community.crypto/tests/integration/targets/openssh_cert/tasks/main.yml

####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################

- name: openssh_cert integration tests
  when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
  block:
  - name: Generate keypair
    openssh_keypair:
      path: '{{ output_dir }}/id_key'
      type: rsa
      size: 2048
  - name: Generate always valid cert (check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
    check_mode: yes
  - name: Generate always valid cert
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
  - name: Generate always valid cert (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
  - name: Generate always valid cert (idempotent, check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
    check_mode: yes
  - name: Generate restricted validity cert with valid_at (check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: +0s
      valid_to: +32w
      valid_at: +2w
    check_mode: yes
  - name: Generate restricted validity cert with valid_at
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: +0s
      valid_to: +32w
      valid_at: +2w
  - name: Generate restricted validity cert with valid_at (idempotent)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: +0s
      valid_to: +32w
      valid_at: +2w
  - name: Generate restricted validity cert with valid_at (idempotent, check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: +0s
      valid_to: +32w
      valid_at: +2w
    check_mode: yes
  - name: Generate always valid cert only for example.com and examplehost (check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
      principals:
          - example.com
          - examplehost
    check_mode: yes
  - name: Generate always valid cert only for example.com and examplehost
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
      principals:
          - example.com
          - examplehost
  - name: Generate always valid cert only for example.com and examplehost (idempotent)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
      principals:
          - example.com
          - examplehost
  - name: Generate always valid cert only for example.com and examplehost (idempotent, check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
      principals:
          - example.com
          - examplehost
    check_mode: yes
  - name: Generate always valid cert only for example.com and examplehost (idempotent, switch)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: always
      valid_to: forever
      principals:
          - examplehost
          - example.com
  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
    check_mode: yes
  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (idempotent)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (idempotent, check mode)
    openssh_cert:
      type: host
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
    check_mode: yes
  - name: Generate an OpenSSH user Certificate with clear and force-command option (check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      options:
          - "clear"
          - "force-command=/tmp/bla/foo"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
    check_mode: yes
  - name: Generate an OpenSSH user Certificate with clear and force-command option
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      options:
          - "clear"
          - "force-command=/tmp/bla/foo"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      options:
          - "clear"
          - "force-command=/tmp/bla/foo"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent, check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      options:
          - "clear"
          - "force-command=/tmp/bla/foo"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
    check_mode: yes
  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent, switch)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert'
      options:
          - "force-command=/tmp/bla/foo"
          - "clear"
      valid_from: "2001-01-21"
      valid_to: "2019-01-21"
  - name: Generate cert without serial
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_no_serial'
      valid_from: always
      valid_to: forever
    register: rc_no_serial_number
  - name: check default serial
    assert:
      that:
        - "'Serial: 0' in rc_no_serial_number.info"
      msg: OpenSSH user certificate contains the default serial number.
  - name: Generate cert without serial (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_no_serial'
      valid_from: always
      valid_to: forever
    register: rc_no_serial_number_idempotent
  - name: check idempotent
    assert:
      that:
        - rc_no_serial_number_idempotent is not changed
      msg: OpenSSH certificate generation without serial number is idempotent.
  - name: Generate cert with serial 42
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_42'
      valid_from: always
      valid_to: forever
      serial_number: 42
    register: rc_serial_number
  - name: check serial 42
    assert:
      that:
        - "'Serial: 42' in rc_serial_number.info"
      msg: OpenSSH user certificate contains the serial number from the params.
  - name: Generate cert with serial 42 (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_42'
      valid_from: always
      valid_to: forever
      serial_number: 42
    register: rc_serial_number_idempotent
  - name: check idempotent
    assert:
      that:
        - rc_serial_number_idempotent is not changed
      msg: OpenSSH certificate generation with serial number is idempotent.
  - name: Generate cert with changed serial number
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_42'
      valid_from: always
      valid_to: forever
      serial_number: 1337
    register: rc_serial_number_changed
  - name: check changed
    assert:
      that:
        - rc_serial_number_changed is changed
      msg: OpenSSH certificate regenerated upon serial number change.
  - name: Generate cert with removed serial number
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_42'
      valid_from: always
      valid_to: forever
      serial_number: 0
    register: rc_serial_number_removed
  - name: check changed
    assert:
      that:
        - rc_serial_number_removed is changed
      msg: OpenSSH certificate regenerated upon serial number removal.
  - name: Generate a new cert with serial number
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_ignore'
      valid_from: always
      valid_to: forever
      serial_number: 42
  - name: Generate cert again, omitting the parameter serial_number (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_serial_ignore'
      valid_from: always
      valid_to: forever
    register: rc_serial_number_ignored
  - name: check idempotent
    assert:
      that:
        - rc_serial_number_ignored is not changed
      msg: OpenSSH certificate generation with omitted serial number is idempotent.
  - name: Remove certificate (check mode)
    openssh_cert:
      state: absent
      path: '{{ output_dir }}/id_cert'
      #type: user
      #signing_key: '{{ output_dir }}/id_key'
      #public_key: '{{ output_dir }}/id_key.pub'
      #valid_from: "2001-01-21"
      #valid_to: "2019-01-21"
    check_mode: yes
  - name: Remove certificate
    openssh_cert:
      state: absent
      path: '{{ output_dir }}/id_cert'
      #type: user
      #signing_key: '{{ output_dir }}/id_key'
      #public_key: '{{ output_dir }}/id_key.pub'
      #valid_from: "2001-01-21"
      #valid_to: "2019-01-21"
  - name: Remove certificate (idempotent)
    openssh_cert:
      state: absent
      path: '{{ output_dir }}/id_cert'
      #type: user
      #signing_key: '{{ output_dir }}/id_key'
      #public_key: '{{ output_dir }}/id_key.pub'
      #valid_from: "2001-01-21"
      #valid_to: "2019-01-21"
  - name: Remove certificate (idempotent, check mode)
    openssh_cert:
      state: absent
      path: '{{ output_dir }}/id_cert'
      #type: user
      #signing_key: '{{ output_dir }}/id_key'
      #public_key: '{{ output_dir }}/id_key.pub'
      #valid_from: "2001-01-21"
      #valid_to: "2019-01-21"
    check_mode: yes
  - name: Remove keypair
    openssh_keypair:
      path: '{{ output_dir }}/id_key'
      state: absent

