---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- debug:
    msg: "Executing tests with backend {{ select_crypto_backend }}"

- name: "({{ select_crypto_backend }}) Get CSR info"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_1.csr'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result

- name: "({{ select_crypto_backend }}) Get CSR info (IDNA encoding)"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_1.csr'
    name_encoding: idna
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result_idna

- name: "({{ select_crypto_backend }}) Get CSR info (Unicode encoding)"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_1.csr'
    name_encoding: unicode
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result_unicode

- name: "({{ select_crypto_backend }}) Check whether subject and extensions behaves as expected"
  assert:
    that:
      - result.subject.organizationalUnitName == 'ACME Department'
      - "['organizationalUnitName', 'Crypto Department'] in result.subject_ordered"
      - "['organizationalUnitName', 'ACME Department'] in result.subject_ordered"
      - result.public_key_type == 'RSA'
      - result.public_key_data.size == default_rsa_key_size
      # TLS Feature
      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].critical == false
      - result.extensions_by_oid['1.3.6.1.5.5.7.1.24'].value == 'MAMCAQU='
      # Key Usage
      - result.extensions_by_oid['2.5.29.15'].critical == true
      - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
      # Subject Alternative Names
      - result.subject_alt_name[1] == ("DNS:âņsïbłè.com" if cryptography_version.stdout is version('2.1', '<') else "DNS:xn--sb-oia0a7a53bya.com")
      - result_unicode.subject_alt_name[1] == "DNS:âņsïbłè.com"
      - result_idna.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com"
      - result.extensions_by_oid['2.5.29.17'].critical == false
      - result.extensions_by_oid['2.5.29.17'].value == 'MHmCD3d3dy5hbnNpYmxlLmNvbYIXeG4tLXNiLW9pYTBhN2E1M2J5YS5jb22HBAECAwSHEAAAAAAAAAAAAAAAAAAAAAGBEHRlc3RAZXhhbXBsZS5vcmeGI2h0dHBzOi8vZXhhbXBsZS5vcmcvdGVzdC9pbmRleC5odG1s'
      # Basic Constraints
      - result.extensions_by_oid['2.5.29.19'].critical == true
      - result.extensions_by_oid['2.5.29.19'].value == 'MAYBAf8CARc='
      # Extended Key Usage
      - result.extensions_by_oid['2.5.29.37'].critical == false
      - result.extensions_by_oid['2.5.29.37'].value == 'MHQGCCsGAQUFBwMBBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJBgRVHSUABggrBgEFBQcBAwYIKwYBBQUHAwoGCCsGAQUFBwMHBggrBgEFBQcBAg=='

- name: "({{ select_crypto_backend }}) Check SubjectKeyIdentifier and AuthorityKeyIdentifier"
  assert:
    that:
      - result.subject_key_identifier == "00:11:22:33"
      - result.authority_key_identifier == "44:55:66:77"
      - result.authority_cert_issuer == expected_authority_cert_issuer
      - result.authority_cert_serial_number == 12345
      # Subject Key Identifier
      - result.extensions_by_oid['2.5.29.14'].critical == false
      # Authority Key Identifier
      - result.extensions_by_oid['2.5.29.35'].critical == false
  vars:
    expected_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"
  when: cryptography_version.stdout is version('1.3', '>=')

- name: "({{ select_crypto_backend }}) Read CSR"
  slurp:
    src: '{{ remote_tmp_dir }}/csr_1.csr'
  register: slurp

- name: "({{ select_crypto_backend }}) Get CSR info directly"
  openssl_csr_info:
    content: '{{ slurp.content | b64decode }}'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result_direct

- name: "({{ select_crypto_backend }}) Compare output of direct and loaded info"
  assert:
    that:
      - result == result_direct

- name: "({{ select_crypto_backend }}) Get CSR info"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_2.csr'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result

- name: "({{ select_crypto_backend }}) Get CSR info"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_3.csr'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result

- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
  assert:
    that:
      - result.authority_key_identifier is none
      - result.authority_cert_issuer == expected_authority_cert_issuer
      - result.authority_cert_serial_number == 12345
  vars:
    expected_authority_cert_issuer:
      - "DNS:ca.example.org"
      - "IP:1.2.3.4"
  when: cryptography_version.stdout is version('1.3', '>=')

- name: "({{ select_crypto_backend }}) Get CSR info"
  openssl_csr_info:
    path: '{{ remote_tmp_dir }}/csr_4.csr'
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: result

- name: "({{ select_crypto_backend }}) Check AuthorityKeyIdentifier"
  assert:
    that:
      - result.authority_key_identifier == "44:55:66:77"
      - result.authority_cert_issuer is none
      - result.authority_cert_serial_number is none
  when: cryptography_version.stdout is version('1.3', '>=')