ansible/test/integration/targets/ecs_certificate/tasks/main.yml

---
## Verify that integration_config was specified
- block:
  - assert:
      that:
        - entrust_api_user is defined
        - entrust_api_key is defined
        - entrust_api_ip_address is defined
        - entrust_cloud_ip_address is defined
        - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined
        - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents
        - cacerts_bundle_path_local is defined

## SET UP TEST ENVIRONMENT ########################################################################
- name: copy the files needed for verifying test server certificate to the host
  copy:
    src: '{{ cacerts_bundle_path_local }}/'
    dest: '{{ cacerts_bundle_path }}'

- name: Update the CA certificates for our QA certs (collection may need updating if new QA environments used)
  command: c_rehash {{ cacerts_bundle_path }}

- name: Update hosts file
  lineinfile:
    path: /etc/hosts
    state: present
    regexp: 'api.entrust.net$'
    line: '{{ entrust_api_ip_address }} api.entrust.net'

- name: Update hosts file
  lineinfile:
    path: /etc/hosts
    state: present
    regexp: 'cloud.entrust.net$'
    line: '{{ entrust_cloud_ip_address }} cloud.entrust.net'

- name: Clear out the temporary directory for storing the API connection information
  file:
    path: '{{ tmpdir_path }}'
    state: absent

- name: Create a directory for storing the API connection Information
  file:
    path: '{{ tmpdir_path }}'
    state: directory

- name: Copy the files needed for the connection to entrust API to the host
  copy:
    src: '{{ entrust_api_client_cert_path }}'
    dest: '{{ entrust_api_cert }}'

- name: Copy the files needed for the connection to entrust API to the host
  copy:
    src: '{{ entrust_api_client_cert_key_path }}'
    dest: '{{ entrust_api_cert_key }}'

## SETUP CSR TO REQUEST
- name: Generate a 2048 bit RSA private key
  openssl_privatekey:
    path: '{{ privatekey_path }}'
    passphrase: '{{ privatekey_passphrase }}'
    cipher: auto
    type: RSA
    size: 2048

- name: Generate a certificate signing request using the generated key
  openssl_csr:
    path: '{{ csr_path }}'
    privatekey_path: '{{ privatekey_path }}'
    privatekey_passphrase: '{{ privatekey_passphrase }}'
    common_name: '{{ common_name }}'
    organization_name: '{{ organization_name | default(omit) }}'
    organizational_unit_name: '{{ organizational_unit_name | default(omit) }}'
    country_name: '{{ country_name | default(omit) }}'
    state_or_province_name: '{{ state_or_province_name | default(omit) }}'
    digest: sha256

- block:
  - name: Have ECS generate a signed certificate
    ecs_certificate:
      backup: True
      path: '{{ example1_cert_path }}'
      full_chain_path: '{{ example1_chain_path }}'
      csr: '{{ csr_path }}'
      cert_type: '{{ example1_cert_type }}'
      requester_name: '{{ entrust_requester_name }}'
      requester_email: '{{ entrust_requester_email }}'
      requester_phone: '{{ entrust_requester_phone }}'
      entrust_api_user: '{{ entrust_api_user }}'
      entrust_api_key: '{{ entrust_api_key }}'
      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
    register: example1_result

  - assert:
      that:
        - example1_result is not failed
        - example1_result.changed
        - example1_result.tracking_id > 0
        - example1_result.serial_number is string

  # Internal CA refuses to issue certificates with the same DN in a short time frame
  - name: Sleep for 5 seconds so we don't run into duplicate-request errors
    pause:
      seconds: 5

  - name: Attempt to have ECS generate a signed certificate, but existing one is valid
    ecs_certificate:
      backup: True
      path: '{{ example1_cert_path }}'
      full_chain_path: '{{ example1_chain_path }}'
      csr: '{{ csr_path }}'
      cert_type: '{{ example1_cert_type }}'
      requester_name: '{{ entrust_requester_name }}'
      requester_email: '{{ entrust_requester_email }}'
      requester_phone: '{{ entrust_requester_phone }}'
      entrust_api_user: '{{ entrust_api_user }}'
      entrust_api_key: '{{ entrust_api_key }}'
      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
    register: example2_result

  - assert:
      that:
        - example2_result is not failed
        - not example2_result.changed
        - example2_result.backup_file is undefined
        - example2_result.backup_full_chain_file is undefined
        - example2_result.serial_number == example1_result.serial_number
        - example2_result.tracking_id == example1_result.tracking_id

