openssl_dhparam: add cryptography backend (#62991)
* Separate OpenSSL-specific code from generic code.
* Make sure absent works without OpenSSL.
* Add cryptography backend.
* Add tests.
* Add changelog.
* Duplicate disclaimer.
* Add dependency on setup_openssl.
* Forgot to adjust something.
* Fix version tuple.

pull/63146/head
parent
a59b9d4269
commit
24b80848dc
@ -0,0 +1,2 @@
|
|||||||
|
minor_changes:
|
||||||
|
- "openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option."
|
@ -0,0 +1,2 @@
|
|||||||
|
dependencies:
|
||||||
|
- setup_openssl
|
@ -0,0 +1,97 @@
|
|||||||
|
---
|
||||||
|
# The tests for this module generate unsafe parameters for testing purposes;
|
||||||
|
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate parameter"
|
||||||
|
openssl_dhparam:
|
||||||
|
size: 768
|
||||||
|
path: '{{ output_dir }}/dh768.pem'
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
|
||||||
|
openssl_dhparam:
|
||||||
|
size: 768
|
||||||
|
path: '{{ output_dir }}/dh768.pem'
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_changed
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate parameters with size option"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh512.pem'
|
||||||
|
size: 512
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with size option and no change"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh512.pem'
|
||||||
|
size: 512
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_changed_512
|
||||||
|
|
||||||
|
- copy:
|
||||||
|
src: '{{ output_dir }}/dh768.pem'
|
||||||
|
remote_src: yes
|
||||||
|
dest: '{{ output_dir }}/dh512.pem'
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Re-generate if size is different"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh512.pem'
|
||||||
|
size: 512
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_changed_to_512
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Force re-generate parameters with size option"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh512.pem'
|
||||||
|
size: 512
|
||||||
|
force: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_changed_force
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Create broken params"
|
||||||
|
copy:
|
||||||
|
dest: "{{ output_dir }}/dhbroken.pem"
|
||||||
|
content: "broken"
|
||||||
|
- name: "[{{ select_crypto_backend }}] Regenerate broken params"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dhbroken.pem'
|
||||||
|
size: 512
|
||||||
|
force: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: output_broken
|
||||||
|
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate params"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh_backup.pem'
|
||||||
|
size: 512
|
||||||
|
backup: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_backup_1
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate params (idempotent)"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh_backup.pem'
|
||||||
|
size: 512
|
||||||
|
backup: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_backup_2
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate params (change)"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh_backup.pem'
|
||||||
|
size: 512
|
||||||
|
force: yes
|
||||||
|
backup: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_backup_3
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate params (remove)"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh_backup.pem'
|
||||||
|
state: absent
|
||||||
|
backup: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_backup_4
|
||||||
|
- name: "[{{ select_crypto_backend }}] Generate params (remove, idempotent)"
|
||||||
|
openssl_dhparam:
|
||||||
|
path: '{{ output_dir }}/dh_backup.pem'
|
||||||
|
state: absent
|
||||||
|
backup: yes
|
||||||
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||||
|
register: dhparam_backup_5
|
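Review bot: The "Regenerate broken params" task sets `force: yes`, so the file containing `broken` is rewritten whether or not the module recognises it as invalid, and the check of an existing file is never exercised for either backend. Dropping `force: yes` from that one task would make the run fail if the new cryptography backend accepted an unparseable file as valid parameters, provided validate.yml asserts `output_broken is changed`. That check is presumably what replaces a corrupted or undersized parameter file on a real host, so it deserves a test that depends on it. The task was carried over from the earlier test file, and validate.yml is not shown in this section, so the assertion side is inferred.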
@ -1,88 +1,38 @@
|
|||||||
---
|
---
|
||||||
- block:
|
# The tests for this module generate unsafe parameters for testing purposes;
|
||||||
# This module generates unsafe parameters for testing purposes
|
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
|
||||||
# otherwise tests would be too slow
|
|
||||||
- name: Generate parameter
|
|
||||||
openssl_dhparam:
|
|
||||||
size: 768
|
|
||||||
path: '{{ output_dir }}/dh768.pem'
|
|
||||||
|
|
||||||
- name: Don't regenerate parameters with no change
|
- name: Run module with backend autodetection
|
||||||
openssl_dhparam:
|
openssl_dhparam:
|
||||||
size: 768
|
path: '{{ output_dir }}/dh_backend_selection.pem'
|
||||||
path: '{{ output_dir }}/dh768.pem'
|
size: 512
|
||||||
register: dhparam_changed
|
|
||||||
|
|
||||||
- name: Generate parameters with size option
|
- block:
|
||||||
openssl_dhparam:
|
- name: Running tests with OpenSSL backend
|
||||||
path: '{{ output_dir }}/dh512.pem'
|
include_tasks: impl.yml
|
||||||
size: 512
|
|
||||||
|
|
||||||
- name: Don't regenerate parameters with size option and no change
|
- include_tasks: ../tests/validate.yml
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh512.pem'
|
|
||||||
size: 512
|
|
||||||
register: dhparam_changed_512
|
|
||||||
|
|
||||||
- copy:
|
vars:
|
||||||
src: '{{ output_dir }}/dh768.pem'
|
select_crypto_backend: openssl
|
||||||
remote_src: yes
|
# when: openssl_version.stdout is version('1.0.0', '>=')
|
||||||
dest: '{{ output_dir }}/dh512.pem'
|
|
||||||
|
|
||||||
- name: Re-generate if size is different
|
- name: Remove output directory
|
||||||
openssl_dhparam:
|
file:
|
||||||
path: '{{ output_dir }}/dh512.pem'
|
path: "{{ output_dir }}"
|
||||||
size: 512
|
state: absent
|
||||||
register: dhparam_changed_to_512
|
|
||||||
|
|
||||||
- name: Force re-generate parameters with size option
|
- name: Re-create output directory
|
||||||
openssl_dhparam:
|
file:
|
||||||
path: '{{ output_dir }}/dh512.pem'
|
path: "{{ output_dir }}"
|
||||||
size: 512
|
state: directory
|
||||||
force: yes
|
|
||||||
register: dhparam_changed_force
|
|
||||||
|
|
||||||
- name: Create broken params
|
- block:
|
||||||
copy:
|
- name: Running tests with cryptography backend
|
||||||
dest: "{{ output_dir }}/dhbroken.pem"
|
include_tasks: impl.yml
|
||||||
content: "broken"
|
|
||||||
- name: Regenerate broken params
|
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dhbroken.pem'
|
|
||||||
size: 512
|
|
||||||
force: yes
|
|
||||||
register: output_broken
|
|
||||||
|
|
||||||
- name: Generate params
|
- include_tasks: ../tests/validate.yml
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh_backup.pem'
|
|
||||||
size: 512
|
|
||||||
backup: yes
|
|
||||||
register: dhparam_backup_1
|
|
||||||
- name: Generate params (idempotent)
|
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh_backup.pem'
|
|
||||||
size: 512
|
|
||||||
backup: yes
|
|
||||||
register: dhparam_backup_2
|
|
||||||
- name: Generate params (change)
|
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh_backup.pem'
|
|
||||||
size: 512
|
|
||||||
force: yes
|
|
||||||
backup: yes
|
|
||||||
register: dhparam_backup_3
|
|
||||||
- name: Generate params (remove)
|
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh_backup.pem'
|
|
||||||
state: absent
|
|
||||||
backup: yes
|
|
||||||
register: dhparam_backup_4
|
|
||||||
- name: Generate params (remove, idempotent)
|
|
||||||
openssl_dhparam:
|
|
||||||
path: '{{ output_dir }}/dh_backup.pem'
|
|
||||||
state: absent
|
|
||||||
backup: yes
|
|
||||||
register: dhparam_backup_5
|
|
||||||
|
|
||||||
- import_tasks: ../tests/validate.yml
|
vars:
|
||||||
|
select_crypto_backend: cryptography
|
||||||
|
when: cryptography_version.stdout is version('2.0', '>=')
|
||||||
|
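Review bot: The OpenSSL block keeps its condition only as a comment, `# when: openssl_version.stdout is version('1.0.0', '>=')`, so those tests run unconditionally while the cryptography block is gated on `cryptography_version.stdout is version('2.0', '>=')`. Either delete the commented line or replace it with a comment that states the reason, for example `# no version gate: any openssl binary installed by setup_openssl is sufficient`, if that is in fact why it was disabled. The "Run module with backend autodetection" task also registers nothing, so it only shows that autodetection does not fail, not which backend was chosen. The rendered page has lost indentation, so which block each `vars:` and `when:` belongs to is inferred from order.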