diff --git a/tests/vault/env_cleanup.yml b/tests/vault/env_cleanup.yml new file mode 100644 index 0000000000000000000000000000000000000000..081a9d96460e24db37d45d8ff535ef4006d7040a --- /dev/null +++ b/tests/vault/env_cleanup.yml @@ -0,0 +1,64 @@ +# Tasks executed to clean up test environment for Vault module. + + - name: Ensure user vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - stdvault + - symvault + - asymvault + username: "{{username}}" + state: absent + loop: + - admin + - user01 + loop_control: + loop_var: username + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - sharedvault + - svcvault + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + state: absent + + - name: Remove password file from target host. + file: + path: "{{ ansible_env.HOME }}/password.txt" + state: absent + + - name: Remove public key file from target host. + file: + path: "{{ ansible_env.HOME }}/public.pem" + state: absent + + - name: Remove private key file from target host. + file: + path: "{{ ansible_env.HOME }}/private.pem" + state: absent + + - name: Remove output data file from target host. + file: + path: "{{ ansible_env.HOME }}/data.txt" + state: absent + + - name: Remove input data file from target host. + file: + path: "{{ ansible_env.HOME }}/in.txt" + state: absent diff --git a/tests/vault/env_setup.yml b/tests/vault/env_setup.yml new file mode 100644 index 0000000000000000000000000000000000000000..a8437b86053c1bec6e204ac64e60b58451c0b0d2 --- /dev/null +++ b/tests/vault/env_setup.yml @@ -0,0 +1,55 @@ +# Tasks executed to ensure a sane environment to test IPA Vault module. + + - name: Create private key file. + shell: + cmd: openssl genrsa -out private.pem 2048 + delegate_to: localhost + become: no + + - name: Create public key file. + shell: + cmd: openssl rsa -in private.pem -outform PEM -pubout -out public.pem + delegate_to: localhost + become: no + + - name: Ensure environment is clean. + import_tasks: env_cleanup.yml + + - name: Copy password file to target host. + copy: + src: "{{ playbook_dir }}/password.txt" + dest: "{{ ansible_env.HOME }}/password.txt" + + - name: Copy public key file to target host. + copy: + src: "{{ playbook_dir }}/public.pem" + dest: "{{ ansible_env.HOME }}/public.pem" + + - name: Copy private key file to target host. + copy: + src: "{{ playbook_dir }}/private.pem" + dest: "{{ ansible_env.HOME }}/private.pem" + + - name: Copy input data file to target host. + copy: + src: "{{ playbook_dir }}/in.txt" + dest: "{{ ansible_env.HOME }}/in.txt" + + - name: Ensure vaultgroup exists. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + + - name: Ensure testing users exist. + ipauser: + ipaadmin_password: SomeADMINpassword + users: + - name: user01 + first: First + last: Start + - name: user02 + first: Second + last: Middle + - name: user03 + first: Third + last: Last diff --git a/tests/vault/private.pem b/tests/vault/private.pem deleted file mode 100644 index 0ac895b9252a4293d19fe59f7ac4764745188609..0000000000000000000000000000000000000000 --- a/tests/vault/private.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArM5/f6dd/YIm/a9eoGVTW8jobEgrf9PXRA3aHsA7kJo6fB18 -HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJeqXESZ+gVCVmigRzmKWK2ad9agmY -SiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGsZIDG+WVES5W89K+L0bwVjq4tshhe -DMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4fh0fGk5tbIYa0bhwMUpL+WHOm6nbd -+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZkUmk3apMnzknNaTqguAQdTn79G8P -qrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJdwIDAQABAoIBAA6e9iit14UAgx4J -vX7is9fbOtcWkB+jo94NMfxSFXgZpIMl139oQMqK97KjxsHqAaDVe7mMLH5EP96J -7M3O5g4rgl0cVWtpMrDQyZsLvqDFzBWxtCHqVPAruumUZhsSJ3lROQro8ag/w5bf -5tC5ogVq4+rsB4hBphgp1jGrsUM+E8O7DXXFH68F8WgBi725WvcjnbI9irkb0Gcq -1bCPJwN3fA1i2VWiRwVYWbNTWnDoNM9ZdYYxK0kuUkD+QtreycWPf9V49lvUi1Vp -FVNmBUDvGK3K1MwbgXRwOXhacY7Ptjkdvaeb2Qcu5RjTkruGhzUYsOP3p/cw+wKV -vzQqceECgYEA5Wz7V2SlRa2r//z+ETQkJfENJ0KDnCb0pMClCQh3jTNPA6DbhiMk -FTkcoNbqcpTiVSlvhh6TKscSgqYQUjQ/OqyG7SkjKVjQ72j5beQLxiLTtUyj1OmP -Xh9cWJXx8iQ+45cPon+kMOAIiTwiB3mmFRfQjIGve1DPUo9J+NZ4XdECgYEAwNKg -OdGYxxKtCrXVz1mdg6PDlV8qh7nxxZbPch+aMIQl1+oTCgSiw8oOYEd8g0HOdV6t -1G+IWhvPxiiWy3/AE0QhgoKk2GUsSjWSMLcJbaUzDoEHFjTLjecRlqdzo7qxRXqB -meN4L5WJYKnLC482K7hvufS+uo5fB5qwPmt13McCgYAe4TVPRP+tyjttYCr+O8tl -w/UmRKCcQu4Iwtkzxwz4V2CaN2t0uYQgyygcSfESbRGtrr8RCUp7poHKTfnCZr/f -8NrUTwYpiYfNwY5ZCSnAiG2AaIlgnfMrEwOF9OC028YPMgTrtUxvO6hKeGqIIQqG -qkbqsoXhDjZpgVnOgWeAEQKBgGuiZ0w/IqAlXbC31fUb2iBMfvXXnJ8M/dfFGmFj -IKfqbFF9WUljUxQlqya1YNzIFB5STohiBeP+2FmN+Lb5xdc7VdVLZgdhWnrGMqe8 -1Kd+6uQyxCjyKZo5nQjSymtf4GqfOs8TOdieCYSK40u9koiPONa9tuXeaU+OWslN -JQqrAoGBAJ3MKOvsnQzuZVP2vz0ZqLwIE3XjRiFGveVpizq4hwOVeuNsV08JvA0t -pueNIy9klPScFc9OUdiZWkEX09BwJkVIrOHotuSB8AStO5UAntNnuyWLJEFC4Uq4 -GpB8lbj9jkxSKaU7X3Gac23K9JL8euLh7E7rPuZRYa6mYN4nbKqu ------END RSA PRIVATE KEY----- diff --git a/tests/vault/public.pem b/tests/vault/public.pem deleted file mode 100644 index d8a9f71bf194a0ce9ca48ca54d7cb9e8477e2434..0000000000000000000000000000000000000000 --- a/tests/vault/public.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArM5/f6dd/YIm/a9eoGVT -W8jobEgrf9PXRA3aHsA7kJo6fB18HD4+RVUwx/lqlkPYbUi9bXV/rJAkUwAEDOnJ -eqXESZ+gVCVmigRzmKWK2ad9agmYSiqyyNxFIJvZAo0dG4CAWjYK27tLg4Ih6oGs -ZIDG+WVES5W89K+L0bwVjq4tshheDMO57unvmIKEmaBE0ewPfvkdZh5k8Gts9H4f -h0fGk5tbIYa0bhwMUpL+WHOm6nbd+n7BbaVc820TgZDO/rSYtnuXaIc6Wx0U9LXZ -kUmk3apMnzknNaTqguAQdTn79G8PqrGqmyWd/E1cH2b5jzIxiGo8psL5sxWVY7WJ -dwIDAQAB ------END PUBLIC KEY----- diff --git a/tests/vault/tasks_vault_members.yml b/tests/vault/tasks_vault_members.yml new file mode 100644 index 0000000000000000000000000000000000000000..12332ff1897c2a21318e0fc69d0c67faef86ab76 --- /dev/null +++ b/tests/vault/tasks_vault_members.yml @@ -0,0 +1,318 @@ +--- +# Tasks to test member management for Vault module. + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_type: "{{vault.vault_type}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'standard' + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_password: SomeVAULTpassword + vault_type: "{{vault.vault_type}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'symmetric' + + - name: Ensure vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + vault_type: "{{vault.vault_type}}" + public_key: "{{lookup('file', 'private.pem') | b64encode}}" + register: result + failed_when: not result.changed + when: vault.vault_type == 'asymmetric' + + - name: Ensure vault member user is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure more vault member users are present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is still present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure vault users are absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault users are absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + - user02 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault user is absent, once more. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + users: + - admin + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member group is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault member group is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + register: result + failed_when: result.changed + + - name: Ensure vault member group is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member group is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + groups: vaultgroup + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member service is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: not result.changed + + - name: Ensure vault member service is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: result.changed + + - name: Ensure vault member service is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member service is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: result.changed + + - name: Ensure user03 is an owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is an owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 is not owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is not owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + owners: user03 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure vaultgroup is an ownergroup of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is an ownergroup of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + action: member + register: result + failed_when: result.changed + + - name: Ensure vaultgroup is not ownergroup of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is not ownergroup of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure service is an owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure service is an owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure service is not owner of vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure service is not owner of vault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure {{vault.vault_type}} vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure {{vault.vault_type}} vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: "{{vault.name}}" + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_cleanup.yml diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml deleted file mode 100644 index 2e2c03e3fce0d3503dcccec36a26ac20b3bca232..0000000000000000000000000000000000000000 --- a/tests/vault/test_vault.yml +++ /dev/null @@ -1,925 +0,0 @@ ---- -- name: Test vault - hosts: ipaserver - become: true - # Need to gather facts for ansible_env. - gather_facts: true - - tasks: - - - name: Copy password file to target host. - copy: - src: "{{ playbook_dir }}/password.txt" - dest: "{{ ansible_env.HOME }}/password.txt" - - - name: Copy public key file to target host. - copy: - src: "{{ playbook_dir }}/public.pem" - dest: "{{ ansible_env.HOME }}/public.pem" - - - name: Copy private key file to target host. - copy: - src: "{{ playbook_dir }}/private.pem" - dest: "{{ ansible_env.HOME }}/private.pem" - - - name: Copy input data file to target host. - copy: - src: "{{ playbook_dir }}/in.txt" - dest: "{{ ansible_env.HOME }}/in.txt" - - - name: Ensure user vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: user01 - state: absent - - - name: Ensure test users do not exist. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - - user03 - state: absent - - - name: Ensure test groups do not exist. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - state: absent - - - name: Ensure vaultgroup exists. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - - - name: Ensure user01 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user01 - first: First - last: Start - - - name: Ensure user02 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user02 - first: Second - last: Middle - - - name: Ensure user03 exists. - ipauser: - ipaadmin_password: SomeADMINpassword - name: user03 - first: Third - last: Last - - - name: Ensure shared vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - - - name: Ensure standard vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - - - name: Ensure service vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - - # tests - - name: Ensure standard vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - register: result - failed_when: not result.changed - - - name: Ensure standard vault is present, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - register: result - failed_when: result.changed - - - name: Ensure standard vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - register: result - failed_when: not result.changed - - - name: Ensure standard vault is absent, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - state: absent - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Archive data to symmetric vault - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Archive data with non-ASCII characters to symmetric vault - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_data: The world of π is half