  # Internal CA refuses to issue certificates with the same DN in a short time frame
  - name: Sleep for 5 seconds so we don't run into duplicate-request errors
    pause:
      seconds: 5

  - name: Force a reissue with no CSR, verify that contents changed
    ecs_certificate:
      backup: True
      force: True
      path: '{{ example1_cert_path }}'
      full_chain_path: '{{ example1_chain_path }}'
      cert_type: '{{ example1_cert_type }}'
      request_type: reissue
      requester_name: '{{ entrust_requester_name }}'
      requester_email: '{{ entrust_requester_email }}'
      requester_phone: '{{ entrust_requester_phone }}'
      entrust_api_user: '{{ entrust_api_user }}'
      entrust_api_key: '{{ entrust_api_key }}'
      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
    register: example3_result

  - assert:
      that:
        - example3_result is not failed
        - example3_result.changed
        - example3_result.backup_file is string
        - example3_result.backup_full_chain_file is string
        - example3_result.tracking_id > 0
        - example3_result.tracking_id != example1_result.tracking_id
        - example3_result.serial_number != example1_result.serial_number

  # Internal CA refuses to issue certificates with the same DN in a short time frame
  - name: Sleep for 5 seconds so we don't run into duplicate-request errors
    pause:
      seconds: 5

  - name: Test a request with all of the various optional possible fields populated
    ecs_certificate:
      path: '{{ example4_cert_path }}'
      full_chain_path: '{{ example4_full_chain_path }}'
      csr: '{{ csr_path }}'
      subject_alt_name: '{{ example4_subject_alt_name }}'
      eku: '{{ example4_eku }}'
      ct_log: True
      cert_type: '{{ example4_cert_type }}'
      org: '{{ example4_org }}'
      ou: '{{ example4_ou }}'
      tracking_info: '{{ example4_tracking_info }}'
      additional_emails: '{{ example4_additional_emails }}'
      custom_fields: '{{ example4_custom_fields }}'
      cert_expiry: '{{ example4_cert_expiry }}'
      requester_name: '{{ entrust_requester_name }}'
      requester_email: '{{ entrust_requester_email }}'
      requester_phone: '{{ entrust_requester_phone }}'
      entrust_api_user: '{{ entrust_api_user }}'
      entrust_api_key: '{{ entrust_api_key }}'
      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
    register: example4_result

  - assert:
      that:
        - example4_result is not failed
        - example4_result.changed
        - example4_result.backup_file is undefined
        - example4_result.backup_full_chain_file is undefined
        - example4_result.tracking_id > 0
        - example4_result.serial_number is string

  # For bug 61738, verify that the full chain is valid
  - name: Verify that the full chain path can be successfully imported
    command: openssl verify "{{ example4_full_chain_path }}"
    register: openssl_result

  - assert:
      that:
         - "' OK' in openssl_result.stdout_lines[0]"

  always:
    - name: clean-up temporary folder
      file:
        path: '{{ tmpdir_path }}'
        state: absent
Addition of ECS_Certificate Module (#60883) * Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file. 5 years ago			`---`
			`## Verify that integration_config was specified`
			`- block:`
			`- assert:`
			`that:`
			`- entrust_api_user is defined`
			`- entrust_api_key is defined`
			`- entrust_api_ip_address is defined`
			`- entrust_cloud_ip_address is defined`
			`- entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined`
			`- entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents`
			`- cacerts_bundle_path_local is defined`

			`## SET UP TEST ENVIRONMENT ########################################################################`
			`- name: copy the files needed for verifying test server certificate to the host`
			`copy:`
			`src: '{{ cacerts_bundle_path_local }}/'`
			`dest: '{{ cacerts_bundle_path }}'`

			`- name: Update the CA certificates for our QA certs (collection may need updating if new QA environments used)`
			`command: c_rehash {{ cacerts_bundle_path }}`

			`- name: Update hosts file`
			`lineinfile:`
			`path: /etc/hosts`
			`state: present`
			`regexp: 'api.entrust.net$'`
			`line: '{{ entrust_api_ip_address }} api.entrust.net'`

			`- name: Update hosts file`
			`lineinfile:`
			`path: /etc/hosts`
			`state: present`
			`regexp: 'cloud.entrust.net$'`
			`line: '{{ entrust_cloud_ip_address }} cloud.entrust.net'`

