[backport][stable-2.14] 🧪 Replace GitHub SVN integration test with local TLS (#82370)

* [backport][stable-2.14] 🧪 Replace GitHub SVN integration test with local TLS

PR #82334

* Run svn integration test locally with TLS

This patch uses `trustme` to make an ephemeral CA together with server and
client TLS artifacts for testing. These are integrated into the Apache
web server via its `mod_ssl`.

Resolves #82207

* Replace GitHub SVN HTTPS URL w/ localhost over TLS

This change gets rid of the need to use GitHub, which is just about to
drop support for SVN [[1]]. Moreover, it eliminates the need to use
external network for any SVN commands in the test.

[1]: https://github.blog/2023-01-20-sunsetting-subversion-support/

(cherry picked from commit dd0138ba21)

* Implement compat w/ opensuse15, centos7 & rhel7/8
Sviatoslav Sydorenko 12 months ago committed by GitHub
parent 865be9a4b7
commit cf15cd7d44

@ -3,8 +3,7 @@ apache_port: 11386 # cannot use 80 as httptester overrides this
subversion_test_dir: /tmp/ansible-svn-test-dir subversion_test_dir: /tmp/ansible-svn-test-dir
subversion_server_dir: /tmp/ansible-svn # cannot use a path in the home dir without userdir or granting exec permission to the apache user subversion_server_dir: /tmp/ansible-svn # cannot use a path in the home dir without userdir or granting exec permission to the apache user
subversion_repo_name: ansible-test-repo subversion_repo_name: ansible-test-repo
subversion_repo_url: http://127.0.0.1:{{ apache_port }}/svn/{{ subversion_repo_name }} subversion_repo_url: https://localhost:{{ apache_port }}/svn/{{ subversion_repo_name }} # svn can't verify TLS certificates against IP addresses
subversion_repo_auth_url: http://127.0.0.1:{{ apache_port }}/svnauth/{{ subversion_repo_name }} subversion_repo_auth_url: https://localhost:{{ apache_port }}/svnauth/{{ subversion_repo_name }}
subversion_username: subsvn_user''' subversion_username: subsvn_user'''
subversion_password: Password123! subversion_password: Password123!
subversion_external_repo_url: https://github.com/ansible/ansible.github.com # GitHub serves SVN

@ -33,6 +33,60 @@
include_tasks: setup_selinux.yml include_tasks: setup_selinux.yml
when: ansible_selinux.status == "enabled" when: ansible_selinux.status == "enabled"
- name: Generate CA and TLS certificates via trustme
vars:
venv_path: >-
{{ subversion_server_dir }}/.venv
venv_python: >-
{{ subversion_server_dir }}/.venv/bin/python
block:
- name: trustme -- provision a venv
command: >-
{{ ansible_python_interpreter }}
-{% if ansible_python.version.major != 2 %}I{% endif %}m
{% if ansible_python.version.major != 2 %}venv{%
else %}virtualenv{% endif %}
{{ venv_path }}
- name: trustme -- upgrade pip in venv | RHEL 7.9 & 8.8+py36
when: >- # these don't know how to notice `cryptography` wheels
ansible_distribution == 'RedHat'
and ansible_distribution_major_version | int < 9
pip:
name: pip
state: latest
virtualenv: >-
{{ venv_path }}
- name: trustme -- install tool
pip:
name: trustme
virtualenv: >-
{{ venv_path }}
- name: trustme -- generate CA and TLS certs
command:
argv:
- >-
{{ venv_python }}
- -{%- if ansible_python.version.major != 2 -%}I{%- endif -%}m
- trustme
- --dir={{ subversion_server_dir }}
- name: symlink trustme certificates into apache config dir - Red Hat
when: ansible_os_family in ['RedHat']
# when: ansible_distribution in ['Fedora', 'RedHat']
file:
src: /tmp/ansible-svn/server.{{ item.trustme_filetype }}
dest: /etc/pki/tls/{{ item.apache_target_path }}
state: link
force: yes # Othewise Apache on CentOS 7 uses its own fake certificate
loop:
- apache_target_path: certs/localhost.crt
trustme_filetype: pem
- apache_target_path: certs/server-chain.crt
trustme_filetype: pem
- apache_target_path: private/localhost.key
trustme_filetype: key
- name: template out configuration file - name: template out configuration file
template: template:
src: subversion.conf.j2 src: subversion.conf.j2
@ -66,3 +120,14 @@
async: 3600 # We kill apache manually in the clean up phase async: 3600 # We kill apache manually in the clean up phase
poll: 0 poll: 0
when: ansible_os_family in ['RedHat'] when: ansible_os_family in ['RedHat']
- lineinfile:
dest: >-
{{ ansible_env.HOME }}/.subversion/servers
regexp: >-
^#\s*ssl-authority-files\s*=\s*
line: >-
ssl-authority-files = {{ subversion_server_dir }}/client.pem
insertafter: >-
^\[global\]
state: present
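Review bot: The symlink source in the "symlink trustme certificates into apache config dir - Red Hat" task hard-codes `/tmp/ansible-svn/server.{{ item.trustme_filetype }}`, while the trustme task just above writes the files to `--dir={{ subversion_server_dir }}`; the two only agree through the default value of that variable, and overriding it would leave Apache with dangling links (or with the stock CentOS certificate the `force: yes` comment is there to avoid). Change it to `src: "{{ subversion_server_dir }}/server.{{ item.trustme_filetype }}"`, and while there write `force: true` rather than `force: yes`. In the second hunk, `lineinfile` with `state: present` does not create `~/.subversion/servers`; unless an svn client run earlier in this file (not visible here) has already produced it, the task fails instead of recording the CA path, so either add `create: true` or document the ordering assumption with `# ~/.subversion/servers must already exist (the svn client writes it on first run)`.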

@ -18,10 +18,11 @@
# checks out every branch so using a small repo # checks out every branch so using a small repo
- name: initial checkout - name: initial checkout with validate_certs=true
subversion: subversion:
repo: '{{ subversion_repo_url }}' repo: '{{ subversion_repo_url }}'
dest: '{{ subversion_test_dir }}/svn' dest: '{{ subversion_test_dir }}/svn'
validate_certs: yes
register: subverted register: subverted
- name: check if dir was checked out - name: check if dir was checked out
@ -130,16 +131,27 @@
- "export_branches.stat.isdir" - "export_branches.stat.isdir"
- "subverted4.changed" - "subverted4.changed"
- name: clone a small external repo with validate_certs=true - name: unconfigure client-side TLS trust
subversion: block:
repo: "{{ subversion_external_repo_url }}" - name: remove TLS CA chain file path from the SVN config
dest: "{{ subversion_test_dir }}/svn-external1" lineinfile:
validate_certs: yes dest: >-
{{ ansible_env.HOME }}/.subversion/servers
regexp: >-
^(?:#)?\s*ssl-authority-files\s*=\s*
state: absent
- name: drop the client TLS CA chain file
file:
path: >-
{{ subversion_server_dir }}/client.pem
state: absent
- name: clone a small external repo with validate_certs=false - name: >-
clone a HTTPS-accessible repo with validate_certs=false
and untrusted CA over TLS
subversion: subversion:
repo: "{{ subversion_external_repo_url }}" repo: '{{ subversion_repo_url }}'
dest: "{{ subversion_test_dir }}/svn-external2" dest: '{{ subversion_test_dir }}/svn-untrusted-tls'
validate_certs: no validate_certs: no
# TBA: test for additional options or URL variants welcome # TBA: test for additional options or URL variants welcome
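Review bot: The rewritten TLS tests only show that a trusted CA succeeds and that `validate_certs: no` succeeds once trust has been removed; nothing checks that verification is actually enforced, so a module build that ignored `validate_certs`, or an svn client that had cached the server certificate as trusted, would pass both cases. Add a negative case directly after "unconfigure client-side TLS trust" that performs the same checkout with `validate_certs: yes`, registers the result with `ignore_errors`, and asserts it failed. Presumably placing it before the permissive checkout also avoids any chance of that run leaving the certificate in `~/.subversion/auth/` — confirm against the svn version in the test matrix. The `yes`/`no` booleans match the rest of this file, though `true`/`false` is what yamllint's truthy rule expects.
```yaml
- name: unconfigure client-side TLS trust
  # … unchanged: lineinfile and client.pem removal …
- name: checkout with validate_certs=true and an untrusted CA must fail
  subversion:
    repo: '{{ subversion_repo_url }}'
    dest: '{{ subversion_test_dir }}/svn-untrusted-tls-strict'
    validate_certs: yes
  register: untrusted_strict
  ignore_errors: yes
- name: verify the untrusted-CA checkout was rejected
  assert:
    that:
      - untrusted_strict is failed
# … unchanged: clone with validate_certs=false and untrusted CA over TLS …
```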

@ -19,6 +19,7 @@ LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent LogFormat "%{User-agent}i" agent
Include mods-available/ssl.load
IncludeOptional mods-enabled/*.load IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf IncludeOptional mods-enabled/*.conf
IncludeOptional conf-enabled/*.conf IncludeOptional conf-enabled/*.conf
@ -32,6 +33,7 @@ IncludeOptional sites-enabled/*conf
{% elif ansible_os_family == "FreeBSD" %} {% elif ansible_os_family == "FreeBSD" %}
Include /usr/local/etc/apache24/httpd.conf Include /usr/local/etc/apache24/httpd.conf
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule dav_module libexec/apache24/mod_dav.so LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule dav_svn_module libexec/apache24/mod_dav_svn.so LoadModule dav_svn_module libexec/apache24/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache24/mod_authz_svn.so LoadModule authz_svn_module libexec/apache24/mod_authz_svn.so
@ -48,7 +50,14 @@ Include /etc/httpd/conf/httpd.conf
{% endif %} {% endif %}
PidFile {{ subversion_server_dir }}/apache.pid PidFile {{ subversion_server_dir }}/apache.pid
Listen 127.0.0.1:{{ apache_port }} Listen 127.0.0.1:{{ apache_port }} https
{% if ansible_distribution not in ["Alpine", "CentOS", "Fedora", "openSUSE Leap", "Ubuntu"] %}
Listen [::1]:{{ apache_port }} https
{% endif %}
SSLEngine on
SSLCertificateFile {{ subversion_server_dir }}/server.pem
SSLCertificateKeyFile {{ subversion_server_dir }}/server.key
SSLCertificateChainFile {{ subversion_server_dir }}/server.pem
ErrorLog {{ subversion_server_dir }}/apache2-error.log ErrorLog {{ subversion_server_dir }}/apache2-error.log
<Location /svn> <Location /svn>
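Review bot: `SSLCertificateChainFile` on the last added line points at the same `server.pem` already given to `SSLCertificateFile`, so it adds nothing, and the directive has been deprecated since httpd 2.4.8, where intermediates are read from `SSLCertificateFile` itself; drop the line, or if an older 2.4 build in the matrix still needs it, keep it with `# deprecated since httpd 2.4.8 (chain now read from SSLCertificateFile); kept for older mod_ssl` so nobody later points it at a different bundle by mistake. A second, hedged concern is the distribution list that suppresses the `[::1]` listener: the repo URL now uses `localhost`, and on a host where that name resolves to `::1` first the client has to fall back to 127.0.0.1, which svn's HTTP layer may or may not do — a comment on the `{% if %}` line stating why those distributions are excluded would help whoever next sees a connection refused there. No `SSLProtocol` or cipher directives are set, which is acceptable for an ephemeral loopback test but deserves a one-line comment saying so.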

@ -5,5 +5,6 @@ subversion_packages:
- apache2-webdav - apache2-webdav
- apache2-utils - apache2-utils
- apache2-ctl - apache2-ctl
- apache2-ssl
apache_user: apache apache_user: apache
apache_group: apache apache_group: apache

@ -1,6 +1,7 @@
--- ---
subversion_packages: subversion_packages:
- mod_dav_svn - mod_dav_svn
- mod_ssl
- subversion - subversion
upgrade_packages: upgrade_packages:
# prevent sqlite from being out-of-sync with the version subversion was compiled with # prevent sqlite from being out-of-sync with the version subversion was compiled with

@ -1,5 +1,7 @@
--- ---
subversion_packages: subversion_packages:
- apache2 # /usr/sbin/apachectl
- apache2-utils # htpasswd
- subversion - subversion
- libapache2-mod-svn - libapache2-mod-svn
apache_user: www-data apache_user: www-data
