Adjust ARI tests to new Pebble (#837)

* Adjust ARI tests to new Pebble. * Fix key size for certificates to 2048 on all systems.
2025-01-13 21:43:29 +01:00 · 2025-01-13 21:43:29 +01:00 · ae35be3437
parent 01e7bf1f33
commit ae35be3437
5 changed files with 134 additions and 101 deletions
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
@ -8,33 +8,43 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################

- block:
-  - name: Running tests with OpenSSL backend
-    include_tasks: impl.yml
-    vars:
-      select_crypto_backend: openssl
+- vars:
+    # ARI and profiles have been added in https://github.com/ansible/ansible/pull/TODO
+    # See also https://github.com/ansible/acme-test-container/pull/25
+    supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}"
+    supports_profile: "{{ ansible_version.full is version('2.19', '>=') }}"

-  - import_tasks: ../tests/validate.yml
+    acme_certificate_profile: "{{ 'default' if supports_profile else omit }}"

-  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  block:

- name: Remove output directory
-  file:
-    path: "{{ remote_tmp_dir }}"
-    state: absent
+    - block:
+      - name: Running tests with OpenSSL backend
+        include_tasks: impl.yml
+        vars:
+          select_crypto_backend: openssl

- name: Re-create output directory
-  file:
-    path: "{{ remote_tmp_dir }}"
-    state: directory
+      - import_tasks: ../tests/validate.yml

- block:
-  - name: Running tests with cryptography backend
-    include_tasks: impl.yml
-    vars:
-      select_crypto_backend: cryptography
+      # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
+      when: openssl_version.stdout is version('1.0.0', '>=')

-  - import_tasks: ../tests/validate.yml
+    - name: Remove output directory
+      file:
+        path: "{{ remote_tmp_dir }}"
+        state: absent

-  when: cryptography_version.stdout is version('1.5', '>=')
+    - name: Re-create output directory
+      file:
+        path: "{{ remote_tmp_dir }}"
+        state: directory
+
+    - block:
+      - name: Running tests with cryptography backend
+        include_tasks: impl.yml
+        vars:
+          select_crypto_backend: cryptography
+
+      - import_tasks: ../tests/validate.yml
+
+      when: cryptography_version.stdout is version('1.5', '>=')
--- a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
@ -3,74 +3,102 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later

