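---
####################################################################
# WARNING: These are designed specifically for Ansible tests      #
# and should not be used as examples of how to write Ansible roles #
####################################################################
#
# Integration tests for the openssh_keypair module.
#
# Part 1 generates keys under `output_dir` (standard, check mode, idempotence,
# force, broken/unreadable files, comments, passphrases) and registers the
# results; the assertions for that part live in ../tests/validate.yml.
# Part 2 ("Test regenerate option") drives the `regenerate` option and asserts
# inline.
#
# Small key sizes (1024/2048) are used only to keep the tests fast.
# Tasks that need passphrase support are gated on cryptography >= 3.0 and
# bcrypt >= 3.1.5 (versions collected by setup_bcrypt.yml).
# Booleans are written as true/false throughout (yamllint `truthy`).

# Bumps up cryptography and bcrypt versions to be compatible with OpenSSH >= 7.8
- import_tasks: ./setup_bcrypt.yml

- name: Generate privatekey1 - standard (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_result_check
  check_mode: true

- name: Generate privatekey1 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_result

- name: Generate privatekey1 - standard (check mode idempotent)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_idem_result_check
  check_mode: true

- name: Generate privatekey1 - standard (idempotent)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
    size: 2048
  register: privatekey1_idem_result

- name: Generate privatekey2 - default size
  openssh_keypair:
    path: '{{ output_dir }}/privatekey2'

# DSA is used only to exercise a non-RSA key type; recent OpenSSH releases
# disable DSA, so this task (and the "adjust key type" tasks below) may need
# adjusting on such hosts.
- name: Generate privatekey3 - type dsa
  openssh_keypair:
    path: '{{ output_dir }}/privatekey3'
    type: dsa

- name: Generate privatekey4 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey4'
    size: 2048

- name: Delete privatekey4 - standard
  openssh_keypair:
    state: absent
    path: '{{ output_dir }}/privatekey4'

- name: Generate privatekey5 - standard
  openssh_keypair:
    path: '{{ output_dir }}/privatekey5'
    size: 2048
  register: publickey_gen

- name: Generate privatekey6
  openssh_keypair:
    path: '{{ output_dir }}/privatekey6'
    type: rsa
    size: 2048

- name: Regenerate privatekey6 via force
  openssh_keypair:
    path: '{{ output_dir }}/privatekey6'
    type: rsa
    size: 2048
    force: true
  register: output_regenerated_via_force

# An empty private/public key pair stands in for a corrupted key on disk.
- name: Create broken key
  copy:
    dest: '{{ item }}'
    content: ''
    mode: '0700'
  loop:
    - '{{ output_dir }}/privatekeybroken'
    - '{{ output_dir }}/privatekeybroken.pub'

- name: Regenerate broken key - should fail
  openssh_keypair:
    path: '{{ output_dir }}/privatekeybroken'
    type: rsa
    size: 2048
  register: output_broken
  ignore_errors: true

- name: Regenerate broken key with force
  openssh_keypair:
    path: '{{ output_dir }}/privatekeybroken'
    type: rsa
    force: true
    size: 2048
  register: output_broken_force

# Mode 0200 is owner-write only (no read bit), so the module cannot read the
# key back; the next task replaces it with force.
- name: Generate read-only private key
  openssh_keypair:
    path: '{{ output_dir }}/privatekeyreadonly'
    type: rsa
    mode: '0200'
    size: 2048

- name: Regenerate read-only private key via force
  openssh_keypair:
    path: '{{ output_dir }}/privatekeyreadonly'
    type: rsa
    force: true
    size: 2048
  register: output_read_only

- name: Generate privatekey7 - standard with comment
  openssh_keypair:
    path: '{{ output_dir }}/privatekey7'
    comment: 'test@privatekey7'
    size: 2048
  register: privatekey7_result

- name: Modify privatekey7 comment
  openssh_keypair:
    path: '{{ output_dir }}/privatekey7'
    comment: 'test_modified@privatekey7'
    size: 2048
  register: privatekey7_modified_result

# `ssh-keygen -N` receives the passphrase as a command-line argument, so it is
# visible in process listings and in the logged command; acceptable for a test
# fixture value, not for real key material.
- name: Generate password protected key
  command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'

- name: Try to modify the password protected key - should fail
  openssh_keypair:
    path: '{{ output_dir }}/privatekey8'
    size: 2048
  register: privatekey8_result
  ignore_errors: true

- name: Try to modify the password protected key with force=yes
  openssh_keypair:
    path: '{{ output_dir }}/privatekey8'
    force: true
    size: 2048
  register: privatekey8_result_force

- name: Generate another password protected key
  command: 'ssh-keygen -f {{ output_dir }}/privatekey9 -N {{ passphrase }}'

- name: Try to modify the password protected key with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/privatekey9'
    size: 1024
    passphrase: "{{ passphrase }}"
  register: privatekey9_modified_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Generate another unprotected key
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048

- name: Try to Modify unprotected key with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048
    passphrase: "{{ passphrase }}"
  ignore_errors: true
  register: privatekey10_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Try to force modify the password protected key with force=true
  openssh_keypair:
    path: '{{ output_dir }}/privatekey10'
    size: 2048
    passphrase: "{{ passphrase }}"
    force: true
  register: privatekey10_result_force
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

# Cross-check with the OpenSSH tooling that the module-written passphrase
# protected key is readable outside of the module.
- name: Ensure that ssh-keygen can read keys generated with passphrase
  command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
  register: privatekey10_result_sshkeygen
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Generate PEM encoded key with passphrase
  command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Try to verify a PEM encoded key
  openssh_keypair:
    path: '{{ output_dir }}/privatekey11'
    size: 2048
    passphrase: "{{ passphrase }}"
  register: privatekey11_result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- import_tasks: ../tests/validate.yml

# Test regenerate option
#
# Every task below loops over `regenerate_values` and the assertions index
# results[0]..results[4]; presumably the list holds the module's five
# `regenerate` choices in the order never, fail, partial_idempotence,
# full_idempotence, always (the last is referenced by name in the
# "redistribute keys" tasks) -- confirm against the vars file.
# Key sets per loop item: regenerate-a-* (valid), regenerate-b-* (passphrase
# protected), regenerate-c-* (broken), regenerate-d-* (passphrase protected,
# for the passphrase test).

- name: Regenerate - setup simple keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
  loop: "{{ regenerate_values }}"

- name: Regenerate - setup password protected keys
  command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
  loop: "{{ regenerate_values }}"

- name: Regenerate - setup broken keys
  copy:
    dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
    content: 'broken key'
    mode: '0700'
  with_nested:
    - "{{ regenerate_values }}"
    - ['', '.pub']

- name: Regenerate - setup password protected keys for passphrse test
  command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
  loop: "{{ regenerate_values }}"

- name: Regenerate - modify broken keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-c-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify broken keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-c-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

# Without the passphrase a protected key is indistinguishable from a broken one.
- name: Regenerate - modify password protected keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

# With the passphrase the key can be read; it then differs in type/size from
# what is requested, so the behaviour follows the `regenerate` choice.
- name: Regenerate - modify password protected keys with passphrase (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    passphrase: "{{ passphrase }}"
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- assert:
    that:
      - result.results[0] is success
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- name: Regenerate - modify password protected keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[0].msg"
      - result.results[1] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[1].msg"
      - result.results[2] is failed
      - "'Unable to read the key. The key is protected with a passphrase or broken. Will not proceed.' in result.results[2].msg"
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - modify password protected keys with passphrase
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-d-{{ item }}'
    type: rsa
    size: 1024
    passphrase: "{{ passphrase }}"
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

- assert:
    that:
      - result.results[0] is success
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed
  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

# Matching type and size: only the last (`always`) value triggers a change.
- name: Regenerate - not modify regular keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  register: result

- assert:
    that:
      - result.results[0] is not changed
      - result.results[1] is not changed
      - result.results[2] is not changed
      - result.results[3] is not changed
      - result.results[4] is changed

- name: Regenerate - not modify regular keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  register: result

- assert:
    that:
      - result.results[0] is not changed
      - result.results[1] is not changed
      - result.results[2] is not changed
      - result.results[3] is not changed
      - result.results[4] is changed

# 1048 is simply a size other than the 1024 the keys were created with.
- name: Regenerate - adjust key size (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1048
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - adjust key size
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: rsa
    size: 1048
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

# Copy the key that `always` regenerated over every other variant so the next
# test step starts from identical key files.
- name: Regenerate - redistribute keys
  copy:
    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
    remote_src: true
  with_nested:
    - "{{ regenerate_values }}"
    - ['', '.pub']
  when: "item.0 != 'always'"

- name: Regenerate - adjust key type (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - adjust key type
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result.results[0] is success and result.results[0] is not changed
      - result.results[1] is failed
      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
      - result.results[2] is changed
      - result.results[3] is changed
      - result.results[4] is changed

- name: Regenerate - redistribute keys
  copy:
    src: '{{ output_dir }}/regenerate-a-always{{ item.1 }}'
    dest: '{{ output_dir }}/regenerate-a-{{ item.0 }}{{ item.1 }}'
    remote_src: true
  with_nested:
    - "{{ regenerate_values }}"
    - ['', '.pub']
  when: "item.0 != 'always'"

# A comment change alone is reported as changed for every `regenerate` value;
# the fingerprint check below confirms only `always` replaced the key itself.
- name: Regenerate - adjust comment (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    comment: 'test comment'
    regenerate: '{{ item }}'
  check_mode: true
  loop: "{{ regenerate_values }}"
  ignore_errors: true
  register: result

- assert:
    that:
      - result is changed

- name: Regenerate - adjust comment
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
    type: dsa
    size: 1024
    comment: 'test comment'
    regenerate: '{{ item }}'
  loop: "{{ regenerate_values }}"
  register: result

- assert:
    that:
      - result is changed
      # for all values but 'always', the key should have not been regenerated.
      # verify this by comparing fingerprints:
      - result.results[0].fingerprint == result.results[1].fingerprint
      - result.results[0].fingerprint == result.results[2].fingerprint
      - result.results[0].fingerprint == result.results[3].fingerprint
      - result.results[0].fingerprint != result.results[4].fingerprint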