Improve CI (all commits from ansible-collections#281).

felixfontein · Sep 17, 2021 · 33fe5a3 · 33fe5a3
1 parent 63f4598
commit 33fe5a3
Show file tree

Hide file tree

Showing 25 changed files with 534 additions and 177 deletions.
diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml
@@ -2,8 +2,8 @@
   - name: Generate account keys
     openssl_privatekey:
       path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
-      passphrase: "{{ item.pass | default(omit, true) }}"
-      cipher: "{{ 'auto' if item.pass | default() else omit }}"
+      passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
+      cipher: "{{ 'auto' if (item.pass | default(false)) else omit }}"
       type: ECC
       curve: secp256r1
       force: true
@@ -12,7 +12,7 @@
   - name: Parse account keys (to ease debugging some test failures)
     openssl_privatekey_info:
       path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
-      passphrase: "{{ item.pass | default(omit, true) }}"
+      passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
       return_private_key_data: true
     loop: "{{ account_keys }}"
 

diff --git a/tests/integration/targets/acme_certificate/meta/main.yml b/tests/integration/targets/acme_certificate/meta/main.yml
@@ -1,3 +1,4 @@
 dependencies:
   - setup_acme
   - setup_remote_tmp_dir
+  - prepare_jinja2_compat
diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -264,92 +264,98 @@
   set_fact:
     cert_5_recreate_3: "{{ challenge_data is changed }}"
     cert_5d_obtain_results: "{{ certificate_obtain_result }}"
-- name: Obtain cert 6
-  include_tasks: obtain-cert.yml
-  vars:
-    certgen_title: Certificate 6
-    certificate_name: cert-6
-    key_type: rsa
-    rsa_bits: "{{ default_rsa_key_size }}"
-    subject_alt_name: "DNS:example.org"
-    subject_alt_name_critical: no
-    account_key: account-ec256
-    challenge: tls-alpn-01
-    modify_account: yes
-    deactivate_authzs: no
-    force: no
-    remaining_days: 10
-    terms_agreed: yes
-    account_email: "example@example.org"
-    acme_expected_root_number: 0
-    select_chain:
-      # All intermediates have the same subject key identifier, so always
-      # the first chain will be found, and we need a second condition to
-      # make sure that the first condition actually works. (The second
-      # condition has been tested above.)
-      - test_certificates: first
-        subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}"
-      - test_certificates: last
-        issuer: "{{ acme_roots[1].subject }}"
-    use_csr_content: true
-- name: Store obtain results for cert 6
-  set_fact:
-    cert_6_obtain_results: "{{ certificate_obtain_result }}"
-    cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
-- name: Obtain cert 7
-  include_tasks: obtain-cert.yml
-  vars:
-    certgen_title: Certificate 7
-    certificate_name: cert-7
-    key_type: rsa
-    rsa_bits: "{{ default_rsa_key_size }}"
-    subject_alt_name:
-    - "IP:127.0.0.1"
-    # - "IP:::1"
-    subject_alt_name_critical: no
-    account_key: account-ec256
-    challenge: http-01
-    modify_account: yes
-    deactivate_authzs: no
-    force: no
-    remaining_days: 10
-    terms_agreed: yes
-    account_email: "example@example.org"
-    acme_expected_root_number: 2
-    select_chain:
-      - test_certificates: last
-        authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
-    use_csr_content: false
-- name: Store obtain results for cert 7
-  set_fact:
-    cert_7_obtain_results: "{{ certificate_obtain_result }}"
-    cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
-- name: Obtain cert 8
-  include_tasks: obtain-cert.yml
-  vars:
-    certgen_title: Certificate 8
-    certificate_name: cert-8
-    key_type: rsa
-    rsa_bits: "{{ default_rsa_key_size }}"
-    subject_alt_name:
-    - "IP:127.0.0.1"
-    # IPv4 only since our test validation server doesn't work
-    # with IPv6 (thanks to Python's socketserver).
-    subject_alt_name_critical: no
-    account_key: account-ec256
-    challenge: tls-alpn-01
-    challenge_alpn_tls: acme_challenge_cert_helper
-    modify_account: yes
-    deactivate_authzs: no
-    force: no
-    remaining_days: 10
-    terms_agreed: yes
-    account_email: "example@example.org"
-    use_csr_content: true
-- name: Store obtain results for cert 8
-  set_fact:
-    cert_8_obtain_results: "{{ certificate_obtain_result }}"
-    cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+- block:
+  - name: Obtain cert 6
+    include_tasks: obtain-cert.yml
+    vars:
+      certgen_title: Certificate 6
+      certificate_name: cert-6
+      key_type: rsa
+      rsa_bits: "{{ default_rsa_key_size }}"
+      subject_alt_name: "DNS:example.org"
+      subject_alt_name_critical: no
+      account_key: account-ec256
+      challenge: tls-alpn-01
+      modify_account: yes
+      deactivate_authzs: no
+      force: no
+      remaining_days: 10
+      terms_agreed: yes
+      account_email: "example@example.org"
+      acme_expected_root_number: 0
+      select_chain:
+        # All intermediates have the same subject key identifier, so always
+        # the first chain will be found, and we need a second condition to
