ansible/test/integration/targets/luks_device/tasks/tests/key-management.yml

---
- name: Create with keyfile1
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes

# Access: keyfile1

- name: Try to open with keyfile1
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is not failed
- name: Close
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed

- name: Try to open with keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is failed

- name: Give access to keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed
    keyfile: "{{ role_path }}/files/keyfile1"
    new_keyfile: "{{ role_path }}/files/keyfile2"
  become: yes

# Access: keyfile1 and keyfile2

- name: Try to open with keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is not failed
- name: Close
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed

- name: Dump LUKS header
  command: "cryptsetup luksDump {{ cryptfile_device }}"

- name: Remove access from keyfile1
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed
    keyfile: "{{ role_path }}/files/keyfile1"
    remove_keyfile: "{{ role_path }}/files/keyfile1"
  become: yes

# Access: keyfile2

- name: Try to open with keyfile1
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is failed

- name: Try to open with keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is not failed
- name: Close
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed

- name: Dump LUKS header
  command: "cryptsetup luksDump {{ cryptfile_device }}"

- name: Remove access from keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed
    keyfile: "{{ role_path }}/files/keyfile2"
    remove_keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: remove_last_key
- assert:
    that:
    - remove_last_key is failed
    - "'force_remove_last_key' in remove_last_key.msg"

# Access: keyfile2

- name: Try to open with keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is not failed
- name: Close
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed

- name: Remove access from keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: closed
    keyfile: "{{ role_path }}/files/keyfile2"
    remove_keyfile: "{{ role_path }}/files/keyfile2"
    force_remove_last_key: yes
  become: yes

# Access: none

- name: Try to open with keyfile2
  luks_device:
    device: "{{ cryptfile_device }}"
    state: opened
    keyfile: "{{ role_path }}/files/keyfile2"
  become: yes
  ignore_errors: yes
  register: open_try
- assert:
    that:
    - open_try is failed
luks_device: add integration tests (#52359) * Add first version of luks_device tests. * Do ~ expansion manually. * Try to enable RHEL8. * Adjust to older losetup version. * Make sure cryptsetup is installed. 6 years ago			`---`
			`- name: Create with keyfile1`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`
			`keyfile: "{{ role_path }}/files/keyfile1"`
			`become: yes`

			`# Access: keyfile1`

			`- name: Try to open with keyfile1`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile1"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is not failed`
			`- name: Close`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`

			`- name: Try to open with keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is failed`

			`- name: Give access to keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`
			`keyfile: "{{ role_path }}/files/keyfile1"`
			`new_keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`

			`# Access: keyfile1 and keyfile2`

			`- name: Try to open with keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is not failed`
			`- name: Close`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`

luks_device: add allow_to_remove_last_key option (#52371) * Add allow_to_remove_last_key option. * Dump headers. * Add support for old versions of cryptsetup luksDump. * Update lib/ansible/modules/crypto/luks_device.py Co-Authored-By: felixfontein <felix@fontein.de> * Rename allow_to_remove_last_key -> force_remove_last_key. 6 years ago			`- name: Dump LUKS header`
			`command: "cryptsetup luksDump {{ cryptfile_device }}"`

luks_device: add integration tests (#52359) * Add first version of luks_device tests. * Do ~ expansion manually. * Try to enable RHEL8. * Adjust to older losetup version. * Make sure cryptsetup is installed. 6 years ago			`- name: Remove access from keyfile1`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`
			`keyfile: "{{ role_path }}/files/keyfile1"`
			`remove_keyfile: "{{ role_path }}/files/keyfile1"`
			`become: yes`

			`# Access: keyfile2`

			`- name: Try to open with keyfile1`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile1"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is failed`

luks_device: add allow_to_remove_last_key option (#52371) * Add allow_to_remove_last_key option. * Dump headers. * Add support for old versions of cryptsetup luksDump. * Update lib/ansible/modules/crypto/luks_device.py Co-Authored-By: felixfontein <felix@fontein.de> * Rename allow_to_remove_last_key -> force_remove_last_key. 6 years ago			`- name: Try to open with keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is not failed`
			`- name: Close`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`

			`- name: Dump LUKS header`
			`command: "cryptsetup luksDump {{ cryptfile_device }}"`

			`- name: Remove access from keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`remove_keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: remove_last_key`
			`- assert:`
			`that:`
			`- remove_last_key is failed`
			`- "'force_remove_last_key' in remove_last_key.msg"`

			`# Access: keyfile2`

luks_device: add integration tests (#52359) * Add first version of luks_device tests. * Do ~ expansion manually. * Try to enable RHEL8. * Adjust to older losetup version. * Make sure cryptsetup is installed. 6 years ago			`- name: Try to open with keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is not failed`
			`- name: Close`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`

			`- name: Remove access from keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: closed`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`remove_keyfile: "{{ role_path }}/files/keyfile2"`
luks_device: add allow_to_remove_last_key option (#52371) * Add allow_to_remove_last_key option. * Dump headers. * Add support for old versions of cryptsetup luksDump. * Update lib/ansible/modules/crypto/luks_device.py Co-Authored-By: felixfontein <felix@fontein.de> * Rename allow_to_remove_last_key -> force_remove_last_key. 6 years ago			`force_remove_last_key: yes`
luks_device: add integration tests (#52359) * Add first version of luks_device tests. * Do ~ expansion manually. * Try to enable RHEL8. * Adjust to older losetup version. * Make sure cryptsetup is installed. 6 years ago			`become: yes`

			`# Access: none`

			`- name: Try to open with keyfile2`
			`luks_device:`
			`device: "{{ cryptfile_device }}"`
			`state: opened`
			`keyfile: "{{ role_path }}/files/keyfile2"`
			`become: yes`
			`ignore_errors: yes`
			`register: open_try`
			`- assert:`
			`that:`
			`- open_try is failed`