mirror of https://github.com/ansible/ansible.git
openssl_dhparam: add cryptography backend (#62991)
* Separate OpenSSL-specific code from generic code.
* Make sure absent works without OpenSSL.
* Add cryptography backend.
* Add tests.
* Add changelog.
* Duplicate disclaimer.
* Add dependency on setup_openssl.
* Forgot to adjust something.
* Fix version tuple.
pull/63146/head
parent
a59b9d4269
commit
24b80848dc
@ -0,0 +1,2 @@
|
||||
minor_changes:
|
||||
- "openssl_dhparam - now supports a ``cryptography``-based backend. Auto-detection can be overwritten with the ``select_crypto_backend`` option."
|
@ -0,0 +1,2 @@
|
||||
dependencies:
|
||||
- setup_openssl
|
@ -0,0 +1,97 @@
|
||||
---
|
||||
# The tests for this module generate unsafe parameters for testing purposes;
|
||||
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
|
||||
- name: "[{{ select_crypto_backend }}] Generate parameter"
|
||||
openssl_dhparam:
|
||||
size: 768
|
||||
path: '{{ output_dir }}/dh768.pem'
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with no change"
|
||||
openssl_dhparam:
|
||||
size: 768
|
||||
path: '{{ output_dir }}/dh768.pem'
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_changed
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Generate parameters with size option"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Don't regenerate parameters with size option and no change"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_changed_512
|
||||
|
||||
- copy:
|
||||
src: '{{ output_dir }}/dh768.pem'
|
||||
remote_src: yes
|
||||
dest: '{{ output_dir }}/dh512.pem'
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Re-generate if size is different"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_changed_to_512
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Force re-generate parameters with size option"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_changed_force
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Create broken params"
|
||||
copy:
|
||||
dest: "{{ output_dir }}/dhbroken.pem"
|
||||
content: "broken"
|
||||
- name: "[{{ select_crypto_backend }}] Regenerate broken params"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dhbroken.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: output_broken
|
||||
|
||||
- name: "[{{ select_crypto_backend }}] Generate params"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
backup: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_backup_1
|
||||
- name: "[{{ select_crypto_backend }}] Generate params (idempotent)"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
backup: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_backup_2
|
||||
- name: "[{{ select_crypto_backend }}] Generate params (change)"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
backup: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_backup_3
|
||||
- name: "[{{ select_crypto_backend }}] Generate params (remove)"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
state: absent
|
||||
backup: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_backup_4
|
||||
- name: "[{{ select_crypto_backend }}] Generate params (remove, idempotent)"
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
state: absent
|
||||
backup: yes
|
||||
select_crypto_backend: "{{ select_crypto_backend }}"
|
||||
register: dhparam_backup_5
|
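Review bot: The task "Regenerate broken params" sets `force: yes`, so the module presumably rewrites dhbroken.pem whatever it contains, and the test never reaches the path where the selected backend has to read an invalid file and decide on its own to regenerate it. That path matters most for the new cryptography backend, where a parse failure should lead to regeneration rather than an unhandled exception or an invalid file left in place. Consider dropping `force: yes` from this task, or adding a second create-then-generate pair without it, and checking `output_broken is changed` in the validation file; that file is not shown on this page, so it may already assert this.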
@ -1,88 +1,38 @@
|
||||
---
|
||||
- block:
|
||||
# This module generates unsafe parameters for testing purposes
|
||||
# otherwise tests would be too slow
|
||||
- name: Generate parameter
|
||||
openssl_dhparam:
|
||||
size: 768
|
||||
path: '{{ output_dir }}/dh768.pem'
|
||||
|
||||
- name: Don't regenerate parameters with no change
|
||||
openssl_dhparam:
|
||||
size: 768
|
||||
path: '{{ output_dir }}/dh768.pem'
|
||||
register: dhparam_changed
|
||||
# The tests for this module generate unsafe parameters for testing purposes;
|
||||
# otherwise tests would be too slow. Use sizes of at least 2048 in production!
|
||||
|
||||
- name: Generate parameters with size option
|
||||
- name: Run module with backend autodetection
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
path: '{{ output_dir }}/dh_backend_selection.pem'
|
||||
size: 512
|
||||
|
||||
- name: Don't regenerate parameters with size option and no change
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
register: dhparam_changed_512
|
||||
- block:
|
||||
- name: Running tests with OpenSSL backend
|
||||
include_tasks: impl.yml
|
||||
|
||||
- copy:
|
||||
src: '{{ output_dir }}/dh768.pem'
|
||||
remote_src: yes
|
||||
dest: '{{ output_dir }}/dh512.pem'
|
||||
- include_tasks: ../tests/validate.yml
|
||||
|
||||
- name: Re-generate if size is different
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
register: dhparam_changed_to_512
|
||||
vars:
|
||||
select_crypto_backend: openssl
|
||||
# when: openssl_version.stdout is version('1.0.0', '>=')
|
||||
|
||||
- name: Force re-generate parameters with size option
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh512.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
register: dhparam_changed_force
|
||||
- name: Remove output directory
|
||||
file:
|
||||
path: "{{ output_dir }}"
|
||||
state: absent
|
||||
|
||||
- name: Create broken params
|
||||
copy:
|
||||
dest: "{{ output_dir }}/dhbroken.pem"
|
||||
content: "broken"
|
||||
- name: Regenerate broken params
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dhbroken.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
register: output_broken
|
||||
- name: Re-create output directory
|
||||
file:
|
||||
path: "{{ output_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: Generate params
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
backup: yes
|
||||
register: dhparam_backup_1
|
||||
- name: Generate params (idempotent)
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
backup: yes
|
||||
register: dhparam_backup_2
|
||||
- name: Generate params (change)
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
size: 512
|
||||
force: yes
|
||||
backup: yes
|
||||
register: dhparam_backup_3
|
||||
- name: Generate params (remove)
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
state: absent
|
||||
backup: yes
|
||||
register: dhparam_backup_4
|
||||
- name: Generate params (remove, idempotent)
|
||||
openssl_dhparam:
|
||||
path: '{{ output_dir }}/dh_backup.pem'
|
||||
state: absent
|
||||
backup: yes
|
||||
register: dhparam_backup_5
|
||||
- block:
|
||||
- name: Running tests with cryptography backend
|
||||
include_tasks: impl.yml
|
||||
|
||||
- include_tasks: ../tests/validate.yml
|
||||
|
||||
- import_tasks: ../tests/validate.yml
|
||||
vars:
|
||||
select_crypto_backend: cryptography
|
||||
when: cryptography_version.stdout is version('2.0', '>=')
|
||||
|
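Review bot: The OpenSSL block carries a commented-out condition, `# when: openssl_version.stdout is version('1.0.0', '>=')`, with nothing explaining why it is disabled, while the cryptography block below is gated on `cryptography_version.stdout is version('2.0', '>=')`. As written the OpenSSL run is unconditional, and a later reader cannot tell whether that is deliberate or a leftover from development. Either delete the line or replace it with a short statement of intent, for example `# No version gate: the OpenSSL backend tests always run.` if that is what is meant. Indentation is lost on this page, so the nesting of `vars:` and the condition under each block could not be checked here.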