+        # make sure that the first condition actually works. (The second
+        # condition has been tested above.)
+        - test_certificates: first
+          subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}"
+        - test_certificates: last
+          issuer: "{{ acme_roots[1].subject }}"
+      use_csr_content: true
+  - name: Store obtain results for cert 6
+    set_fact:
+      cert_6_obtain_results: "{{ certificate_obtain_result }}"
+      cert_6_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: acme_intermediates[0].subject_key_identifier is defined
+- block:
+  - name: Obtain cert 7
+    include_tasks: obtain-cert.yml
+    vars:
+      certgen_title: Certificate 7
+      certificate_name: cert-7
+      key_type: rsa
+      rsa_bits: "{{ default_rsa_key_size }}"
+      subject_alt_name:
+      - "IP:127.0.0.1"
+      # - "IP:::1"
+      subject_alt_name_critical: no
+      account_key: account-ec256
+      challenge: http-01
+      modify_account: yes
+      deactivate_authzs: no
+      force: no
+      remaining_days: 10
+      terms_agreed: yes
+      account_email: "example@example.org"
+      acme_expected_root_number: 2
+      select_chain:
+        - test_certificates: last
+          authority_key_identifier: "{{ acme_roots[2].subject_key_identifier }}"
+      use_csr_content: false
+  - name: Store obtain results for cert 7
+    set_fact:
+      cert_7_obtain_results: "{{ certificate_obtain_result }}"
+      cert_7_alternate: "{{ 2 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: acme_roots[2].subject_key_identifier is defined
+- block:
+  - name: Obtain cert 8
+    include_tasks: obtain-cert.yml
+    vars:
+      certgen_title: Certificate 8
+      certificate_name: cert-8
+      key_type: rsa
+      rsa_bits: "{{ default_rsa_key_size }}"
+      subject_alt_name:
+      - "IP:127.0.0.1"
+      # IPv4 only since our test validation server doesn't work
+      # with IPv6 (thanks to Python's socketserver).
+      subject_alt_name_critical: no
+      account_key: account-ec256
+      challenge: tls-alpn-01
+      challenge_alpn_tls: acme_challenge_cert_helper
+      modify_account: yes
+      deactivate_authzs: no
+      force: no
+      remaining_days: 10
+      terms_agreed: yes
+      account_email: "example@example.org"
+      use_csr_content: true
+  - name: Store obtain results for cert 8
+    set_fact:
+      cert_8_obtain_results: "{{ certificate_obtain_result }}"
+      cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
+  when: cryptography_version.stdout is version('1.3', '>=')
 ## DISSECT CERTIFICATES #######################################################################
 # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
 - name: Verifying cert 1
@@ -376,14 +382,17 @@
   command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-6-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-6-chain.pem" "{{ remote_tmp_dir }}/cert-6.pem"'
   ignore_errors: yes
   register: cert_6_valid
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Verifying cert 7
   command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-7-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-7-chain.pem" "{{ remote_tmp_dir }}/cert-7.pem"'
   ignore_errors: yes
   register: cert_7_valid
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Verifying cert 8
   command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
   ignore_errors: yes
   register: cert_8_valid
+  when: cryptography_version.stdout is version('1.3', '>=')
 # Dump certificate info
 - name: Dumping cert 1
   command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-1.pem" -noout -text'
@@ -403,12 +412,15 @@
 - name: Dumping cert 6
   command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-6.pem" -noout -text'
   register: cert_6_text
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Dumping cert 7
   command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-7.pem" -noout -text'
   register: cert_7_text
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Dumping cert 8
   command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
   register: cert_8_text
+  when: cryptography_version.stdout is version('1.3', '>=')
 # Dump certificate info
 - name: Dumping cert 1
   x509_certificate_info:
@@ -434,14 +446,17 @@
   x509_certificate_info:
     path: "{{ remote_tmp_dir }}/cert-6.pem"
   register: cert_6_info
+  when: acme_intermediates[0].subject_key_identifier is defined
 - name: Dumping cert 7
   x509_certificate_info:
     path: "{{ remote_tmp_dir }}/cert-7.pem"
   register: cert_7_info
+  when: acme_roots[2].subject_key_identifier is defined
 - name: Dumping cert 8
   x509_certificate_info:
     path: "{{ remote_tmp_dir }}/cert-8.pem"
   register: cert_8_info
+  when: cryptography_version.stdout is version('1.3', '>=')
 ## GET ACCOUNT ORDERS #########################################################################
 - name: Don't retrieve orders
   acme_account_info:

diff --git a/tests/integration/targets/acme_certificate/tests/validate.yml b/tests/integration/targets/acme_certificate/tests/validate.yml
@@ -124,14 +124,38 @@
     that:
       - cert_5_recreate_3 == True
 
