luks_device: add basic check mode (#54477)

* Add basic check mode. * One more early exit. * Fix naming. * Check that device is actually an existing device.
6 years ago · bb52390b04
parent 1ed8ed766c
commit bb52390b04
3 changed files with 195 additions and 125 deletions
--- a/lib/ansible/modules/crypto/luks_device.py
+++ b/lib/ansible/modules/crypto/luks_device.py
@ -101,13 +101,6 @@ requirements:
    - "wipefs"
    - "lsblk"
 notes:
    - "This module does not support check mode. The reason being that
      while it is possible to chain several operations together
      (e.g. 'create' and 'open'), the latter usually depends on changes
      to the system done by the previous one. (LUKS cannot be opened,
      when it does not exist.)"
 author:
    "Jan Pokorny (@japokorn)"
 '''
@ -172,7 +165,9 @@ name:
    sample: "luks-c1da9a58-2fde-4256-9d9f-6ab008b4dd1b"
 '''
 import os
 import re
 import stat
 from ansible.module_utils.basic import AnsibleModule
@ -249,7 +244,7 @@ class CryptHandler(Handler):
        return device
    def is_luks(self, device):
-        ''' check if the LUKS device does exist
+        ''' check if the LUKS container does exist
        '''
        result = self._run_command([self._cryptsetup_bin, 'isLuks', device])
        return result[RETURN_CODE] == 0
@ -464,7 +459,16 @@ def run_module():
    )
    module = AnsibleModule(argument_spec=module_args,
-                           supports_check_mode=False)
+                           supports_check_mode=True)
    if module.params['device'] is not None:
        try:
            statinfo = os.stat(module.params['device'])
            mode = statinfo.st_mode
            if not stat.S_ISBLK(mode) and not stat.S_ISCHR(mode):
                raise Exception('{0} is not a device'.format(module.params['device']))
        except Exception as e:
            module.fail_json(msg=str(e))
    crypt = CryptHandler(module)
    conditions = ConditionsHandler(module, crypt)
@ -474,12 +478,15 @@ def run_module():
    # luks create
    if conditions.luks_create():
-        try:
+        if not module.check_mode:
-            crypt.run_luks_create(module.params['device'],
+            try:
-                                  module.params['keyfile'])
+                crypt.run_luks_create(module.params['device'],
-        except ValueError as e:
+                                      module.params['keyfile'])
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # luks open
@ -494,14 +501,17 @@ def run_module():
                name = crypt.generate_luks_name(module.params['device'])
            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
-        try:
+        if not module.check_mode:
-            crypt.run_luks_open(module.params['device'],
+            try:
-                                module.params['keyfile'],
+                crypt.run_luks_open(module.params['device'],
-                                name)
+                                    module.params['keyfile'],
-        except ValueError as e:
+                                    name)
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['name'] = name
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # luks close
    if conditions.luks_close():
@ -513,39 +523,51 @@ def run_module():
                module.fail_json(msg="luks_device error: %s" % e)
        else:
            name = module.params['name']
-        try:
+        if not module.check_mode:
-            crypt.run_luks_close(name)
+            try:
-        except ValueError as e:
+                crypt.run_luks_close(name)
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # luks add key
    if conditions.luks_add_key():
-        try:
+        if not module.check_mode:
-            crypt.run_luks_add_key(module.params['device'],
+            try:
-                                   module.params['keyfile'],
+                crypt.run_luks_add_key(module.params['device'],
-                                   module.params['new_keyfile'])
+                                       module.params['keyfile'],
-        except ValueError as e:
+                                       module.params['new_keyfile'])
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # luks remove key
    if conditions.luks_remove_key():
-        try:
+        if not module.check_mode:
-            crypt.run_luks_remove_key(module.params['device'],
+            try:
-                                      module.params['remove_keyfile'],
+                crypt.run_luks_remove_key(module.params['device'],
-                                      force_remove_last_key=module.params['force_remove_last_key'])
+                                          module.params['remove_keyfile'],
-        except ValueError as e:
+                                          force_remove_last_key=module.params['force_remove_last_key'])
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # luks remove
    if conditions.luks_remove():
-        try:
+        if not module.check_mode:
-            crypt.run_luks_remove(module.params['device'])
+            try:
-        except ValueError as e:
+                crypt.run_luks_remove(module.params['device'])
-            module.fail_json(msg="luks_device error: %s" % e)
+            except ValueError as e:
                module.fail_json(msg="luks_device error: %s" % e)
        result['changed'] = True
        if module.check_mode:
            module.exit_json(**result)
    # Success - return result
    module.exit_json(**result)
--- a/test/integration/targets/luks_device/tasks/tests/create-destroy.yml
+++ b/test/integration/targets/luks_device/tasks/tests/create-destroy.yml
@ -1,12 +1,12 @@
 ---
-#- name: Create (check)
+- name: Create (check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: present
+    state: present
-#    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ role_path }}/files/keyfile1"
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: create_check
+  register: create_check
 - name: Create
  luks_device:
    device: "{{ cryptfile_device }}"
@ -21,29 +21,29 @@
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
