From ae35be3437605f60379b6bedfbe9ced2c08546fa Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 13 Jan 2025 21:43:29 +0100
Subject: [PATCH] Adjust ARI tests to new Pebble (#837)

* Adjust ARI tests to new Pebble.
* Fix key size for certificates to 2048 on all systems.
---
 .../tasks/main.yml | 56 +++---
 .../tests/validate.yml | 168 ++++++++++--------
 .../acme_challenge_cert_helper/tasks/main.yml | 2 +-
 .../targets/setup_acme/tasks/obtain-cert.yml | 1 +
 .../targets/setup_openssl/vars/main.yml | 8 +-
 5 files changed, 134 insertions(+), 101 deletions(-)

diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
index 68d47973..f7e9714c 100644
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
@@ -8,33 +8,43 @@ # and should not be used as examples of how to write Ansible roles # #################################################################### -- block: - - name: Running tests with OpenSSL backend - include_tasks: impl.yml - vars: - select_crypto_backend: openssl +- vars: + # ARI and profiles have been added in https://github.com/ansible/ansible/pull/TODO + # See also https://github.com/ansible/acme-test-container/pull/25 + supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}" + supports_profile: "{{ ansible_version.full is version('2.19', '>=') }}" - - import_tasks: ../tests/validate.yml + acme_certificate_profile: "{{ 'default' if supports_profile else omit }}" - # Old 0.9.8 versions have insufficient CLI support for signing with EC keys - when: openssl_version.stdout is version('1.0.0', '>=') + block: -- name: Remove output directory - file: - path: "{{ remote_tmp_dir }}" - state: absent + - block: + - name: Running tests with OpenSSL backend + include_tasks: impl.yml + vars: + select_crypto_backend: openssl -- name: Re-create output directory - file: - path: "{{ remote_tmp_dir }}" - state: directory + - import_tasks: ../tests/validate.yml -- block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography + # Old 0.9.8 versions have insufficient CLI support for signing with EC keys + when: openssl_version.stdout is version('1.0.0', '>=') - - import_tasks: ../tests/validate.yml + - name: Remove output directory + file: + path: "{{ remote_tmp_dir }}" + state: absent - when: cryptography_version.stdout is version('1.5', '>=') + - name: Re-create output directory + file: + path: "{{ remote_tmp_dir }}" + state: directory + + - block: + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography + + - import_tasks: ../tests/validate.yml + + when: cryptography_version.stdout is version('1.5', '>=') 
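Review bot: The comment above the new `supports_ari`/`supports_profile` vars still points at a placeholder, `https://github.com/ansible/ansible/pull/TODO`, which should be resolved or dropped before merge. The gate itself, `ansible_version.full is version('2.19', '>=')`, reads as if ARI were an ansible-core feature; from the acme-test-container link it looks like a proxy for which Pebble the ansible-test container ships, so I'd say that in the comment, e.g. `# ansible-core >= 2.19 runs these tests against an ACME test container whose Pebble supports ARI and profiles (see acme-test-container PR 25); older cores get a Pebble without them` — confirm that is the actual dependency. With a version proxy, running the target against a different container or a hand-started Pebble will mis-set `supports_ari` and the validate assertions will then fail on the wrong branch, which a note next to the vars would save the next person from debugging.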
diff --git a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
index ecf752e3..ac8bce5e 100644
--- a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
@@ -3,74 +3,102 @@ # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later -- name: Validate results - assert: - that: - - cert_1_renewal_1.should_renew == false - - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached' - - cert_1_renewal_1.supports_ari == supports_ari - - cert_1_renewal_1.cert_id is string or not can_have_cert_id - - cert_1_renewal_1.exists == true - - cert_1_renewal_1.parsable == true - - cert_1_renewal_2.should_renew == false - - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached' - - cert_1_renewal_2.supports_ari == supports_ari - - cert_1_renewal_2.cert_id is string or not can_have_cert_id - - cert_1_renewal_2.exists == true - - cert_1_renewal_2.parsable == true - - cert_1_renewal_3.should_renew == false - - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached' - - cert_1_renewal_3.supports_ari == supports_ari - - cert_1_renewal_3.cert_id is string or not can_have_cert_id - - cert_1_renewal_3.exists == true - - cert_1_renewal_3.parsable == true - - cert_1_renewal_4.should_renew == true - - cert_1_renewal_4.msg == 'The certificate expires in 25 days' - - cert_1_renewal_4.supports_ari == supports_ari - - cert_1_renewal_4.cert_id is string or not can_have_cert_id - - cert_1_renewal_4.exists == true - - cert_1_renewal_4.parsable == true - - cert_1_renewal_5.should_renew == true - - cert_1_renewal_5.msg == 'The certificate expires in 25 days' - - cert_1_renewal_5.supports_ari == supports_ari - - cert_1_renewal_5.cert_id is string or not can_have_cert_id - - cert_1_renewal_5.exists == true - - cert_1_renewal_5.parsable == true - - cert_1_renewal_6.should_renew == true - - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ") - - cert_1_renewal_6.supports_ari == supports_ari - - 
cert_1_renewal_6.cert_id is string or not can_have_cert_id - - cert_1_renewal_6.exists == true - - cert_1_renewal_6.parsable == true - - cert_1_renewal_7.should_renew == true - - cert_1_renewal_7.msg == 'The certificate has already expired' - - cert_1_renewal_7.supports_ari == false - - cert_1_renewal_7.cert_id is string or not can_have_cert_id - - cert_1_renewal_7.exists == true - - cert_1_renewal_7.parsable == true - - cert_1_renewal_8.should_renew == true - - cert_1_renewal_8.msg == 'No certificate was specified' - - cert_1_renewal_8.supports_ari == false - - cert_1_renewal_8.cert_id is not defined - - cert_1_renewal_8.exists == false - - cert_1_renewal_8.parsable == false - - cert_1_renewal_9.should_renew == true - - cert_1_renewal_9.msg == 'The certificate file does not exist' - - cert_1_renewal_9.supports_ari == false - - cert_1_renewal_9.cert_id is not defined - - cert_1_renewal_9.exists == false - - cert_1_renewal_9.parsable == false - - cert_1_renewal_10 is failed - - cert_1_renewal_10.msg.startswith('Error while running ') or - cert_1_renewal_10.msg.startswith('Cannot parse certificate ') - - cert_1_renewal_11.should_renew == true - - >- - cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Error while running ') or - cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Cannot parse certificate ') - - cert_1_renewal_11.supports_ari == false - - cert_1_renewal_11.cert_id is not defined - - cert_1_renewal_11.exists == true - - cert_1_renewal_11.parsable == false - vars: +- vars: can_have_cert_id: cert_1_info.authority_key_identifier is string - supports_ari: false + + block: + + - name: Validate results (generic) + assert: + that: + - cert_1_renewal_1.should_renew == false + - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached' + - cert_1_renewal_1.cert_id is string or not can_have_cert_id + - cert_1_renewal_1.exists == true + - cert_1_renewal_1.parsable == true + - cert_1_renewal_2.should_renew == 
false + - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached' + - cert_1_renewal_2.cert_id is string or not can_have_cert_id + - cert_1_renewal_2.exists == true + - cert_1_renewal_2.parsable == true + - cert_1_renewal_3.cert_id is string or not can_have_cert_id + - cert_1_renewal_3.exists == true + - cert_1_renewal_3.parsable == true + - cert_1_renewal_4.cert_id is string or not can_have_cert_id + - cert_1_renewal_4.exists == true + - cert_1_renewal_4.parsable == true + - cert_1_renewal_5.cert_id is string or not can_have_cert_id + - cert_1_renewal_5.exists == true + - cert_1_renewal_5.parsable == true + - cert_1_renewal_6.cert_id is string or not can_have_cert_id + - cert_1_renewal_6.exists == true + - cert_1_renewal_6.parsable == true + - cert_1_renewal_7.should_renew == true + - cert_1_renewal_7.msg == 'The certificate has already expired' + - cert_1_renewal_7.cert_id is string or not can_have_cert_id + - cert_1_renewal_7.exists == true + - cert_1_renewal_7.parsable == true + - cert_1_renewal_8.should_renew == true + - cert_1_renewal_8.msg == 'No certificate was specified' + - cert_1_renewal_8.supports_ari == false + - cert_1_renewal_8.cert_id is not defined + - cert_1_renewal_8.exists == false + - cert_1_renewal_8.parsable == false + - cert_1_renewal_9.should_renew == true + - cert_1_renewal_9.msg == 'The certificate file does not exist' + - cert_1_renewal_9.supports_ari == false + - cert_1_renewal_9.cert_id is not defined + - cert_1_renewal_9.exists == false + - cert_1_renewal_9.parsable == false + - cert_1_renewal_10 is failed + - cert_1_renewal_10.msg.startswith('Error while running ') or + cert_1_renewal_10.msg.startswith('Cannot parse certificate ') + - cert_1_renewal_11.should_renew == true + - >- + cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Error while running ') or + cert_1_renewal_11.msg.startswith('Certificate cannot be parsed: Cannot parse certificate ') + - cert_1_renewal_11.supports_ari == 
false + - cert_1_renewal_11.cert_id is not defined + - cert_1_renewal_11.exists == true + - cert_1_renewal_11.parsable == false + when: not supports_ari + + - name: Validate results without ARI + assert: + that: + - cert_1_renewal_1.supports_ari == false + - cert_1_renewal_2.supports_ari == false + - cert_1_renewal_3.should_renew == false + - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached' + - cert_1_renewal_3.supports_ari == false + - cert_1_renewal_4.should_renew == true + - cert_1_renewal_4.msg == 'The certificate expires in 25 days' + - cert_1_renewal_4.supports_ari == false + - cert_1_renewal_5.should_renew == true + - cert_1_renewal_5.msg == 'The certificate expires in 25 days' + - cert_1_renewal_5.supports_ari == false + - cert_1_renewal_6.should_renew == true + - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ") + - cert_1_renewal_6.supports_ari == false + - cert_1_renewal_7.supports_ari == false + when: not supports_ari + + - name: Validate results with ARI + assert: + that: + - cert_1_renewal_1.supports_ari == supports_ari + - cert_1_renewal_2.supports_ari == supports_ari + - cert_1_renewal_3.should_renew == true + - cert_1_renewal_3.msg == 'The suggested renewal interval provided by ARI is in the past' + - cert_1_renewal_3.supports_ari == supports_ari + - cert_1_renewal_4.should_renew == true + - cert_1_renewal_4.msg == 'The suggested renewal interval provided by ARI is in the past' + - cert_1_renewal_4.supports_ari == supports_ari + - cert_1_renewal_5.should_renew == true + - cert_1_renewal_5.msg == 'The suggested renewal interval provided by ARI is in the past' + - cert_1_renewal_5.supports_ari == supports_ari + - cert_1_renewal_6.should_renew == true + - cert_1_renewal_6.msg == 'The suggested renewal interval provided by ARI is in the past' + - cert_1_renewal_6.supports_ari == supports_ari + - cert_1_renewal_7.supports_ari == false + when: supports_ari 
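Review bot: The `Validate results (generic)` assert is gated with `when: not supports_ari`, so on an ARI-capable Pebble none of the generic checks (exists/parsable/cert_id for renewals 1–7 and the error paths of renewals 8–11) run at all; only the `Validate results with ARI` task does. The two ARI-specific tasks already carry every `supports_ari`-dependent expectation, so the generic task should run in both modes: drop its `when: not supports_ari` line. If skipping it under ARI is deliberate because renewals 1/2 `should_renew` differ on the new Pebble, then the name `(generic)` is misleading and the reason belongs in a comment on that task. In the `with ARI` task, `cert_1_renewal_N.supports_ari == supports_ari` is always `== true` under its `when: supports_ari` guard; writing `== true` there would state the expectation explicitly.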
diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
index c4b13857..12f3f23d 100644
--- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -22,7 +22,7 @@
 certgen_title: Certificate 1
 certificate_name: cert-1
 key_type: rsa
- rsa_bits: "{{ default_rsa_key_size }}"
+ rsa_bits: "{{ default_rsa_key_size_certificates }}"
 subject_alt_name: "DNS:example.com"
 subject_alt_name_critical: false
 account_key: account-ec256
diff --git a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
index 4b8a1ced..9990b0db 100644
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -49,6 +49,7 @@
 remaining_days: "{{ remaining_days }}"
 terms_agreed: "{{ terms_agreed }}"
 account_email: "{{ account_email }}"
+ profile: "{{ acme_certificate_profile | default(omit) }}"
 register: challenge_data
 - name: ({{ certgen_title }}) Print challenge data
 debug:
diff --git a/tests/integration/targets/setup_openssl/vars/main.yml b/tests/integration/targets/setup_openssl/vars/main.yml
index 36c64169..68a7dc1b 100644
--- a/tests/integration/targets/setup_openssl/vars/main.yml
+++ b/tests/integration/targets/setup_openssl/vars/main.yml
@@ -4,10 +4,4 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_rsa_key_size: 1024
-default_rsa_key_size_certificates: >-
- {{
- 2048 if
- (ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or
- (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20)
- else 1024
- }}
+default_rsa_key_size_certificates: 2048
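Review bot: The new `profile: "{{ acme_certificate_profile | default(omit) }}"` argument in obtain-cert.yml is undocumented, and it disappears in two different ways: when the caller never defines `acme_certificate_profile` (the `default(omit)` here) and when the caller sets it to `omit` itself, as the renewal_info target now does when profiles are unsupported. A comment above the line would make that contract visible, e.g. `# Optional ACME certificate profile; callers opt in by setting acme_certificate_profile, otherwise the parameter is omitted (the caller may also pass omit)`. The enclosing task starts before the hunk, so whether other callers already set this variable is not visible here.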
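Review bot: `default_rsa_key_size_certificates: 2048` in setup_openssl/vars/main.yml is now unconditional, but the reason the per-distro 1024-bit fallback was dropped is not recorded anywhere; the removed expression at least encoded which platforms needed 2048. A one-line comment would keep the next reader from reintroducing the smaller size, e.g. `# Certificate keys are always 2048 bits; the current ACME test container / modern OpenSSL reject 1024-bit RSA certificate keys (confirm exact reason)`. The context line `default_rsa_key_size: 1024` remains for the other test keys; 1024-bit RSA is far below current minimums, so it is worth marking as fixture-only so the value is not copied into anything real, e.g. `# test-only: 1024-bit RSA keeps key generation fast in CI; never use this size outside these fixtures`.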