-- name: Check that certificate 6 is valid
-  assert:
-    that:
-      - cert_6_valid is not failed
-- name: Check that certificate 6 contains correct SANs
-  assert:
-    that:
-      - "'DNS:example.org' in cert_6_text.stdout"
+- block:
+  - name: Check that certificate 6 is valid
+    assert:
+      that:
+        - cert_6_valid is not failed
+  - name: Check that certificate 6 contains correct SANs
+    assert:
+      that:
+        - "'DNS:example.org' in cert_6_text.stdout"
+  when: acme_intermediates[0].subject_key_identifier is defined
+
+- block:
+  - name: Check that certificate 7 is valid
+    assert:
+      that:
+        - cert_7_valid is not failed
+  - name: Check that certificate 7 contains correct SANs
+    assert:
+      that:
+        - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
+  when: acme_roots[2].subject_key_identifier is defined
+
+- block:
+  - name: Check that certificate 8 is valid
+    assert:
+      that:
+        - cert_8_valid is not failed
+  - name: Check that certificate 8 contains correct SANs
+    assert:
+      that:
+        - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
+  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Validate that orders were not retrieved
   assert:

diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml
@@ -31,4 +31,4 @@
       terms_agreed: yes
       account_email: "example@example.org"
 
-  when: openssl_version.stdout is version('1.0.0', '>=') or cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('1.5', '>=')
diff --git a/tests/integration/targets/acme_inspect/meta/main.yml b/tests/integration/targets/acme_inspect/meta/main.yml
@@ -1,3 +1,4 @@
 dependencies:
   - setup_acme
   - setup_remote_tmp_dir
+  - prepare_jinja2_compat
diff --git a/tests/integration/targets/get_certificate/tasks/main.yml b/tests/integration/targets/get_certificate/tasks/main.yml
@@ -4,24 +4,43 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
+- set_fact:
+    skip_tests: false
+
 - block:
 
   - name: Get servers certificate with backend auto-detection
     get_certificate:
       host: "{{ httpbin_host }}"
       port: 443
+    ignore_errors: true
+    register: result
+
+  - set_fact:
+      skip_tests: |
+        {{
+          result is failed and (
+            'error: [Errno 1] _ssl.c:492: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' in result.msg
+            or
+            'error: _ssl.c:314: Invalid SSL protocol variant specified.' in result.msg
+          )
+        }}
+
+  - assert:
+      that:
+        - result is success or skip_tests
 
   when: |
     pyopenssl_version.stdout is version('0.15', '>=') or
-    (cryptography_version.stdout is version('1.6', '>=') and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6))
+    cryptography_version.stdout is version('1.6', '>=')
 
 - block:
 
   - include_tasks: ../tests/validate.yml
     vars:
       select_crypto_backend: pyopenssl
 
-  when: pyopenssl_version.stdout is version('0.15', '>=')
+  when: pyopenssl_version.stdout is version('0.15', '>=') and not skip_tests
 
 - block:
 
@@ -32,6 +51,4 @@
   # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old,
   # we never noticed before. This becomes a problem with the new cryptography backend,
   # since there is a new enough cryptography version...
-  when: |
-    cryptography_version.stdout is version('1.6', '>=') and
-    (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
+  when: cryptography_version.stdout is version('1.6', '>=') and not skip_tests
diff --git a/tests/integration/targets/openssl_csr_info/meta/main.yml b/tests/integration/targets/openssl_csr_info/meta/main.yml
@@ -2,3 +2,4 @@ dependencies:
   - setup_openssl
   - setup_pyopenssl
   - setup_remote_tmp_dir
+  - prepare_jinja2_compat
diff --git a/tests/integration/targets/openssl_privatekey_info/meta/main.yml b/tests/integration/targets/openssl_privatekey_info/meta/main.yml
@@ -2,3 +2,4 @@ dependencies:
   - setup_openssl
   - setup_pyopenssl
   - setup_remote_tmp_dir
+  - prepare_jinja2_compat
diff --git a/tests/integration/targets/openssl_publickey_info/meta/main.yml b/tests/integration/targets/openssl_publickey_info/meta/main.yml
@@ -2,3 +2,4 @@ dependencies:
   - setup_openssl
   - setup_pyopenssl
   - setup_remote_tmp_dir
+  - prepare_jinja2_compat