  register: create_idem
-#- name: Create (idempotent, check)
+- name: Create (idempotent, check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: present
+    state: present
-#    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ role_path }}/files/keyfile1"
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: create_idem_check
+  register: create_idem_check
 - assert:
    that:
-    #- create_check is changed
+    - create_check is changed
    - create is changed
    - create_idem is not changed
-    #- create_idem_check is not changed
+    - create_idem_check is not changed
-#- name: Open (check)
+- name: Open (check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: opened
+    state: opened
-#    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ role_path }}/files/keyfile1"
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: open_check
+  register: open_check
 - name: Open
  luks_device:
    device: "{{ cryptfile_device }}"
@ -58,28 +58,28 @@
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
  register: open_idem
-#- name: Open (idempotent, check)
+- name: Open (idempotent, check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: opened
+    state: opened
-#    keyfile: "{{ role_path }}/files/keyfile1"
+    keyfile: "{{ role_path }}/files/keyfile1"
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: open_idem_check
+  register: open_idem_check
 - assert:
    that:
-    #- open_check is changed
+    - open_check is changed
    - open is changed
    - open_idem is not changed
-    #- open_idem_check is not changed
+    - open_idem_check is not changed
-#- name: Closed (via name, check)
+- name: Closed (via name, check)
-#  luks_device:
+  luks_device:
-#    name: "{{ open.name }}"
+    name: "{{ open.name }}"
-#    state: closed
+    state: closed
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: close_check
+  register: close_check
 - name: Closed (via name)
  luks_device:
    name: "{{ open.name }}"
@ -92,19 +92,19 @@
    state: closed
  become: yes
  register: close_idem
-#- name: Closed (via name, idempotent, check)
+- name: Closed (via name, idempotent, check)
-#  luks_device:
+  luks_device:
-#    name: "{{ open.name }}"
+    name: "{{ open.name }}"
-#    state: closed
+    state: closed
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: close_idem_check
+  register: close_idem_check
 - assert:
    that:
-    #- close_check is changed
+    - close_check is changed
    - close is changed
    - close_idem is not changed
-    #- close_idem_check is not changed
+    - close_idem_check is not changed
 - name: Re-open
  luks_device:
@ -113,13 +113,13 @@
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
-#- name: Closed (via device, check)
+- name: Closed (via device, check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: closed
+    state: closed
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: close_check
+  register: close_check
 - name: Closed (via device)
  luks_device:
    device: "{{ cryptfile_device }}"
@ -132,20 +132,20 @@
    state: closed
  become: yes
  register: close_idem
-#- name: Closed (via device, idempotent, check)
+- name: Closed (via device, idempotent, check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: closed
+    state: closed
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: close_idem_check
+  register: close_idem_check
 - assert:
    that:
-    #- close_check is changed
+    - close_check is changed
    - close is changed
    - close_idem is not changed
-    #- close_idem_check is not changed
+    - close_idem_check is not changed
-  
+
 - name: Re-opened
  luks_device:
    device: "{{ cryptfile_device }}"
@ -153,13 +153,13 @@
    keyfile: "{{ role_path }}/files/keyfile1"
  become: yes
-#- name: Absent (check)
+- name: Absent (check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: absent
+    state: absent
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: absent_check
+  register: absent_check
 - name: Absent
  luks_device:
    device: "{{ cryptfile_device }}"
@ -172,16 +172,16 @@
    state: absent
  become: yes
  register: absent_idem
-#- name: Absent (idempotence, check)
+- name: Absent (idempotence, check)
-#  luks_device:
+  luks_device:
-#    device: "{{ cryptfile_device }}"
+    device: "{{ cryptfile_device }}"
-#    state: absent
+    state: absent
-#  check_mode: yes
+  check_mode: yes
-#  become: yes
+  become: yes
-#  register: absent_idem_check
+  register: absent_idem_check
 - assert:
    that:
-    #- absent_check is changed
+    - absent_check is changed
    - absent is changed
    - absent_idem is not changed
-    #- absent_idem_check is not changed
+    - absent_idem_check is not changed
--- a/test/integration/targets/luks_device/tasks/tests/device-check.yml
+++ b/test/integration/targets/luks_device/tasks/tests/device-check.yml
@ -0,0 +1,48 @@
 ---
 - name: Create with invalid device name (check)
  luks_device:
    device: /dev/asdfasdfasdf
    state: present
    keyfile: "{{ role_path }}/files/keyfile1"
  check_mode: yes
  ignore_errors: yes
  become: yes
  register: create_check
 - name: Create with invalid device name
  luks_device:
    device: /dev/asdfasdfasdf
    state: present
    keyfile: "{{ role_path }}/files/keyfile1"
  ignore_errors: yes
  become: yes
  register: create
 - assert:
    that:
      - create_check is failed
      - create is failed
      - "'o such file or directory' in create_check.msg"
      - "'o such file or directory' in create.msg"
 - name: Create with something which is not a device (check)
  luks_device:
    device: /tmp/
    state: present
    keyfile: "{{ role_path }}/files/keyfile1"
  check_mode: yes
  ignore_errors: yes
  become: yes
  register: create_check
 - name: Create with something which is not a device
  luks_device:
    device: /tmp/
    state: present
    keyfile: "{{ role_path }}/files/keyfile1"
  ignore_errors: yes
  become: yes
  register: create
 - assert:
    that:
      - create_check is failed
      - create is failed
      - "'is not a device' in create_check.msg"
      - "'is not a device' in create.msg"