenerate_values }}"
    - [ '', '.pub' ]
  when: "item.0 != 'always'"

- name: Regenerate - adjust comment (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    comment: test comment
    regenerate: '{{ item }}'
  check_mode: yes
  loop: "{{ regenerate_values }}"
  ignore_errors: yes
  register: result
- assert:
    that:
      - result is changed

- name: Regenerate - adjust comment
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    comment: test comment
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  register: result
- assert:
    that:
      - result is changed
      # for all values but 'always', the key should have not been regenerated.
      # verify this by comparing fingerprints:
      - result.results[0].fingerprint == result.results[1].fingerprint
      - result.results[0].fingerprint == result.results[2].fingerprint
      - result.results[0].fingerprint == result.results[3].fingerprint
      - result.results[0].fingerprint != result.results[4].fingerprint