author | Yanis Guenane <yguenane@gmail.com> | 2017-09-14 18:03:00 +0200 |
---|---|---|
committer | Sam Doran <sdoran@ansible.com> | 2017-09-14 12:03:00 -0400 |
commit | 0648e339a708cdd2e34a820b57cffaa528c52295 (patch) | |
tree | ee23b04cac48cd8a771b32b699008510d87b9fff /test/integration | |
parent | 1950bcc14e66ca6c99c15dc5b13b37a66d87c2c6 (diff) | |
download | ansible-0648e339a708cdd2e34a820b57cffaa528c52295.tar.gz |
openssl: remove static dict for keyUsage (#30339)
keyUsage and extendedKeyUsage are currently statically limited via a
static dict defined in modules_utils/crypto.py. If one specifies a value
that isn't in there, idempotency won't work.
Instead of having a static dict, we use the OpenSSL NIDs of the keyUsage
and extendedKeyUsage values and compare those rather than comparing strings.
Fixes: https://github.com/ansible/ansible/issues/30316
Diffstat (limited to 'test/integration')
3 files changed, 48 insertions, 0 deletions
diff --git a/test/integration/targets/openssl_certificate/tasks/main.yml b/test/integration/targets/openssl_certificate/tasks/main.yml
index 81c2b0f262..f35c90654d 100644
--- a/test/integration/targets/openssl_certificate/tasks/main.yml
+++ b/test/integration/targets/openssl_certificate/tasks/main.yml
@@ -51,6 +51,11 @@
 path: '{{ output_dir }}/csr2.csr'
 privatekey_path: '{{ output_dir }}/privatekey2.pem'
 CN: 'www.example.com'
+ keyUsage:
+ - digitalSignature
+ extendedKeyUsage:
+ - ipsecUser
+ - biometricInfo
 - name: Generate selfsigned certificate2
 openssl_certificate:
@@ -77,6 +82,11 @@
 L: Los Angeles
 O: ACME Inc.
 OU: Roadrunner pest control
+ keyUsage:
+ - digitalSignature
+ extendedKeyUsage:
+ - ipsecUser
+ - biometricInfo
 - import_tasks: ../tests/validate.yml
diff --git a/test/integration/targets/openssl_csr/tasks/main.yml b/test/integration/targets/openssl_csr/tasks/main.yml
index e06eadf393..4405d2b2de 100644
--- a/test/integration/targets/openssl_csr/tasks/main.yml
+++ b/test/integration/targets/openssl_csr/tasks/main.yml
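Review bot: Neither hunk in openssl_certificate/tasks/main.yml is paired with a check that the requested usages end up in the generated artefacts; `keyUsage` and `extendedKeyUsage` are only added as inputs to the task that writes `csr2.csr` and to the task whose subject ends with `OU: Roadrunner pest control`. No validate file for this target is changed on this page, so as far as the diff shows, a certificate issued without `digitalSignature`, `ipsecUser` or `biometricInfo` would still pass. I would add a read-back step to this target's validate file, for example registering the output of `openssl x509 -noout -text -in <certificate path>` and asserting that the key usage and extended key usage sections list the expected values. Both task bodies start outside their hunks, so the module options above the added lines are not visible here.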
@@ -9,6 +9,39 @@
 privatekey_path: '{{ output_dir }}/privatekey.pem'
 commonName: 'www.ansible.com'
+ # keyUsage longname and shortname should be able to be used
+ # interchangeably. Hence the long name is specified here
+ # but the short name is used to test idempotency for ipsecuser
+ # and vice-versa for biometricInfo
+ - name: Generate CSR with KU and XKU
+ openssl_csr:
+ path: '{{ output_dir }}/csr_ku_xku.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ commonName: 'www.ansible.com'
+ keyUsage:
+ - digitalSignature
+ - keyAgreement
+ extendedKeyUsage:
+ - qcStatements
+ - DVCS
+ - IPSec User
+ - biometricInfo
+
+ - name: Generate CSR with KU and XKU (test idempotency)
+ openssl_csr:
+ path: '{{ output_dir }}/csr_ku_xku.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ commonName: 'www.ansible.com'
+ keyUsage:
+ - digitalSignature
+ - keyAgreement
+ extendedKeyUsage:
+ - ipsecUser
+ - qcStatements
+ - DVCS
+ - Biometric Info
+ register: csr_ku_xku
+
 - import_tasks: ../tests/validate.yml
 when: pyopenssl_version.stdout|version_compare('0.15', '>=')
diff --git a/test/integration/targets/openssl_csr/tests/validate.yml b/test/integration/targets/openssl_csr/tests/validate.yml
index b24f61a2bb..0e41b6c7e8 100644
--- a/test/integration/targets/openssl_csr/tests/validate.yml
+++ b/test/integration/targets/openssl_csr/tests/validate.yml
@@ -15,3 +15,8 @@
 that:
 - csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
 - csr_modulus.stdout == privatekey_modulus.stdout
+
+- name: Validate CSR_KU_XKU (assert idempotency)
+ assert:
+ that:
+ - csr_ku_xku.changed == False |
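Review bot: The two `Generate CSR with KU and XKU` tasks only cover the case where the usage sets are equal, so the test would also pass if the new NID comparison treated every pair of lists as matching. That failure mode matters because the module would then silently leave a CSR with broader key usages on disk when the playbook narrows them. I would add a third run with a genuinely different set and assert in validate.yml that it reports a change (`- csr_ku_xku_change.changed`). The page has lost the file's indentation, so the excerpt below uses conventional two-space nesting and has to be aligned with the surrounding tasks.

```yaml
# … unchanged: the two "Generate CSR with KU and XKU" tasks …
- name: Generate CSR with KU and XKU (narrowed usages must report a change)
  openssl_csr:
    path: '{{ output_dir }}/csr_ku_xku.csr'
    privatekey_path: '{{ output_dir }}/privatekey.pem'
    commonName: 'www.ansible.com'
    keyUsage:
      - digitalSignature
    extendedKeyUsage:
      - qcStatements
  register: csr_ku_xku_change
```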
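Review bot: The new assertion in tests/validate.yml compares against a boolean literal, and `- not csr_ku_xku.changed` states the same condition more idiomatically than `csr_ku_xku.changed == False`. The file is also only imported under `when: pyopenssl_version.stdout|version_compare('0.15', '>=')`, while the two new CSR tasks run unconditionally, so on older pyOpenSSL the idempotency result is registered but never checked. A short comment above the assert saying that the check is skipped on those versions, or moving the new tasks under the same condition, would make that explicit. The first run is not registered either, so nothing asserts that it actually created the CSR.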