diff --git a/shippable.yml b/shippable.yml
index 55a47c67..33d8d2ea 100644
--- a/shippable.yml
+++ b/shippable.yml
@@ -14,6 +14,7 @@ matrix:
- env: T=devel/units/1
- env: T=devel/osx/10.11/1
+ - env: T=devel/macos/10.15/1
- env: T=devel/rhel/7.8/1
- env: T=devel/rhel/8.2/1
- env: T=devel/freebsd/11.1/1
diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml
index dfacd931..4a0ff616 100644
--- a/tests/integration/targets/acme_account/tasks/impl.yml
+++ b/tests/integration/targets/acme_account/tasks/impl.yml
@@ -1,5 +1,5 @@
- name: Generate account keys
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ item }}.pem"
loop:
- accountkey
- accountkey2
@@ -8,7 +8,7 @@
- accountkey5
- name: Parse account keys (to ease debugging some test failures)
- command: openssl ec -in {{ output_dir }}/{{ item }}.pem -noout -text
+ command: "{{ openssl_binary }} ec -in {{ output_dir }}/{{ item }}.pem -noout -text"
loop:
- accountkey
- accountkey2
diff --git a/tests/integration/targets/acme_account_info/tasks/impl.yml b/tests/integration/targets/acme_account_info/tasks/impl.yml
index 3bce6bba..552fc0b2 100644
--- a/tests/integration/targets/acme_account_info/tasks/impl.yml
+++ b/tests/integration/targets/acme_account_info/tasks/impl.yml
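Review bot: The `Parse account keys` task in the `@@ -8,7` hunk runs `ec -noout -text`, which prints the private scalar (`priv:`) of every account key into the task output and therefore into the CI log. These are throwaway keys for a local Pebble instance, so the exposure is limited, but CI logs are usually retained and the public part is enough for the stated debugging purpose. With an OpenSSL that has the `pkey` app, `command: "{{ openssl_binary }} pkey -in {{ output_dir }}/{{ item }}.pem -noout -text_pub"` prints only the public key; if the 0.9.8 baseline that other targets in this diff gate on still matters here, keep the `ec` form behind a version check. The equivalent `Parse account key` tasks in acme_account_info and acme_inspect have the same shape.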
@@ -1,12 +1,12 @@
---
- name: Generate account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
- name: Generate second account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey2.pem"
- name: Parse account key (to ease debugging some test failures)
- command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+ command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
- name: Check that account does not exist
acme_account_info:
diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml
index 9b0cacb2..1e255ed9 100644
--- a/tests/integration/targets/acme_certificate/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -1,11 +1,11 @@
---
## SET UP ACCOUNT KEYS ########################################################################
- name: Create ECC256 account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
- name: Create ECC384 account key
- command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+ command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
- name: Create RSA-2048 account key
- command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+ command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
## SET UP ACCOUNTS ############################################################################
- name: Make sure ECC256 account hasn't been created yet
acme_account:
@@ -325,61 +325,61 @@
## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1
- command: openssl verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"'
ignore_errors: yes
register: cert_1_valid
- name: Verifying cert 2
- command: openssl verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"'
ignore_errors: yes
register: cert_2_valid
- name: Verifying cert 3
- command: openssl verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"'
ignore_errors: yes
register: cert_3_valid
- name: Verifying cert 4
- command: openssl verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"'
ignore_errors: yes
register: cert_4_valid
- name: Verifying cert 5
- command: openssl verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"'
ignore_errors: yes
register: cert_5_valid
- name: Verifying cert 6
- command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"'
ignore_errors: yes
register: cert_6_valid
- name: Verifying cert 7
- command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"'
ignore_errors: yes
register: cert_7_valid
- name: Verifying cert 8
- command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
+ command: '{{ openssl_binary }} verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"'
ignore_errors: yes
register: cert_8_valid
# Dump certificate info
- name: Dumping cert 1
- command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-1.pem" -noout -text'
register: cert_1_text
- name: Dumping cert 2
- command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-2.pem" -noout -text'
register: cert_2_text
- name: Dumping cert 3
- command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-3.pem" -noout -text'
register: cert_3_text
- name: Dumping cert 4
- command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-4.pem" -noout -text'
register: cert_4_text
- name: Dumping cert 5
- command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-5.pem" -noout -text'
register: cert_5_text
- name: Dumping cert 6
- command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-6.pem" -noout -text'
register: cert_6_text
- name: Dumping cert 7
- command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-7.pem" -noout -text'
register: cert_7_text
- name: Dumping cert 8
- command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
+ command: '{{ openssl_binary }} x509 -in "{{ output_dir }}/cert-8.pem" -noout -text'
register: cert_8_text
# Dump certificate info
- name: Dumping cert 1
diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
index 69545b69..a6572c36 100644
--- a/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate_revoke/tasks/impl.yml
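Review bot: `ignore_errors: yes` on each of the eight `Verifying cert N` tasks is a YAML 1.1 truthy spelling; write `ignore_errors: true` so yamllint's truthy rule and YAML 1.2 parsers agree with what Ansible does. Since the purpose of these tasks is to establish that the issued certificates are valid, consider also passing `-purpose sslserver` to `verify`, which checks the leaf's key usage / EKU and basicConstraints on top of chain building to the supplied root; whether that is appropriate depends on the asserts consuming `cert_N_valid`, which are outside this hunk. The eight near-identical task pairs could be one `loop` over `range(1, 9)`, but the registered names `cert_N_valid` / `cert_N_text` are consumed outside the hunk, so that refactor would have to touch those asserts too.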
@@ -1,11 +1,11 @@
---
## SET UP ACCOUNT KEYS ########################################################################
- name: Create ECC256 account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
- name: Create ECC384 account key
- command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
+ command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem"
- name: Create RSA-2048 account key
- command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
+ command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/account-rsa2048.pem 2048"
## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
- name: Obtain cert 1
include_tasks: obtain-cert.yml
diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
index 42d8e2cd..dc3b606f 100644
--- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
+++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -6,7 +6,7 @@
- block:
- name: Create ECC256 account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem"
- name: Obtain cert 1
include_tasks: obtain-cert.yml
vars:
diff --git a/tests/integration/targets/acme_inspect/tasks/impl.yml b/tests/integration/targets/acme_inspect/tasks/impl.yml
index 6628548d..3f5c561f 100644
--- a/tests/integration/targets/acme_inspect/tasks/impl.yml
+++ b/tests/integration/targets/acme_inspect/tasks/impl.yml
@@ -1,9 +1,9 @@
---
- name: Generate account key
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem"
- name: Parse account key (to ease debugging some test failures)
- command: openssl ec -in {{ output_dir }}/accountkey.pem -noout -text
+ command: "{{ openssl_binary }} ec -in {{ output_dir }}/accountkey.pem -noout -text"
- name: Get directory
acme_inspect:
diff --git a/tests/integration/targets/ecs_certificate/tasks/main.yml b/tests/integration/targets/ecs_certificate/tasks/main.yml
index 6c117faa..0b8fc662 100644
--- a/tests/integration/targets/ecs_certificate/tasks/main.yml
+++ b/tests/integration/targets/ecs_certificate/tasks/main.yml
@@ -206,7 +206,7 @@
# For bug 61738, verify that the full chain is valid
- name: Verify that the full chain path can be successfully imported
- command: openssl verify "{{ example4_full_chain_path }}"
+ command: '{{ openssl_binary }} verify "{{ example4_full_chain_path }}"'
register: openssl_result
- assert:
diff --git a/tests/integration/targets/get_certificate/meta/main.yml b/tests/integration/targets/get_certificate/meta/main.yml
index 54be4e6d..fe62e922 100644
--- a/tests/integration/targets/get_certificate/meta/main.yml
+++ b/tests/integration/targets/get_certificate/meta/main.yml
@@ -1,3 +1,4 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
- prepare_http_tests
diff --git a/tests/integration/targets/luks_device/aliases b/tests/integration/targets/luks_device/aliases
index edcc4120..f0df7981 100644
--- a/tests/integration/targets/luks_device/aliases
+++ b/tests/integration/targets/luks_device/aliases
@@ -1,5 +1,6 @@
shippable/posix/group1
skip/osx
+skip/macos
skip/freebsd
skip/docker
needs/root
diff --git a/tests/integration/targets/openssl_csr/meta/main.yml b/tests/integration/targets/openssl_csr/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_csr/meta/main.yml
+++ b/tests/integration/targets/openssl_csr/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_csr/tests/validate.yml b/tests/integration/targets/openssl_csr/tests/validate.yml
index 2683bb2a..a13454f4 100644
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -1,14 +1,14 @@
---
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
- shell: "openssl req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
+ shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr.csr -nameopt oneline,-space_eq"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
- shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr.csr'
+ shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr.csr'
register: csr_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
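Review bot: The three validation tasks in the `@@ -1,14` hunk use the `shell` module although none of them needs a pipe, redirect or glob, so `{{ output_dir }}` and `{{ openssl_binary }}` are handed to `/bin/sh` for word splitting and metacharacter interpretation; `command` runs the same argv without a shell and is the safer default for templated paths. `command: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'` is a drop-in replacement, and the `req -noout -subject` and `req -noout -modulus` tasks can change the same way. The `@@ -49` and `@@ -93` hunks of this file repeat the pattern.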
@@ -49,11 +49,11 @@
- csr_ku_xku_change_2 is changed
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
- shell: "openssl req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
+ shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
register: csr_oldapi_cn
- name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
- shell: 'openssl req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
+ shell: '{{ openssl_binary }} req -noout -modulus -in {{ output_dir }}/csr_oldapi.csr'
register: csr_oldapi_modulus
- name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
@@ -78,7 +78,7 @@
when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.0', '<')
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
- shell: "openssl req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
+ shell: "{{ openssl_binary }} req -noout -in {{ output_dir }}/csr_ocsp.csr -text"
register: csr_ocsp
- name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
@@ -93,15 +93,15 @@
- csr_ocsp_idempotency is not changed
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
- shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey2.pem'
+ shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey2.pem'
register: privatekey_ecc_key
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
- shell: "openssl req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
+ shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr2.csr -nameopt oneline,-space_eq"
register: csr_ecc_cn
- name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
- shell: 'openssl req -noout -pubkey -in {{ output_dir }}/csr2.csr'
+ shell: '{{ openssl_binary }} req -noout -pubkey -in {{ output_dir }}/csr2.csr'
register: csr_ecc_pubkey
- name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
@@ -111,7 +111,7 @@
- csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
- name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
- shell: "openssl req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
+ shell: "{{ openssl_binary }} req -noout -subject -in {{ output_dir }}/csr3.csr -nameopt oneline,-space_eq"
register: csr3_cn
- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
diff --git a/tests/integration/targets/openssl_csr_info/meta/main.yml b/tests/integration/targets/openssl_csr_info/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_csr_info/meta/main.yml
+++ b/tests/integration/targets/openssl_csr_info/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_csr_pipe/meta/main.yml b/tests/integration/targets/openssl_csr_pipe/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_csr_pipe/meta/main.yml
+++ b/tests/integration/targets/openssl_csr_pipe/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml b/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml
index 89cd9b6c..aba2dea6 100644
--- a/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr_pipe/tasks/impl.yml
@@ -59,17 +59,17 @@
register: generate_csr_changed_check
- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
- shell: "openssl req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
+ shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
args:
stdin: "{{ generate_csr.csr }}"
register: csr_cn
- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
- shell: 'openssl req -noout -modulus -in /dev/stdin'
+ shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
args:
stdin: "{{ generate_csr.csr }}"
register: csr_modulus
diff --git a/tests/integration/targets/openssl_dhparam/tests/validate.yml b/tests/integration/targets/openssl_dhparam/tests/validate.yml
index e7d3951a..a9ed03ef 100644
--- a/tests/integration/targets/openssl_dhparam/tests/validate.yml
+++ b/tests/integration/targets/openssl_dhparam/tests/validate.yml
@@ -1,12 +1,12 @@
---
- name: "[{{ select_crypto_backend }}] Validate generated params"
- shell: 'openssl dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
+ shell: '{{ openssl_binary }} dhparam -in {{ output_dir }}/{{ item }}.pem -noout -check'
with_items:
- dh768
- dh512
- name: "[{{ select_crypto_backend }}] Get bit size of 768"
- shell: 'openssl dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+ shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh768.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
register: bit_size_dhparam
- name: "[{{ select_crypto_backend }}] Check bit size of default"
@@ -15,7 +15,7 @@
- bit_size_dhparam.stdout == "768"
- name: "[{{ select_crypto_backend }}] Get bit size of 512"
- shell: 'openssl dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
+ shell: '{{ openssl_binary }} dhparam -noout -in {{ output_dir }}/dh512.pem -text | head -n1 | sed -ne "s@.*(\\([[:digit:]]\{1,\}\\) bit).*@\\1@p"'
register: bit_size_dhparam_512
- name: "[{{ select_crypto_backend }}] Check bit size of default"
diff --git a/tests/integration/targets/openssl_pkcs12/meta/main.yml b/tests/integration/targets/openssl_pkcs12/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_pkcs12/meta/main.yml
+++ b/tests/integration/targets/openssl_pkcs12/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_pkcs12/tests/validate.yml b/tests/integration/targets/openssl_pkcs12/tests/validate.yml
index 1f380b3a..1a80df80 100644
--- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml
+++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml
@@ -1,14 +1,14 @@
---
- name: 'Validate PKCS#12'
- command: "openssl pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
+ command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''"
register: p12
- name: 'Validate PKCS#12 with no private key'
- command: "openssl pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
+ command: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''"
register: p12_validate_no_pkey
- name: 'Validate PKCS#12 with multiple certs'
- shell: "openssl pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
+ shell: "{{ openssl_binary }} pkcs12 -info -in {{ output_dir }}/ansible_multi_certs.p12 -nodes -passin pass:'' | grep subject"
register: p12_validate_multi_certs
- name: 'Validate PKCS#12 (assert)'
diff --git a/tests/integration/targets/openssl_privatekey/meta/main.yml b/tests/integration/targets/openssl_privatekey/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_privatekey/meta/main.yml
+++ b/tests/integration/targets/openssl_privatekey/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_privatekey/tasks/main.yml b/tests/integration/targets/openssl_privatekey/tasks/main.yml
index 438d2034..439d03c3 100644
--- a/tests/integration/targets/openssl_privatekey/tasks/main.yml
+++ b/tests/integration/targets/openssl_privatekey/tasks/main.yml
@@ -5,7 +5,7 @@
####################################################################
- name: Find out which elliptic curves are supported by installed OpenSSL
- command: openssl ecparam -list_curves
+ command: "{{ openssl_binary }} ecparam -list_curves"
register: openssl_ecc
- name: Compile list of elliptic curves supported by OpenSSL
diff --git a/tests/integration/targets/openssl_privatekey/tests/validate.yml b/tests/integration/targets/openssl_privatekey/tests/validate.yml
index 3c2e0af2..11a985af 100644
--- a/tests/integration/targets/openssl_privatekey/tests/validate.yml
+++ b/tests/integration/targets/openssl_privatekey/tests/validate.yml
@@ -11,7 +11,7 @@
- name: "({{ select_crypto_backend }}) Validate privatekey1 (test - RSA key with size 4096 bits)"
- shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+ shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey1.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey1
- name: "({{ select_crypto_backend }}) Validate privatekey1 (assert - RSA key with size 4096 bits)"
@@ -21,7 +21,7 @@
- name: "({{ select_crypto_backend }}) Validate privatekey2 (test - RSA key with size 2048 bits)"
- shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+ shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey2.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey2
- name: "({{ select_crypto_backend }}) Validate privatekey2 (assert - RSA key with size 2048 bits)"
@@ -31,7 +31,7 @@
- name: "({{ select_crypto_backend }}) Validate privatekey3 (test - DSA key with size 3072 bits)"
- shell: "openssl dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+ shell: "{{ openssl_binary }} dsa -noout -text -in {{ output_dir }}/privatekey3.pem | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey3
- name: Validate privatekey3 (assert - DSA key with size 3072 bits)
@@ -59,7 +59,7 @@
- name: "({{ select_crypto_backend }}) Validate privatekey5 (test - Passphrase protected key + idempotence)"
- shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+ shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey5.pem -passin pass:ansible | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey5
# Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
# leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned succesfully.
@@ -78,7 +78,7 @@
- name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)"
- shell: "openssl rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
+ shell: "{{ openssl_binary }} rsa -noout -text -in {{ output_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
register: privatekey6
when: openssl_version.stdout is version('0.9.8zh', '>=')
@@ -89,7 +89,7 @@
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)"
- shell: "openssl ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
+ shell: "{{ openssl_binary }} ec -in {{ output_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
loop: "{{ privatekey_ecc_generate.results }}"
register: privatekey_ecc_dump
when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item
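Review bot: The context comment in the `@@ -59,7` hunk (`# Current version of OS/X that runs in the CI (10.11) ...`) no longer describes the CI matrix once shippable.yml also runs `devel/macos/10.15/1`, so whatever `when:` gate follows it (outside this hunk) should be re-checked and the comment updated, for example `# macOS 10.11 in CI ships an OpenSSL too old for this test; it passes on 10.12+ (including the 10.15 job).` (which also fixes the `succesfully` typo). Separately, `-passin pass:ansible` puts the passphrase on the command line where it is visible in the process list; it is a fixed test secret, so this is only a note, but `-passin env:KEY_PASS` together with a task-level `environment:` would keep it out of `ps`.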
diff --git a/tests/integration/targets/openssl_privatekey_info/meta/main.yml b/tests/integration/targets/openssl_privatekey_info/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_privatekey_info/meta/main.yml
+++ b/tests/integration/targets/openssl_privatekey_info/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_privatekey_pipe/meta/main.yml b/tests/integration/targets/openssl_privatekey_pipe/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_privatekey_pipe/meta/main.yml
+++ b/tests/integration/targets/openssl_privatekey_pipe/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_publickey/meta/main.yml b/tests/integration/targets/openssl_publickey/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_publickey/meta/main.yml
+++ b/tests/integration/targets/openssl_publickey/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/openssl_publickey/tests/validate.yml b/tests/integration/targets/openssl_publickey/tests/validate.yml
index 4558be09..34e67b54 100644
--- a/tests/integration/targets/openssl_publickey/tests/validate.yml
+++ b/tests/integration/targets/openssl_publickey/tests/validate.yml
@@ -8,11 +8,11 @@
- publickey.publickey == publickey_idempotence.publickey
- name: "({{ select_crypto_backend }}) Validate public key (test - privatekey modulus)"
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey_modulus
- name: "({{ select_crypto_backend }}) Validate public key (test - publickey modulus)"
- shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
+ shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey.pub'
register: publickey_modulus
- name: "({{ select_crypto_backend }}) Validate public key (assert)"
@@ -62,12 +62,12 @@
- name: "({{ select_crypto_backend }}) Validate publickey3 (test - privatekey modulus)"
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey3.pem -passin pass:ansible'
register: privatekey3_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate publickey3 (test - publickey modulus)"
- shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
+ shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey3.pub'
register: publickey3_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
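Review bot: The `publickey modulus` task in the `@@ -8,11` hunk uses `shell` solely for the `< {{ output_dir }}/publickey.pub` redirect, which is the only reason a shell is involved; `openssl rsa` accepts `-in`, so `command: '{{ openssl_binary }} rsa -pubin -noout -modulus -in {{ output_dir }}/publickey.pub'` yields the same stdout without shell interpretation of the templated path. The sibling `privatekey modulus` task in the same hunk has no shell features at all and can switch to `command` likewise. The same redirect pattern repeats for publickey3 and publickey4 in the `@@ -62` and `@@ -83` hunks.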
@@ -83,12 +83,12 @@
- publickey3_idempotence is not changed
- name: "({{ select_crypto_backend }}) Validate publickey4 (test - privatekey modulus)"
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
register: privatekey4_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
- name: "({{ select_crypto_backend }}) Validate publickey4 (test - publickey modulus)"
- shell: 'openssl rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
+ shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ output_dir }}/publickey4.pub'
register: publickey4_modulus
when: openssl_version.stdout is version('0.9.8zh', '>=')
@@ -109,12 +109,12 @@
- privatekey5_3.backup_file is string
- name: "({{ select_crypto_backend }}) Validate public key 5 (test - privatekey's pubkey)"
- command: 'openssl ec -in {{ output_dir }}/privatekey5.pem -pubout'
+ command: '{{ openssl_binary }} ec -in {{ output_dir }}/privatekey5.pem -pubout'
register: privatekey5_pubkey
- name: "({{ select_crypto_backend }}) Validate public key 5 (test - publickey pubkey)"
# Fancy way of writing "cat {{ output_dir }}/publickey5.pub"
- command: 'openssl ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
+ command: '{{ openssl_binary }} ec -pubin -in {{ output_dir }}/publickey5.pub -pubout'
register: publickey5_pubkey
- name: "({{ select_crypto_backend }}) Validate public key 5 (assert)"
diff --git a/tests/integration/targets/openssl_signature/meta/main.yml b/tests/integration/targets/openssl_signature/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/openssl_signature/meta/main.yml
+++ b/tests/integration/targets/openssl_signature/meta/main.yml
@@ -1,2 +1,3 @@
dependencies:
- setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/prepare_http_tests/tasks/default.yml b/tests/integration/targets/prepare_http_tests/tasks/default.yml
index 5f098e72..bff90350 100644
--- a/tests/integration/targets/prepare_http_tests/tasks/default.yml
+++ b/tests/integration/targets/prepare_http_tests/tasks/default.yml
@@ -49,11 +49,16 @@
when: ansible_os_family == 'FreeBSD'
- name: MacOS - Retrieve test cacert
- get_url:
- url: "http://ansible.http.tests/cacert.pem"
- dest: "/usr/local/etc/openssl/certs/ansible.pem"
when: ansible_os_family == 'Darwin'
+ block:
+ - uri:
+ url: "http://ansible.http.tests/cacert.pem"
+ return_content: true
+ register: cacert_pem
-- name: MacOS - Update ca certificates
- command: /usr/local/opt/openssl/bin/c_rehash
- when: ansible_os_family == 'Darwin'
+ - raw: '{{ ansible_python_interpreter }} -c "import ssl; print(ssl.get_default_verify_paths().cafile)"'
+ register: macos_cafile
+
+ - blockinfile:
+ path: "{{ macos_cafile.stdout_lines|first }}"
+ block: "{{ cacert_pem.content }}"
diff --git a/tests/integration/targets/setup_acme/meta/main.yml b/tests/integration/targets/setup_acme/meta/main.yml
new file mode 100644
index 00000000..96d5b2b8
--- /dev/null
+++ b/tests/integration/targets/setup_acme/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies: []
+# - setup_openssl
diff --git a/tests/integration/targets/setup_acme/tasks/main.yml b/tests/integration/targets/setup_acme/tasks/main.yml
index 13635ee9..b18e5872 100644
--- a/tests/integration/targets/setup_acme/tasks/main.yml
+++ b/tests/integration/targets/setup_acme/tasks/main.yml
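Review bot: `ssl.get_default_verify_paths().cafile` is `None` when the interpreter's default CA bundle file does not exist, so the new `raw` task then prints the literal `None` and `blockinfile` is pointed at a path named `None`, failing with a confusing error instead of a clear one; the path should be checked before anything is written. The block also reaches the interpreter via `{{ ansible_python_interpreter }}` and `raw`, while the rest of this change (setup_acme) uses the gathered fact `{{ ansible_python.executable }}` with `command`, and the former is not guaranteed to be defined when the interpreter is auto-discovered. Note too that the CA is fetched over plain `http://` and appended to the interpreter's global trust store with no teardown and the generic default `ANSIBLE MANAGED BLOCK` marker; on a shared macOS runner that leaves a test CA trusted for every later Python TLS client on the host, so a distinctive marker (and ideally a cleanup task that removes the block) is worth adding. The `when:` line preceding `block:` is in the hunk, so the whole task is visible here.
```yaml
    - command: '{{ ansible_python.executable }} -c "import ssl; print(ssl.get_default_verify_paths().cafile)"'
      register: macos_cafile

    # get_default_verify_paths().cafile is None when the bundle file does not
    # exist; never append to a path literally called "None"
    - assert:
        that:
          - (macos_cafile.stdout_lines | first) not in ['None', '']
        fail_msg: "No default CA file for {{ ansible_python.executable }}; cannot install the test CA"

    - blockinfile:
        path: "{{ macos_cafile.stdout_lines | first }}"
        block: "{{ cacert_pem.content }}"
        marker: "# {mark} ANSIBLE MANAGED BLOCK: ansible.http.tests test CA"
```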
@@ -4,12 +4,19 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
-- name: register openssl version
- shell: "openssl version | cut -d' ' -f2"
+# BEGIN HACK: remove whenever we know how to properly detect 'default' docker container !!!!!!!!!!!!!!!!!!!!!
+- name: Default value for OpenSSL binary path
+ set_fact:
+ openssl_binary: openssl
+
+- name: Register openssl version
+ shell: "{{ openssl_binary }} version | cut -d' ' -f2"
 register: openssl_version
-- name: register cryptography version
+- name: Register cryptography version
 command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
 register: cryptography_version
+# END HACK !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-- debug: msg="ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
+- debug:
+ msg: "ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
diff --git a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
index 45c15350..698db57a 100644
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
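Review bot: The new `set_fact` inside the BEGIN HACK section assigns `openssl_binary: openssl` unconditionally, so if `setup_openssl` has already run on the same host and pointed `openssl_binary` at a Homebrew OpenSSL (as the LibreSSL block in `setup_openssl/tasks/main.yml` in this same commit does), this role resets it to whatever `openssl` is on `PATH`, and the later version checks and certificate commands silently use the other binary. Writing `openssl_binary: "{{ openssl_binary | default('openssl') }}"` keeps the fallback without clobbering a value set earlier. The HACK comment says why the default lives here but not that it must not override an existing fact; a comment like `# only a fallback: keep the path chosen by setup_openssl when that role ran first` would close that gap.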
@@ -1,16 +1,16 @@
 ---
 ## PRIVATE KEY ################################################################################
 - name: ({{ certgen_title }}) Create cert private key (RSA)
- command: "openssl genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
+ command: "{{ openssl_binary }} genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
 when: "key_type == 'rsa'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 256)
- command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+ command: "{{ openssl_binary }} ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
 when: "key_type == 'ec256'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 384)
- command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+ command: "{{ openssl_binary }} ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
 when: "key_type == 'ec384'"
 - name: ({{ certgen_title }}) Create cert private key (ECC 512)
- command: openssl ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+ command: "{{ openssl_binary }} ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key"
 when: "key_type == 'ec521'"
 ## CSR ########################################################################################
 - name: ({{ certgen_title }}) Create cert CSR
diff --git a/tests/integration/targets/setup_openssl/tasks/main.yml b/tests/integration/targets/setup_openssl/tasks/main.yml
index 62df7dd5..fbd8521b 100644
--- a/tests/integration/targets/setup_openssl/tasks/main.yml
+++ b/tests/integration/targets/setup_openssl/tasks/main.yml
@@ -4,43 +4,95 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
+- name: Register system environment
+ command: "{{ ansible_python.executable }} -c 'import os; print(dict(os.environ))'"
+ register: sys_environment
+
+- debug: var=sys_environment
+
+- name: Default value for OpenSSL binary path
+ set_fact:
+ openssl_binary: openssl
+
 - name: Include OS-specific variables
 include_vars: '{{ ansible_os_family }}.yml'
 when: not ansible_os_family == "Darwin"
 - name: Install OpenSSL
- become: True
+ become: true
 package:
 name: '{{ openssl_package_name }}'
 when: not ansible_os_family == 'Darwin'
-- name: Install pyOpenSSL (Python 3)
- become: True
- package:
- name: '{{ pyopenssl_package_name_python3 }}'
- when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+- name: Register openssl version (full)
+ shell: "{{ openssl_binary }} version"
+ register: openssl_version_full
-- name: Install pyOpenSSL (Python 2)
- become: True
- package:
- name: '{{ pyopenssl_package_name }}'
- when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
+- name: Show openssl version (full)
+ debug:
+ var: openssl_version_full.stdout_lines
-- name: Install pyOpenSSL (Darwin)
- become: True
- pip:
- name: pyOpenSSL
- extra_args: "-c {{ remote_constraints }}"
- when: ansible_os_family == 'Darwin'
+- when: ansible_os_family == "Darwin" and "LibreSSL" in openssl_version_full.stdout
+ # In case LibreSSL is installed on macOS, we need to install a more modern OpenSSL
+ block:
+ - name: MACOS | Find brew binary
+ command: which brew
+ register: brew_which
-- name: register pyOpenSSL version
- command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
- register: pyopenssl_version
+ - name: MACOS | Get owner of brew binary
+ stat:
+ path: "{{ brew_which.stdout }}"
+ register: brew_stat
-- name: register openssl version
- shell: "openssl version | cut -d' ' -f2"
+ - name: MACOS | Install openssl
+ homebrew:
+ name: openssl
+ state: present
+ become: yes
+ become_user: "{{ brew_stat.stat.pw_name }}"
+
+ - name: MACOS | Locale openssl binary
+ command: brew --prefix openssl
+ register: brew_openssl_prefix
+
+ - name: MACOS | Point to OpenSSL binary
+ set_fact:
+ openssl_binary: "{{ brew_openssl_prefix.stdout }}/bin/openssl"
+
+ - name: MACOS | Register openssl version (full)
+ shell: "{{ openssl_binary }} version"
+ register: openssl_version_full_again
+ # We must use a different variable to prevent the 'when' condition of the surrounding block to fail
+
+ - name: MACOS | Show openssl version (full)
+ debug:
+ var: openssl_version_full_again.stdout_lines
+
+- name: Register openssl version
+ shell: "{{ openssl_binary }} version | cut -d' ' -f2"
 register: openssl_version
-- name: register cryptography version
+- when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in ['CentOS6', 'RedHat6']
+ block:
+ - name: Install cryptography (Python 3)
+ become: true
+ package:
+ name: '{{ cryptography_package_name_python3 }}'
+ when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+
+ - name: Install cryptography (Python 2)
+ become: true
+ package:
+ name: '{{ cryptography_package_name }}'
+ when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
+
+ - name: Install cryptography (Darwin)
+ become: true
+ pip:
+ name: cryptography
+ extra_args: "-c {{ remote_constraints }}"
+ when: ansible_os_family == 'Darwin'
+
+- name: Register cryptography version
 command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
 register: cryptography_version
diff --git a/tests/integration/targets/setup_openssl/vars/Debian.yml b/tests/integration/targets/setup_openssl/vars/Debian.yml
index 755c7a08..810d314c 100644
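Review bot: The `Register system environment` task and the `debug: var=sys_environment` that follows it, at the top of this hunk, print the complete process environment of the test host into the job log; CI environments routinely carry access tokens and signing secrets in environment variables, so this dump should not ship, or should be narrowed to the specific keys being diagnosed, e.g. `command: "{{ ansible_python.executable }} -c 'import os; print(os.environ.get(\"PATH\"))'"`. Note that the registered result is still shown at `-v` even without the `debug` task, so if a full dump must stay, add `no_log: true` to the command task. Two style points in the same hunk: `become: yes` on `MACOS | Install openssl` should be `become: true` to match every other `become:` in the file, and the task name `MACOS | Locale openssl binary` reads as a typo for `Locate`.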
--- a/tests/integration/targets/setup_openssl/vars/Debian.yml
+++ b/tests/integration/targets/setup_openssl/vars/Debian.yml
@@ -1,3 +1,4 @@
-pyopenssl_package_name: python-openssl
-pyopenssl_package_name_python3: python3-openssl
+---
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/tests/integration/targets/setup_openssl/vars/FreeBSD.yml b/tests/integration/targets/setup_openssl/vars/FreeBSD.yml
index 60868915..ee876235 100644
--- a/tests/integration/targets/setup_openssl/vars/FreeBSD.yml
+++ b/tests/integration/targets/setup_openssl/vars/FreeBSD.yml
@@ -1,3 +1,4 @@
-pyopenssl_package_name: py27-openssl
-pyopenssl_package_name_python3: py36-openssl
+---
 openssl_package_name: openssl
+cryptography_package_name: py27-cryptography
+cryptography_package_name_python3: py36-cryptography
diff --git a/tests/integration/targets/setup_openssl/vars/RedHat.yml b/tests/integration/targets/setup_openssl/vars/RedHat.yml
index 2959932c..810d314c 100644
--- a/tests/integration/targets/setup_openssl/vars/RedHat.yml
+++ b/tests/integration/targets/setup_openssl/vars/RedHat.yml
@@ -1,3 +1,4 @@
-pyopenssl_package_name: pyOpenSSL
-pyopenssl_package_name_python3: python3-pyOpenSSL
+---
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/tests/integration/targets/setup_openssl/vars/Suse.yml b/tests/integration/targets/setup_openssl/vars/Suse.yml
index 2d5200f3..810d314c 100644
--- a/tests/integration/targets/setup_openssl/vars/Suse.yml
+++ b/tests/integration/targets/setup_openssl/vars/Suse.yml
@@ -1,3 +1,4 @@
-pyopenssl_package_name: python-pyOpenSSL
-pyopenssl_package_name_python3: python3-pyOpenSSL
+---
 openssl_package_name: openssl
+cryptography_package_name: python-cryptography
+cryptography_package_name_python3: python3-cryptography
diff --git a/tests/integration/targets/setup_pyopenssl/meta/main.yml b/tests/integration/targets/setup_pyopenssl/meta/main.yml
new file mode 100644
index 00000000..2be15776
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - setup_remote_constraints
+ - setup_pkg_mgr
diff --git a/tests/integration/targets/setup_pyopenssl/tasks/main.yml b/tests/integration/targets/setup_pyopenssl/tasks/main.yml
new file mode 100644
index 00000000..8d94cf7b
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Include OS-specific variables
+ include_vars: '{{ ansible_os_family }}.yml'
+ when: not ansible_os_family == "Darwin"
+
+- name: Install pyOpenSSL (Python 3)
+ become: true
+ package:
+ name: '{{ pyopenssl_package_name_python3 }}'
+ when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
+
+- name: Install pyOpenSSL (Python 2)
+ become: true
+ package:
+ name: '{{ pyopenssl_package_name }}'
+ when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
+
+- name: Install pyOpenSSL (Darwin)
+ become: true
+ pip:
+ name: pyOpenSSL
+ extra_args: "-c {{ remote_constraints }}"
+ when: ansible_os_family == 'Darwin'
+
+- name: Register pyOpenSSL version
+ command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
+ register: pyopenssl_version
+
+- name: Register pyOpenSSL debug details
+ command: "{{ ansible_python.executable }} -m OpenSSL.debug"
+ register: pyopenssl_debug_version
+ ignore_errors: yes
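Review bot: `ignore_errors: yes` on the last task of the new `setup_pyopenssl/tasks/main.yml` uses a YAML 1.1 truthy word while every `become:` key in the same file is written `true`; write `ignore_errors: true` so the file is consistent and passes yamllint's `truthy` rule. The `pyopenssl_debug_version` result is registered but nothing in this file shows it; if it is meant as log diagnostics, a `debug: var=pyopenssl_debug_version.stdout_lines` task right after it would surface the output, otherwise a comment naming where the fact is consumed would help. The `when: not ansible_os_family == "Darwin"` on the first task uses double quotes while the three install tasks use single quotes for the same literal; picking one form is a minor readability gain.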
diff --git a/tests/integration/targets/setup_pyopenssl/vars/Debian.yml b/tests/integration/targets/setup_pyopenssl/vars/Debian.yml
new file mode 100644
index 00000000..45c183e9
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/vars/Debian.yml
@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: python-openssl
+pyopenssl_package_name_python3: python3-openssl
diff --git a/tests/integration/targets/setup_pyopenssl/vars/FreeBSD.yml b/tests/integration/targets/setup_pyopenssl/vars/FreeBSD.yml
new file mode 100644
index 00000000..4df752c1
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/vars/FreeBSD.yml
@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: py27-openssl
+pyopenssl_package_name_python3: py36-openssl
diff --git a/tests/integration/targets/setup_pyopenssl/vars/RedHat.yml b/tests/integration/targets/setup_pyopenssl/vars/RedHat.yml
new file mode 100644
index 00000000..ffe6cd9b
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/vars/RedHat.yml
@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: pyOpenSSL
+pyopenssl_package_name_python3: python3-pyOpenSSL
diff --git a/tests/integration/targets/setup_pyopenssl/vars/Suse.yml b/tests/integration/targets/setup_pyopenssl/vars/Suse.yml
new file mode 100644
index 00000000..a0f085c7
--- /dev/null
+++ b/tests/integration/targets/setup_pyopenssl/vars/Suse.yml
@@ -0,0 +1,3 @@
+---
+pyopenssl_package_name: python-pyOpenSSL
+pyopenssl_package_name_python3: python3-pyOpenSSL
diff --git a/tests/integration/targets/x509_certificate/meta/main.yml b/tests/integration/targets/x509_certificate/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/x509_certificate/meta/main.yml
+++ b/tests/integration/targets/x509_certificate/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
 - setup_openssl
+ - setup_pyopenssl
diff --git a/tests/integration/targets/x509_certificate/tasks/expired.yml b/tests/integration/targets/x509_certificate/tasks/expired.yml
index 5a5d21b3..b3035de8 100644
--- a/tests/integration/targets/x509_certificate/tasks/expired.yml
+++ b/tests/integration/targets/x509_certificate/tasks/expired.yml
@@ -23,7 +23,7 @@
 when: select_crypto_backend == 'pyopenssl' # cryptography won't allow creating expired certificates
 - name: (Expired, {{select_crypto_backend}}) Generate expired selfsigned certificate
- command: "openssl x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
+ command: "{{ openssl_binary }} x509 -req -days -1 -in {{ output_dir }}/has_expired_csr.csr -signkey {{ output_dir }}/has_expired_privatekey.pem -out {{ output_dir }}/has_expired_cert.pem"
 when: select_crypto_backend == 'cryptography' # So we create it with 'command'
 - name: "(Expired) Check task fails because cert is expired (has_expired: false)"
diff --git a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
index 19ab6198..e8d23f46 100644
--- a/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
+++ b/tests/integration/targets/x509_certificate/tests/validate_ownca.yml
@@ -1,18 +1,18 @@
 ---
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - verify CA)
- shell: 'openssl verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
+ shell: '{{ openssl_binary }} verify -CAfile {{ output_dir }}/ca_cert.pem {{ output_dir }}/ownca_cert.pem | sed "s/.*: \(.*\)/\1/g"'
 register: ownca_verify_ca
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
- shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
+ shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert.pem'
 register: ownca_cert_modulus
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
- shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
 register: ownca_cert_issuer
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certficate version == default == 3)
- shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: ownca_cert_version
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (assert)
@@ -39,7 +39,7 @@
 - block:
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate v2 (test - ownca certificate version == 2)
- shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: ownca_cert_v2_version
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate version 2 (assert)
@@ -57,7 +57,7 @@
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
- shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
+ shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/ownca_cert2.pem'
 register: ownca_cert2_modulus
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
@@ -66,11 +66,11 @@
 - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate owncal certificate3 (test - notBefore)
- shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
 register: ownca_cert3_notBefore
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (test - notAfter)
- shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
 register: ownca_cert3_notAfter
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate3 (assert - notBefore)
@@ -84,11 +84,11 @@
 - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
- shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
+ shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/ownca_cert_ecc.pem'
 register: ownca_cert_ecc_pubkey
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)
- shell: 'openssl x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/ownca_cert_ecc.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g"'
 register: ownca_cert_ecc_issuer
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (assert)
diff --git a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
index 9561cae4..03da84e6 100644
--- a/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
+++ b/tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml
@@ -1,6 +1,6 @@
 ---
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus)
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey.pem'
 register: privatekey_modulus
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate behavior for no CSR
@@ -11,11 +11,11 @@
 - selfsigned_certificate_no_csr_idempotence_check is not changed
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate modulus)
- shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
+ shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert_no_csr.pem'
 register: cert_modulus
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certficate version == default == 3)
- shell: 'openssl x509 -noout -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert_no_csr.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert_version
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (assert)
@@ -38,16 +38,16 @@
 - selfsigned_certificate_no_csr.certificate == selfsigned_certificate_no_csr_idempotence.certificate
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus)
- shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert.pem'
+ shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert.pem'
 register: cert_modulus
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value)
- shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Issuer" | sed "s/.*: \(.*\)/\1/g; s/ //g;"'
 register: cert_issuer
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certficate version == default == 3)
- shell: 'openssl x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert_version
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (assert)
@@ -77,7 +77,7 @@
 - block:
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
- shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert_v2_version
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate version 2 (assert)
@@ -95,11 +95,11 @@
 when: select_crypto_backend == 'cryptography'
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
- shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
+ shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ output_dir }}/privatekey2.pem'
 register: privatekey2_modulus
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus)
- shell: 'openssl x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
+ shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ output_dir }}/cert2.pem'
 register: cert2_modulus
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert)
@@ -108,11 +108,11 @@
 - cert2_modulus.stdout == privatekey2_modulus.stdout
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notBefore)
- shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert3_notBefore
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (test - notAfter)
- shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+ shell: '{{ openssl_binary }} x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert3_notAfter
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate3 (assert - notBefore)
@@ -126,11 +126,11 @@
 - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
- shell: 'openssl ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
+ shell: '{{ openssl_binary }} ec -pubout -in {{ output_dir }}/privatekey_ecc.pem'
 register: privatekey_ecc_pubkey
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey)
- shell: 'openssl x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
+ shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ output_dir }}/cert_ecc.pem'
 register: cert_ecc_pubkey
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert)
diff --git a/tests/integration/targets/x509_certificate_info/meta/main.yml b/tests/integration/targets/x509_certificate_info/meta/main.yml
index 800aff64..d1a318db 100644
--- a/tests/integration/targets/x509_certificate_info/meta/main.yml
+++ b/tests/integration/targets/x509_certificate_info/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
 - setup_openssl
+ - setup_pyopenssl
diff --git a/tests/utils/shippable/macos.sh b/tests/utils/shippable/macos.sh
new file mode 120000
index 00000000..6ddb7768
--- /dev/null
+++ b/tests/utils/shippable/macos.sh
@@ -0,0 +1 @@
+remote.sh
\ No newline at end of file