- name: Validate results
-  assert:
-    that:
-      - cert_1_renewal_1.should_renew == false
-      - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_1.supports_ari == supports_ari
-      - cert_1_renewal_1.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_1.exists == true
-      - cert_1_renewal_1.parsable == true
-      - cert_1_renewal_2.should_renew == false
-      - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_2.supports_ari == supports_ari
-      - cert_1_renewal_2.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_2.exists == true
-      - cert_1_renewal_2.parsable == true
-      - cert_1_renewal_3.should_renew == false
-      - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_3.supports_ari == supports_ari
-      - cert_1_renewal_3.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_3.exists == true
-      - cert_1_renewal_3.parsable == true
-      - cert_1_renewal_4.should_renew == true
-      - cert_1_renewal_4.msg == 'The certificate expires in 25 days'
-      - cert_1_renewal_4.supports_ari == supports_ari
-      - cert_1_renewal_4.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_4.exists == true
-      - cert_1_renewal_4.parsable == true
-      - cert_1_renewal_5.should_renew == true
-      - cert_1_renewal_5.msg == 'The certificate expires in 25 days'
-      - cert_1_renewal_5.supports_ari == supports_ari
-      - cert_1_renewal_5.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_5.exists == true
-      - cert_1_renewal_5.parsable == true
-      - cert_1_renewal_6.should_renew == true
-      - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
-      - cert_1_renewal_6.supports_ari == supports_ari
-      - cert_1_renewal_6.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_6.exists == true
-      - cert_1_renewal_6.parsable == true
-      - cert_1_renewal_7.should_renew == true
-      - cert_1_renewal_7.msg == 'The certificate has already expired'
-      - cert_1_renewal_7.supports_ari == false
-      - cert_1_renewal_7.cert_id is string or not can_have_cert_id
-      - cert_1_renewal_7.exists == true
-      - cert_1_renewal_7.parsable == true
-      - cert_1_renewal_8.should_renew == true
-      - cert_1_renewal_8.msg == 'No certificate was specified'
-      - cert_1_renewal_8.supports_ari == false
-      - cert_1_renewal_8.cert_id is not defined
-      - cert_1_renewal_8.exists == false
-      - cert_1_renewal_8.parsable == false
-      - cert_1_renewal_9.should_renew == true
-      - cert_1_renewal_9.msg == 'The certificate file does not exist'
-      - cert_1_renewal_9.supports_ari == false
-      - cert_1_renewal_9.cert_id is not defined
-      - cert_1_renewal_9.exists == false
-      - cert_1_renewal_9.parsable == false
-      - cert_1_renewal_10 is failed
-      - cert_1_renewal_10.msg.startswith('Error while running ') or
-        cert_1_renewal_10.msg.startswith('Cannot parse certificate ')
-      - cert_1_renewal_11.should_renew == true
-      - >-
-        cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Error while running ') or
-        cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Cannot parse certificate ')
-      - cert_1_renewal_11.supports_ari == false
-      - cert_1_renewal_11.cert_id is not defined
-      - cert_1_renewal_11.exists == true
-      - cert_1_renewal_11.parsable == false
-  vars:
+- vars:
    can_have_cert_id: cert_1_info.authority_key_identifier is string
-    supports_ari: false
+
+  block:
+
+    - name: Validate results (generic)
+      assert:
+        that:
+          - cert_1_renewal_1.should_renew == false
+          - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
+          - cert_1_renewal_1.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_1.exists == true
+          - cert_1_renewal_1.parsable == true
+          - cert_1_renewal_2.should_renew == false
+          - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached'
+          - cert_1_renewal_2.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_2.exists == true
+          - cert_1_renewal_2.parsable == true
+          - cert_1_renewal_3.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_3.exists == true
+          - cert_1_renewal_3.parsable == true
+          - cert_1_renewal_4.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_4.exists == true
+          - cert_1_renewal_4.parsable == true
+          - cert_1_renewal_5.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_5.exists == true
+          - cert_1_renewal_5.parsable == true
+          - cert_1_renewal_6.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_6.exists == true
+          - cert_1_renewal_6.parsable == true
+          - cert_1_renewal_7.should_renew == true
+          - cert_1_renewal_7.msg == 'The certificate has already expired'
+          - cert_1_renewal_7.cert_id is string or not can_have_cert_id
+          - cert_1_renewal_7.exists == true
+          - cert_1_renewal_7.parsable == true
+          - cert_1_renewal_8.should_renew == true
+          - cert_1_renewal_8.msg == 'No certificate was specified'
+          - cert_1_renewal_8.supports_ari == false
+          - cert_1_renewal_8.cert_id is not defined
+          - cert_1_renewal_8.exists == false
+          - cert_1_renewal_8.parsable == false
+          - cert_1_renewal_9.should_renew == true
+          - cert_1_renewal_9.msg == 'The certificate file does not exist'
+          - cert_1_renewal_9.supports_ari == false
+          - cert_1_renewal_9.cert_id is not defined
+          - cert_1_renewal_9.exists == false
+          - cert_1_renewal_9.parsable == false
+          - cert_1_renewal_10 is failed
+          - cert_1_renewal_10.msg.startswith('Error while running ') or
+            cert_1_renewal_10.msg.startswith('Cannot parse certificate ')
+          - cert_1_renewal_11.should_renew == true
+          - >-
+            cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Error while running ') or
+            cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Cannot parse certificate ')
+          - cert_1_renewal_11.supports_ari == false
+          - cert_1_renewal_11.cert_id is not defined
+          - cert_1_renewal_11.exists == true
+          - cert_1_renewal_11.parsable == false
+      when: not supports_ari
+
+    - name: Validate results without ARI
+      assert:
+        that:
+          - cert_1_renewal_1.supports_ari == false
+          - cert_1_renewal_2.supports_ari == false
+          - cert_1_renewal_3.should_renew == false
+          - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached'
+          - cert_1_renewal_3.supports_ari == false
+          - cert_1_renewal_4.should_renew == true
+          - cert_1_renewal_4.msg == 'The certificate expires in 25 days'
+          - cert_1_renewal_4.supports_ari == false
+          - cert_1_renewal_5.should_renew == true
+          - cert_1_renewal_5.msg == 'The certificate expires in 25 days'
+          - cert_1_renewal_5.supports_ari == false
+          - cert_1_renewal_6.should_renew == true
+          - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
+          - cert_1_renewal_6.supports_ari == false
+          - cert_1_renewal_7.supports_ari == false
+      when: not supports_ari
+
+    - name: Validate results with ARI
+      assert:
+        that:
+          - cert_1_renewal_1.supports_ari == supports_ari
+          - cert_1_renewal_2.supports_ari == supports_ari
+          - cert_1_renewal_3.should_renew == true
+          - cert_1_renewal_3.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_3.supports_ari == supports_ari
+          - cert_1_renewal_4.should_renew == true
+          - cert_1_renewal_4.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_4.supports_ari == supports_ari
+          - cert_1_renewal_5.should_renew == true
+          - cert_1_renewal_5.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_5.supports_ari == supports_ari
+          - cert_1_renewal_6.should_renew == true
+          - cert_1_renewal_6.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_6.supports_ari == supports_ari
+          - cert_1_renewal_7.supports_ari == false
+      when: supports_ari
--- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@ -22,7 +22,7 @@
      certgen_title: Certificate 1
      certificate_name: cert-1
      key_type: rsa
-      rsa_bits: "{{ default_rsa_key_size }}"
+      rsa_bits: "{{ default_rsa_key_size_certificates }}"
      subject_alt_name: "DNS:example.com"
      subject_alt_name_critical: false
      account_key: account-ec256
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@ -49,6 +49,7 @@
    remaining_days: "{{ remaining_days }}"
    terms_agreed: "{{ terms_agreed }}"
    account_email: "{{ account_email }}"
+    profile: "{{ acme_certificate_profile | default(omit) }}"
  register: challenge_data
 - name: ({{ certgen_title }}) Print challenge data
  debug:
--- a/tests/integration/targets/setup_openssl/vars/main.yml
+++ b/tests/integration/targets/setup_openssl/vars/main.yml
@ -4,10 +4,4 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 default_rsa_key_size: 1024
-default_rsa_key_size_certificates: >-
-  {{
-      2048 if
-        (ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or
-        (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20)
-      else 1024
-  }}
+default_rsa_key_size_certificates: 2048