Adjust ARI tests to new Pebble (#837)

* Adjust ARI tests to new Pebble.

* Fix key size for certificates to 2048 on all systems.

tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml

@@ -8,7 +8,17 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
-- block:
+- vars:
+    # ARI and profiles have been added in https://github.com/ansible/ansible/pull/TODO
+    # See also https://github.com/ansible/acme-test-container/pull/25
+    supports_ari: "{{ ansible_version.full is version('2.19', '>=') }}"
+    supports_profile: "{{ ansible_version.full is version('2.19', '>=') }}"
+
+    acme_certificate_profile: "{{ 'default' if supports_profile else omit }}"
+
+  block:
+
+    - block:
       - name: Running tests with OpenSSL backend
         include_tasks: impl.yml
         vars:
@@ -19,17 +29,17 @@
       # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
       when: openssl_version.stdout is version('1.0.0', '>=')
 
-- name: Remove output directory
+    - name: Remove output directory
       file:
         path: "{{ remote_tmp_dir }}"
         state: absent
 
-- name: Re-create output directory
+    - name: Re-create output directory
       file:
         path: "{{ remote_tmp_dir }}"
         state: directory
 
-- block:
+    - block:
       - name: Running tests with cryptography backend
         include_tasks: impl.yml
         vars:

tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml

@@ -3,48 +3,38 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-- name: Validate results
+- vars:
+    can_have_cert_id: cert_1_info.authority_key_identifier is string
+
+  block:
+
+    - name: Validate results (generic)
       assert:
         that:
           - cert_1_renewal_1.should_renew == false
           - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_1.supports_ari == supports_ari
           - cert_1_renewal_1.cert_id is string or not can_have_cert_id
           - cert_1_renewal_1.exists == true
           - cert_1_renewal_1.parsable == true
           - cert_1_renewal_2.should_renew == false
           - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_2.supports_ari == supports_ari
           - cert_1_renewal_2.cert_id is string or not can_have_cert_id
           - cert_1_renewal_2.exists == true
           - cert_1_renewal_2.parsable == true
-      - cert_1_renewal_3.should_renew == false
-      - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached'
-      - cert_1_renewal_3.supports_ari == supports_ari
           - cert_1_renewal_3.cert_id is string or not can_have_cert_id
           - cert_1_renewal_3.exists == true
           - cert_1_renewal_3.parsable == true
-      - cert_1_renewal_4.should_renew == true
-      - cert_1_renewal_4.msg == 'The certificate expires in 25 days'
-      - cert_1_renewal_4.supports_ari == supports_ari
           - cert_1_renewal_4.cert_id is string or not can_have_cert_id
           - cert_1_renewal_4.exists == true
           - cert_1_renewal_4.parsable == true
-      - cert_1_renewal_5.should_renew == true
-      - cert_1_renewal_5.msg == 'The certificate expires in 25 days'
-      - cert_1_renewal_5.supports_ari == supports_ari
           - cert_1_renewal_5.cert_id is string or not can_have_cert_id
           - cert_1_renewal_5.exists == true
           - cert_1_renewal_5.parsable == true
-      - cert_1_renewal_6.should_renew == true
-      - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
-      - cert_1_renewal_6.supports_ari == supports_ari
           - cert_1_renewal_6.cert_id is string or not can_have_cert_id
           - cert_1_renewal_6.exists == true
           - cert_1_renewal_6.parsable == true
           - cert_1_renewal_7.should_renew == true
           - cert_1_renewal_7.msg == 'The certificate has already expired'
-      - cert_1_renewal_7.supports_ari == false
           - cert_1_renewal_7.cert_id is string or not can_have_cert_id
           - cert_1_renewal_7.exists == true
           - cert_1_renewal_7.parsable == true
@@ -71,6 +61,44 @@
           - cert_1_renewal_11.cert_id is not defined
           - cert_1_renewal_11.exists == true
           - cert_1_renewal_11.parsable == false
-  vars:
-    can_have_cert_id: cert_1_info.authority_key_identifier is string
-    supports_ari: false
+      when: not supports_ari
+
+    - name: Validate results without ARI
+      assert:
+        that:
+          - cert_1_renewal_1.supports_ari == false
+          - cert_1_renewal_2.supports_ari == false
+          - cert_1_renewal_3.should_renew == false
+          - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached'
+          - cert_1_renewal_3.supports_ari == false
+          - cert_1_renewal_4.should_renew == true
+          - cert_1_renewal_4.msg == 'The certificate expires in 25 days'
+          - cert_1_renewal_4.supports_ari == false
+          - cert_1_renewal_5.should_renew == true
+          - cert_1_renewal_5.msg == 'The certificate expires in 25 days'
+          - cert_1_renewal_5.supports_ari == false
+          - cert_1_renewal_6.should_renew == true
+          - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
+          - cert_1_renewal_6.supports_ari == false
+          - cert_1_renewal_7.supports_ari == false
+      when: not supports_ari
+
+    - name: Validate results with ARI
+      assert:
+        that:
+          - cert_1_renewal_1.supports_ari == supports_ari
+          - cert_1_renewal_2.supports_ari == supports_ari
+          - cert_1_renewal_3.should_renew == true
+          - cert_1_renewal_3.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_3.supports_ari == supports_ari
+          - cert_1_renewal_4.should_renew == true
+          - cert_1_renewal_4.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_4.supports_ari == supports_ari
+          - cert_1_renewal_5.should_renew == true
+          - cert_1_renewal_5.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_5.supports_ari == supports_ari
+          - cert_1_renewal_6.should_renew == true
+          - cert_1_renewal_6.msg == 'The suggested renewal interval provided by ARI is in the past'
+          - cert_1_renewal_6.supports_ari == supports_ari
+          - cert_1_renewal_7.supports_ari == false
+      when: supports_ari

tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -22,7 +22,7 @@
       certgen_title: Certificate 1
       certificate_name: cert-1
       key_type: rsa
-      rsa_bits: "{{ default_rsa_key_size }}"
+      rsa_bits: "{{ default_rsa_key_size_certificates }}"
       subject_alt_name: "DNS:example.com"
       subject_alt_name_critical: false
       account_key: account-ec256

tests/integration/targets/setup_acme/tasks/obtain-cert.yml

@@ -49,6 +49,7 @@
     remaining_days: "{{ remaining_days }}"
     terms_agreed: "{{ terms_agreed }}"
     account_email: "{{ account_email }}"
+    profile: "{{ acme_certificate_profile | default(omit) }}"
   register: challenge_data
 - name: ({{ certgen_title }}) Print challenge data
   debug:

tests/integration/targets/setup_openssl/vars/main.yml

@@ -4,10 +4,4 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 default_rsa_key_size: 1024
-default_rsa_key_size_certificates: >-
-  {{
-      2048 if
-        (ansible_os_family == "RedHat" and ansible_facts.distribution_major_version | int >= 8) or
-        (ansible_distribution == "Ubuntu" and ansible_facts.distribution_major_version | int >= 20)
-      else 1024
-  }}
+default_rsa_key_size_certificates: 2048