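---
#
# Save initial state
#
# Snapshot the gpg-pubkey packages present before the tests run so the
# cleanup section can put the host's RPM trust store back as it was.
- name: Retrieve a list of gpg keys are installed for package checking
  shell: 'rpm -q gpg-pubkey | sort'
  register: list_of_pubkeys

# %{description} of a gpg-pubkey package is the ASCII-armored key itself,
# which is what rpm --import needs later.
- name: Retrieve the gpg keys used to verify packages
  command: 'rpm -q --qf %{description} gpg-pubkey'
  register: pubkeys

- name: Save gpg keys to a file
  copy:
    content: "{{ pubkeys['stdout'] }}\n"
    dest: '{{ remote_tmp_dir }}/pubkeys'
    # Quoted so the mode is passed as the string 0600 and never read by a
    # YAML 1.1 loader as the octal integer 384.
    mode: '0600'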
#
# Tests start
#
# Fetch the EPEL-7 signing key and a package signed with it from the CI
# file server. NOTE(review): neither get_url carries a checksum, so the
# fixtures are not pinned; every signature assertion below depends on
# these two files arriving intact.
- name: download EPEL GPG key
  get_url:
    url: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7'
    dest: '/tmp/RPM-GPG-KEY-EPEL-7'

- name: download sl rpm
  get_url:
    url: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/sl-5.02-1.el7.x86_64.rpm'
    dest: '/tmp/sl.rpm'
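# With the EPEL key absent from the keyring, rpm cannot validate the
# signature on the sl package.
- name: remove EPEL GPG key from keyring
  rpm_key:
    state: absent
    key: /tmp/RPM-GPG-KEY-EPEL-7

- name: check GPG signature of sl. Should fail
  shell: "rpm --checksig /tmp/sl.rpm"
  register: sl_check
  # true rather than yes: YAML 1.1 and 1.2 loaders disagree on yes/no.
  ignore_errors: true

- name: confirm that signature check failed
  assert:
    that:
      # Either message form counts as a rejected signature.
      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
      - "sl_check.failed"

# Removing an already-absent key must report no change.
- name: remove EPEL GPG key from keyring (idempotent)
  rpm_key:
    state: absent
    key: /tmp/RPM-GPG-KEY-EPEL-7
  register: idempotent_test

- name: check idempotence
  assert:
    that: "not idempotent_test.changed"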
# Import the key from the downloaded file, check that a second import is a
# no-op, and confirm the sl package now verifies.
- name: add EPEL GPG key to key ring
  rpm_key:
    state: present
    key: '/tmp/RPM-GPG-KEY-EPEL-7'

- name: add EPEL GPG key to key ring (idempotent)
  rpm_key:
    state: present
    key: '/tmp/RPM-GPG-KEY-EPEL-7'
  register: key_idempotence

- name: verify idempotence
  assert:
    that:
      - not key_idempotence.changed

- name: check GPG signature of sl. Should return okay
  shell: 'rpm --checksig /tmp/sl.rpm'
  register: sl_check

- name: confirm that signature check succeeded
  assert:
    that:
      # Two output formats are accepted for a verified signature.
      - "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"
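# The same remove/add cycle, this time with the key given as a URL rather
# than a local file.
- name: remove GPG key from url
  rpm_key:
    state: absent
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: Confirm key is missing
  shell: "rpm --checksig /tmp/sl.rpm"
  register: sl_check
  # true rather than yes: YAML 1.1 and 1.2 loaders disagree on yes/no.
  ignore_errors: true

- name: confirm that signature check failed
  assert:
    that:
      - "'MISSING KEYS' in sl_check.stdout or 'SIGNATURES NOT OK' in sl_check.stdout"
      - "sl_check.failed"

# NOTE(review): no fingerprint is supplied here, so the key is trusted on
# the strength of the HTTPS fetch alone; fingerprint pinning is exercised
# by the Issue 20325 tasks further down.
- name: add GPG key from url
  rpm_key:
    state: present
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: check GPG signature of sl. Should return okay
  shell: "rpm --checksig /tmp/sl.rpm"
  register: sl_check

- name: confirm that signature check succeeded
  assert:
    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"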
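# Start from an empty keyring so the key added next is the only one present.
# Precondition: at least one gpg-pubkey package is installed (the previous
# task imported one); with none installed this pipeline would most likely
# fail, since xargs would hand rpm -e the "not installed" message.
- name: remove all keys from key ring
  shell: "rpm -q gpg-pubkey | xargs rpm -e"

- name: add very first key on system
  rpm_key:
    state: present
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7

- name: check GPG signature of sl. Should return okay
  shell: "rpm --checksig /tmp/sl.rpm"
  register: sl_check

- name: confirm that signature check succeeded
  assert:
    that: "'rsa sha1 (md5) pgp md5 OK' in sl_check.stdout or 'digests signatures OK' in sl_check.stdout"

# The key id is read from the %{version} field of the first gpg-pubkey
# package; there is exactly one at this point.
- name: get keyid
  shell: "rpm -q gpg-pubkey | head -n 1 | xargs rpm -q --qf %{version}"
  register: key_id

- name: remove GPG key using keyid
  rpm_key:
    state: absent
    key: "{{ key_id.stdout }}"
  register: remove_keyid
  # Removal by id must actually remove something. 'not x.changed' is the
  # idiomatic Jinja form of the former 'x.changed == false' comparison.
  failed_when: not remove_keyid.changed

- name: remove GPG key using keyid (idempotent)
  rpm_key:
    state: absent
    key: "{{ key_id.stdout }}"
  register: key_id_idempotence

- name: verify idempotent (key_id)
  assert:
    that: "not key_id_idempotence.changed"

# Re-import so the fingerprint tests below start with a populated keyring.
- name: add very first key on system again
  rpm_key:
    state: present
    key: https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY-EPEL-7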
# Issue 20325: a supplied fingerprint must match the key or the import is
# refused. The first task is expected to fail inside the module, so
# failed_when inverts the verdict: the task itself fails only if the bogus
# fingerprint is accepted.
- name: Issue 20325 - Verify fingerprint of key, invalid fingerprint - EXPECTED FAILURE
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint: '1111 1111 1111 1111 1111 1111 1111 1111 1111 1111'
  register: result
  failed_when: result is success

# Once failed_when has been applied the registered result reads as success,
# while the module message still carries the mismatch text.
- name: Issue 20325 - Assert Verify fingerprint of key, invalid fingerprint
  assert:
    that:
      - result is success
      - result is not changed
      - "'does not match any key fingerprints' in result.msg"

- name: Issue 20325 - Verify fingerprint of key, valid fingerprint
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint: 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint
  assert:
    that:
      - result is success
      - result is changed

- name: Issue 20325 - Verify fingerprint of key, valid fingerprint - Idempotent check
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint: 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Issue 20325 - Assert Verify fingerprint of key, valid fingerprint - Idempotent check
  assert:
    that:
      - result is success
      - result is not changed
# Reset to test subkey validation
- name: remove all keys from key ring
  shell: 'rpm -q gpg-pubkey | xargs rpm -e'

# The fingerprint given here is the subkey's, not the primary key's; the
# module must still accept it as a match for RPM-GPG-KEY.dag.
- name: Verify fingerprint of subkey, valid fingerprint
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint: '19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86'
  register: result

- name: Assert Verify fingerprint of key, valid fingerprint
  assert:
    that:
      - result is success
      - result is changed

- name: Verify fingerprint of subkey, valid fingerprint - Idempotent check
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint: '19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86'
  register: result

- name: Assert Verify fingerprint of subkey, valid fingerprint - Idempotent check
  assert:
    that:
      - result is success
      - result is not changed
# Reset to test multi-key validation
- name: remove all keys from key ring
  shell: 'rpm -q gpg-pubkey | xargs rpm -e'

# fingerprint accepts a list: both the subkey and primary-key fingerprints
# of RPM-GPG-KEY.dag are supplied together.
- name: Verify fingerprint of primary and subkey, valid fingerprint
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint:
      - '19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86'
      - 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Assert Verify fingerprint of primary and subkey, valid fingerprint
  assert:
    that:
      - result is success
      - result is changed

- name: Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
  rpm_key:
    key: 'https://ci-files.testing.ansible.com/test/integration/targets/rpm_key/RPM-GPG-KEY.dag'
    fingerprint:
      - '19B7 913E 6284 8E3F 4D78 D6B4 ECD9 1AB2 2EB6 8D86'
      - 'EBC6 E12C 62B1 C734 026B 2122 A20E 5214 6B8D 79E6'
  register: result

- name: Assert Verify fingerprint of primary and subkey, valid fingerprint - Idempotent check
  assert:
    that:
      - result is success
      - result is not changed
#
# Cleanup
#
# NOTE(review): these are plain list entries, not an always: section, so a
# failing task anywhere above skips the restore and leaves the host's
# keyring in whatever state the test reached.
- name: remove all keys from key ring
  shell: 'rpm -q gpg-pubkey | xargs rpm -e'

# Re-import the keys captured in the "Save initial state" section.
- name: Restore the gpg keys normally installed on the system
  command: "rpm --import {{ remote_tmp_dir }}/pubkeys"

- name: Retrieve a list of gpg keys are installed for package checking
  shell: 'rpm -q gpg-pubkey | sort'
  register: new_list_of_pubkeys

# The sorted package list must match the snapshot taken before the tests.
- name: Confirm that we've restored all the pubkeys
  assert:
    that:
      - list_of_pubkeys.stdout == new_list_of_pubkeys.stdout