			`- name: Clear out the temporary directory for storing the API connection information`
			`file:`
			`path: '{{ tmpdir_path }}'`
			`state: absent`

			`- name: Create a directory for storing the API connection Information`
			`file:`
			`path: '{{ tmpdir_path }}'`
			`state: directory`

			`- name: Copy the files needed for the connection to entrust API to the host`
			`copy:`
			`src: '{{ entrust_api_client_cert_path }}'`
			`dest: '{{ entrust_api_cert }}'`

			`- name: Copy the files needed for the connection to entrust API to the host`
			`copy:`
			`src: '{{ entrust_api_client_cert_key_path }}'`
			`dest: '{{ entrust_api_cert_key }}'`

			`## SETUP CSR TO REQUEST`
			`- name: Generate a 2048 bit RSA private key`
			`openssl_privatekey:`
			`path: '{{ privatekey_path }}'`
			`passphrase: '{{ privatekey_passphrase }}'`
			`cipher: auto`
			`type: RSA`
			`size: 2048`

			`- name: Generate a certificate signing request using the generated key`
			`openssl_csr:`
			`path: '{{ csr_path }}'`
			`privatekey_path: '{{ privatekey_path }}'`
			`privatekey_passphrase: '{{ privatekey_passphrase }}'`
			`common_name: '{{ common_name }}'`
			`organization_name: '{{ organization_name \| default(omit) }}'`
			`organizational_unit_name: '{{ organizational_unit_name \| default(omit) }}'`
			`country_name: '{{ country_name \| default(omit) }}'`
			`state_or_province_name: '{{ state_or_province_name \| default(omit) }}'`
			`digest: sha256`

			`- block:`
			`- name: Have ECS generate a signed certificate`
			`ecs_certificate:`
			`backup: True`
			`path: '{{ example1_cert_path }}'`
			`full_chain_path: '{{ example1_chain_path }}'`
			`csr: '{{ csr_path }}'`
			`cert_type: '{{ example1_cert_type }}'`
			`requester_name: '{{ entrust_requester_name }}'`
			`requester_email: '{{ entrust_requester_email }}'`
			`requester_phone: '{{ entrust_requester_phone }}'`
			`entrust_api_user: '{{ entrust_api_user }}'`
			`entrust_api_key: '{{ entrust_api_key }}'`
			`entrust_api_client_cert_path: '{{ entrust_api_cert }}'`
			`entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'`
			`register: example1_result`

			`- assert:`
			`that:`
			`- example1_result is not failed`
			`- example1_result.changed`
			`- example1_result.tracking_id > 0`
			`- example1_result.serial_number is string`

			`# Internal CA refuses to issue certificates with the same DN in a short time frame`
			`- name: Sleep for 5 seconds so we don't run into duplicate-request errors`
			`pause:`
			`seconds: 5`

			`- name: Attempt to have ECS generate a signed certificate, but existing one is valid`
			`ecs_certificate:`
			`backup: True`
			`path: '{{ example1_cert_path }}'`
			`full_chain_path: '{{ example1_chain_path }}'`
			`csr: '{{ csr_path }}'`
			`cert_type: '{{ example1_cert_type }}'`
			`requester_name: '{{ entrust_requester_name }}'`
			`requester_email: '{{ entrust_requester_email }}'`
			`requester_phone: '{{ entrust_requester_phone }}'`
			`entrust_api_user: '{{ entrust_api_user }}'`
			`entrust_api_key: '{{ entrust_api_key }}'`
			`entrust_api_client_cert_path: '{{ entrust_api_cert }}'`
			`entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'`
			`register: example2_result`

			`- assert:`
			`that:`
			`- example2_result is not failed`
			`- not example2_result.changed`
			`- example2_result.backup_file is undefined`
			`- example2_result.backup_full_chain_file is undefined`
			`- example2_result.serial_number == example1_result.serial_number`
			`- example2_result.tracking_id == example1_result.tracking_id`

			`# Internal CA refuses to issue certificates with the same DN in a short time frame`
			`- name: Sleep for 5 seconds so we don't run into duplicate-request errors`
			`pause:`
			`seconds: 5`

