145 lines
5.2 KiB
YAML
145 lines
5.2 KiB
YAML
---
|
|
# Copyright (c) Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
####################################################################
|
|
# WARNING: These are designed specifically for Ansible tests #
|
|
# and should not be used as examples of how to write Ansible roles #
|
|
####################################################################
|
|
|
|
- block:
|
|
- name: Obtain root and intermediate certificates
|
|
get_url:
|
|
url: "http://{{ acme_host }}:5000/{{ item.0 }}-certificate-for-ca/{{ item.1 }}"
|
|
dest: "{{ remote_tmp_dir }}/acme-{{ item.0 }}-{{ item.1 }}.pem"
|
|
loop: "{{ query('nested', types, root_numbers) }}"
|
|
|
|
- name: Analyze root certificates
|
|
x509_certificate_info:
|
|
path: "{{ remote_tmp_dir }}/acme-root-{{ item }}.pem"
|
|
loop: "{{ root_numbers }}"
|
|
register: acme_roots
|
|
|
|
- name: Analyze intermediate certificates
|
|
x509_certificate_info:
|
|
path: "{{ remote_tmp_dir }}/acme-intermediate-{{ item }}.pem"
|
|
loop: "{{ root_numbers }}"
|
|
register: acme_intermediates
|
|
|
|
- name: Read root certificates
|
|
slurp:
|
|
src: "{{ remote_tmp_dir ~ '/acme-root-' ~ item ~ '.pem' }}"
|
|
loop: "{{ root_numbers }}"
|
|
register: slurp_roots
|
|
|
|
- set_fact:
|
|
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
|
|
loop: "{{ acme_roots.results }}"
|
|
register: acme_roots_tmp
|
|
|
|
- name: Read intermediate certificates
|
|
slurp:
|
|
src: "{{ remote_tmp_dir ~ '/acme-intermediate-' ~ item ~ '.pem' }}"
|
|
loop: "{{ root_numbers }}"
|
|
register: slurp_intermediates
|
|
|
|
- set_fact:
|
|
x__: "{{ item | dict2items | selectattr('key', 'in', interesting_keys) | list | items2dict }}"
|
|
loop: "{{ acme_intermediates.results }}"
|
|
register: acme_intermediates_tmp
|
|
|
|
- set_fact:
|
|
acme_roots: "{{ acme_roots_tmp.results | map(attribute='ansible_facts.x__') | list }}"
|
|
acme_root_certs: "{{ slurp_roots.results | map(attribute='content') | map('b64decode') | list }}"
|
|
acme_intermediates: "{{ acme_intermediates_tmp.results | map(attribute='ansible_facts.x__') | list }}"
|
|
acme_intermediate_certs: "{{ slurp_intermediates.results | map(attribute='content') | map('b64decode') | list }}"
|
|
|
|
vars:
|
|
types:
|
|
- root
|
|
- intermediate
|
|
root_numbers:
|
|
- 0
|
|
interesting_keys:
|
|
- authority_key_identifier
|
|
- subject_key_identifier
|
|
- issuer
|
|
- subject
|
|
|
|
- name: Get hold of acme-tiny executable
|
|
get_url:
|
|
url: https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
|
|
dest: "{{ remote_tmp_dir }}/acme-tiny"
|
|
when: ansible_python_version is version('2.7', '>=')
|
|
|
|
- name: Get hold of acme-tiny executable (Python 2.6)
|
|
command:
|
|
cmd: >-
|
|
curl https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py --output "{{ remote_tmp_dir }}/acme-tiny"
|
|
when: ansible_python_version is version('2.7', '<')
|
|
|
|
- name: Make sure acme-tiny is executable
|
|
file:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
mode: "0755"
|
|
|
|
- name: "Monkey-patch acme-tiny: Disable certificate validation"
|
|
blockinfile:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK: DISABLE CERTIFICATE VALIDATION FOR HTTPS REQUESTS"
|
|
insertafter: '^#!.*'
|
|
block: |
|
|
import ssl
|
|
try:
|
|
ssl._create_default_https_context = ssl._create_unverified_context
|
|
except Exception:
|
|
# Python before 2.7.9 has no verification at all. So nothing to disable.
|
|
pass
|
|
# For later:
|
|
try:
|
|
from urllib.request import Request # Python 3
|
|
except ImportError:
|
|
from urllib2 import Request # Python 2
|
|
|
|
- name: "Monkey-patch acme-tiny: adjust shebang"
|
|
replace:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
regexp: '^\#\!/usr/bin/env .*$'
|
|
replace: '#!{{ ansible_python_interpreter }}'
|
|
|
|
- name: "Monkey-patch acme-tiny: Disable check that challenge file is reachable via HTTP"
|
|
replace:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
regexp: 'parser\.add_argument\("--disable-check", default=False,'
|
|
replace: 'parser.add_argument("--disable-check", default=True,'
|
|
|
|
- name: "Monkey-patch acme-tiny: Instead of writing challenge files to disk, post them to challenge server"
|
|
replace:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
regexp: 'with open\(wellknown_path, "w"\) as [^:]+:\n\s+[^. ]+\.write\(([^)]+)\)'
|
|
replace: 'r = Request(url="http://{{ acme_host }}:5000/http/" + domain + "/" + token, data=\1.encode("utf8"), headers={"content-type": "application/octet-stream"}) ; r.get_method = lambda: "PUT" ; urlopen(r).close()'
|
|
|
|
- name: "Monkey-patch acme-tiny: Remove file cleanup"
|
|
replace:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
regexp: 'os\.remove\(wellknown_path\)'
|
|
replace: 'pass'
|
|
|
|
- name: "Monkey-patch acme-tiny: Allow to run with Python 2"
|
|
replace:
|
|
path: "{{ remote_tmp_dir }}/acme-tiny"
|
|
regexp: '#!/usr/bin/env python3'
|
|
replace: '#!/usr/bin/env python'
|
|
when: ansible_facts.python.version.major == 2
|
|
|
|
- name: Create challenges directory
|
|
file:
|
|
path: '{{ remote_tmp_dir }}/challenges'
|
|
state: directory
|
|
|
|
- name: Running tests
|
|
include_tasks: impl.yml
|
|
# Make x509_certificate module happy
|
|
when: cryptography_version.stdout is version('1.6', '>=')
|