- name: openssh_cert integration tests that require ssh-agent
  when: openssh_version is version("7.6",">=")
  environment:
    SSH_AUTH_SOCK: "{{ openssh_agent_sock }}"
  block:
  - name: Generate keypair for agent tests
    openssh_keypair:
      path: '{{ output_dir }}/id_key'
      type: rsa
      size: 2048
  - name: Generate always valid cert using agent without key in agent (should fail)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_with_agent'
      use_agent: yes
      valid_from: always
      valid_to: forever
    register: rc_no_key_in_agent
    ignore_errors: yes
  - name: Make sure cert creation with agent fails if key not in agent
    assert:
      that:
        - rc_no_key_in_agent is failed
        - "'agent contains no identities' in rc_no_key_in_agent.msg or 'not found in agent' in rc_no_key_in_agent.msg"
  - name: Add key to agent
    command: 'ssh-add {{ output_dir }}/id_key'
  - name: Generate always valid cert with agent (check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_with_agent'
      use_agent: yes
      valid_from: always
      valid_to: forever
    check_mode: yes
  - name: Generate always valid cert with agent
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_with_agent'
      use_agent: yes
      valid_from: always
      valid_to: forever
  - name: Generate always valid cert with agent (idempotent)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_with_agent'
      use_agent: yes
      valid_from: always
      valid_to: forever
    register: rc_cert_with_agent_idempotent
  - name: Check agent idempotency
    assert:
      that:
        - rc_cert_with_agent_idempotent is not changed
      msg: OpenSSH certificate generation without serial number is idempotent.
  - name: Generate always valid cert with agent (idempotent, check mode)
    openssh_cert:
      type: user
      signing_key: '{{ output_dir }}/id_key'
      public_key: '{{ output_dir }}/id_key.pub'
      path: '{{ output_dir }}/id_cert_with_agent'
      use_agent: yes
      valid_from: always
      valid_to: forever
    check_mode: yes
  - name: Remove keypair for agent tests
    openssh_keypair:
      path: '{{ output_dir }}/id_key'
      state: absent
  - name: Remove certificate
    openssh_cert:
      state: absent
      path: '{{ output_dir }}/id_cert_with_agent'