			`- name: Force a reissue with no CSR, verify that contents changed`
			`ecs_certificate:`
			`backup: True`
			`force: True`
			`path: '{{ example1_cert_path }}'`
			`full_chain_path: '{{ example1_chain_path }}'`
			`cert_type: '{{ example1_cert_type }}'`
			`request_type: reissue`
			`requester_name: '{{ entrust_requester_name }}'`
			`requester_email: '{{ entrust_requester_email }}'`
			`requester_phone: '{{ entrust_requester_phone }}'`
			`entrust_api_user: '{{ entrust_api_user }}'`
			`entrust_api_key: '{{ entrust_api_key }}'`
			`entrust_api_client_cert_path: '{{ entrust_api_cert }}'`
			`entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'`
			`register: example3_result`

			`- assert:`
			`that:`
			`- example3_result is not failed`
			`- example3_result.changed`
			`- example3_result.backup_file is string`
			`- example3_result.backup_full_chain_file is string`
			`- example3_result.tracking_id > 0`
			`- example3_result.tracking_id != example1_result.tracking_id`
			`- example3_result.serial_number != example1_result.serial_number`

			`# Internal CA refuses to issue certificates with the same DN in a short time frame`
			`- name: Sleep for 5 seconds so we don't run into duplicate-request errors`
			`pause:`
			`seconds: 5`

			`- name: Test a request with all of the various optional possible fields populated`
			`ecs_certificate:`
			`path: '{{ example4_cert_path }}'`
Fixes to ecs_certificate cert chain for #61738 (#61858) * Fixes to ecs_certificate cert chain for #61738 * Added changelog fragment * Fixes to ecs_certificate for cleaner join, and better integration test * Fix integration test formatting * End cert chain with a \n * Update changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml Co-Authored-By: Felix Fontein <felix@fontein.de> * Update main.yml 5 years ago			`full_chain_path: '{{ example4_full_chain_path }}'`
Addition of ECS_Certificate Module (#60883) * Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file. 5 years ago			`csr: '{{ csr_path }}'`
			`subject_alt_name: '{{ example4_subject_alt_name }}'`
			`eku: '{{ example4_eku }}'`
			`ct_log: True`
			`cert_type: '{{ example4_cert_type }}'`
			`org: '{{ example4_org }}'`
			`ou: '{{ example4_ou }}'`
			`tracking_info: '{{ example4_tracking_info }}'`
			`additional_emails: '{{ example4_additional_emails }}'`
			`custom_fields: '{{ example4_custom_fields }}'`
			`cert_expiry: '{{ example4_cert_expiry }}'`
			`requester_name: '{{ entrust_requester_name }}'`
			`requester_email: '{{ entrust_requester_email }}'`
			`requester_phone: '{{ entrust_requester_phone }}'`
			`entrust_api_user: '{{ entrust_api_user }}'`
			`entrust_api_key: '{{ entrust_api_key }}'`
			`entrust_api_client_cert_path: '{{ entrust_api_cert }}'`
			`entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'`
			`register: example4_result`

			`- assert:`
			`that:`
			`- example4_result is not failed`
			`- example4_result.changed`
			`- example4_result.backup_file is undefined`
			`- example4_result.backup_full_chain_file is undefined`
			`- example4_result.tracking_id > 0`
			`- example4_result.serial_number is string`

Fixes to ecs_certificate cert chain for #61738 (#61858) * Fixes to ecs_certificate cert chain for #61738 * Added changelog fragment * Fixes to ecs_certificate for cleaner join, and better integration test * Fix integration test formatting * End cert chain with a \n * Update changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml Co-Authored-By: Felix Fontein <felix@fontein.de> * Update main.yml 5 years ago			`# For bug 61738, verify that the full chain is valid`
			`- name: Verify that the full chain path can be successfully imported`
			`command: openssl verify "{{ example4_full_chain_path }}"`
			`register: openssl_result`

			`- assert:`
			`that:`
			`- "' OK' in openssl_result.stdout_lines[0]"`

Addition of ECS_Certificate Module (#60883) * Addition of ecs_certificate module. * Documentation and code fixes * Updates per code review * Doc fixes, rename of chain_path to full_chain_path, add regex for cert_Expiry check * Fixes to pep8 check to make regexp string 'raw'. * Mistakes with find/replace of caseing. * Added integration tests and some doc cleanup * Some additional assertions and test typo cleanup * Update lib/ansible/modules/crypto/entrust/ecs_certificate.py Co-Authored-By: Felix Fontein <felix@fontein.de> * Responses to code review comments * Remove fake passwords from aliases file. 5 years ago			`always:`
			`- name: clean-up temporary folder`
			`file:`
			`path: '{{ tmpdir_path }}'`
			`state: absent`