rounded. - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is absent, again - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is present - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeVAULTpassword - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with a different password - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password: SomeOtherVAULTpassword - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Ensure symmetric vault is absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with password from file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password_file: "{{ ansible_env.HOME }}/password.txt" - vault_type: symmetric - register: result - failed_when: not result.changed - - - name: Ensure symmetric vault is present, with password from file, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - username: user01 - vault_password_file: password.txt - vault_type: symmetric - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present, with public key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, with public key file, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - description: An asymmetric private vault. - public_key_file: "{{ ansible_env.HOME }}/public.pem" - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: admin - state: absent - register: result - failed_when: result.changed - - - name: Ensure asymmetric vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== - vault_type: asymmetric - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - description: An asymmetric private vault. - vault_public_key: - LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFyTTUvZjZkZC9ZSW0vYTllb0dWVApXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4SEQ0K1JWVXd4L2xxbGtQWWJVaTliWFYvckpBa1V3QUVET25KCmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVlTaXF5eU54RklKdlpBbzBkRzRDQVdqWUsyN3RMZzRJaDZvR3MKWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZURNTzU3dW52bUlLRW1hQkUwZXdQZnZrZFpoNWs4R3RzOUg0ZgpoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkK243QmJhVmM4MjBUZ1pETy9yU1l0bnVYYUljNld4MFU5TFhaCmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFBxckdxbXlXZC9FMWNIMmI1anpJeGlHbzhwc0w1c3hXVlk3V0oKZHdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== - vault_type: asymmetric - register: result - failed_when: result.changed - - - name: Archive data in asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Retrieve data from asymmetric vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key: - LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBck01L2Y2ZGQvWUltL2E5ZW9HVlRXOGpvYkVncmY5UFhSQTNhSHNBN2tKbzZmQjE4CkhENCtSVlV3eC9scWxrUFliVWk5YlhWL3JKQWtVd0FFRE9uSmVxWEVTWitnVkNWbWlnUnptS1dLMmFkOWFnbVkKU2lxeXlOeEZJSnZaQW8wZEc0Q0FXallLMjd0TGc0SWg2b0dzWklERytXVkVTNVc4OUsrTDBid1ZqcTR0c2hoZQpETU81N3Vudm1JS0VtYUJFMGV3UGZ2a2RaaDVrOEd0czlINGZoMGZHazV0YklZYTBiaHdNVXBMK1dIT202bmJkCituN0JiYVZjODIwVGdaRE8vclNZdG51WGFJYzZXeDBVOUxYWmtVbWszYXBNbnprbk5hVHFndUFRZFRuNzlHOFAKcXJHcW15V2QvRTFjSDJiNWp6SXhpR284cHNMNXN4V1ZZN1dKZHdJREFRQUJBb0lCQUE2ZTlpaXQxNFVBZ3g0Sgp2WDdpczlmYk90Y1drQitqbzk0Tk1meFNGWGdacElNbDEzOW9RTXFLOTdLanhzSHFBYURWZTdtTUxINUVQOTZKCjdNM081ZzRyZ2wwY1ZXdHBNckRReVpzTHZxREZ6Qld4dENIcVZQQXJ1dW1VWmhzU0ozbFJPUXJvOGFnL3c1YmYKNXRDNW9nVnE0K3JzQjRoQnBoZ3Axakdyc1VNK0U4TzdEWFhGSDY4RjhXZ0JpNzI1V3Zjam5iSTlpcmtiMEdjcQoxYkNQSndOM2ZBMWkyVldpUndWWVdiTlRXbkRvTk05WmRZWXhLMGt1VWtEK1F0cmV5Y1dQZjlWNDlsdlVpMVZwCkZWTm1CVUR2R0szSzFNd2JnWFJ3T1hoYWNZN1B0amtkdmFlYjJRY3U1UmpUa3J1R2h6VVlzT1AzcC9jdyt3S1YKdnpRcWNlRUNnWUVBNVd6N1YyU2xSYTJyLy96K0VUUWtKZkVOSjBLRG5DYjBwTUNsQ1FoM2pUTlBBNkRiaGlNawpGVGtjb05icWNwVGlWU2x2aGg2VEtzY1NncVlRVWpRL09xeUc3U2tqS1ZqUTcyajViZVFMeGlMVHRVeWoxT21QClhoOWNXSlh4OGlRKzQ1Y1BvbitrTU9BSWlUd2lCM21tRlJmUWpJR3ZlMURQVW85SitOWjRYZEVDZ1lFQXdOS2cKT2RHWXh4S3RDclhWejFtZGc2UERsVjhxaDdueHhaYlBjaCthTUlRbDErb1RDZ1NpdzhvT1lFZDhnMEhPZFY2dAoxRytJV2h2UHhpaVd5My9BRTBRaGdvS2syR1VzU2pXU01MY0piYVV6RG9FSEZqVExqZWNSbHFkem83cXhSWHFCCm1lTjRMNVdKWUtuTEM0ODJLN2h2dWZTK3VvNWZCNXF3UG10MTNNY0NnWUFlNFRWUFJQK3R5anR0WUNyK084dGwKdy9VbVJLQ2NRdTRJd3Rrenh3ejRWMkNhTjJ0MHVZUWd5eWdjU2ZFU2JSR3RycjhSQ1VwN3BvSEtUZm5DWnIvZgo4TnJVVHdZcGlZZk53WTVaQ1NuQWlHMkFhSWxnbmZNckV3T0Y5T0MwMjhZUE1nVHJ0VXh2TzZoS2VHcUlJUXFHCnFrYnFzb1hoRGpacGdWbk9nV2VBRVFLQmdHdWlaMHcvSXFBbFhiQzMxZlViMmlCTWZ2WFhuSjhNL2RmRkdtRmoKSUtmcWJGRjlXVWxqVXhRbHF5YTFZTnpJRkI1U1RvaGlCZVArMkZtTitMYjV4ZGM3VmRWTFpnZGhXbnJHTXFlOAoxS2QrNnVReXhDanlLWm81blFqU3ltdGY0R3FmT3M4VE9kaWVDWVNLNDB1OWtvaVBPTmE5dHVYZWFVK09Xc2xOCkpRcXJBb0dCQUozTUtPdnNuUXp1WlZQMnZ6MFpxTHdJRTNYalJpRkd2ZVZwaXpxNGh3T1ZldU5zVjA4SnZBMHQKcHVlTkl5OWtsUFNjRmM5T1VkaVpXa0VYMDlCd0prVklyT0hvdHVTQjhBU3RPNVVBbnRObnV5V0xKRUZDNFVxNApHcEI4bGJqOWpreFNLYVU3WDNHYWMyM0s5Skw4ZXVMaDdFN3JQdVpSWWE2bVlONG5iS3F1Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== - state: retrieved - register: result - failed_when: result.changed or result.failed or result['data'] != 'Hello World.' - - - name: Retrieve data from asymmetric vault, with private key file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - vault_type: asymmetric - private_key_file: "{{ ansible_env.HOME }}/private.pem" - state: retrieved - register: result - failed_when: result.failed or result.changed or result['data'] != 'Hello World.' - - - name: Ensure asymmetric vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure asymmetric vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: asymvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure standard vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - vault_type: standard - username: user01 - description: A standard private vault. - register: result - failed_when: not result.changed - - - name: Ensure standard vault is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - description: A standard private vault. - register: result - failed_when: result.changed - - - name: Archive data in standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_data: Hello World. - register: result - failed_when: not result.changed - - - name: Retrieve data from standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - out: "{{ ansible_env.HOME }}/data.txt" - state: retrieved - register: result - failed_when: result.changed - - - name: Verify retrieved data. - slurp: - src: "{{ ansible_env.HOME }}/data.txt" - register: slurpfile - failed_when: slurpfile['content'] | b64decode != 'Hello World.' - - - name: Archive data in standard vault, from file. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - in: "{{ ansible_env.HOME }}/in.txt" - register: result - failed_when: not result.changed - - - name: Retrieve data from standard vault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - state: retrieved - register: result - failed_when: result.data != 'Another World.' or result.changed - - - name: Ensure standard vault member user is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: not result.changed - - - name: Ensure standard vault member user is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: result.changed - - - name: Ensure more vault member users are present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - register: result - failed_when: not result.changed - - - name: Ensure vault member user is still present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user02 - register: result - failed_when: result.changed - - - name: Ensure vault users are absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault users are absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - - user02 - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault user is absent, once more. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - users: - - user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault member group is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - register: result - failed_when: not result.changed - - - name: Ensure vault member group is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - register: result - failed_when: result.changed - - - name: Ensure vault member group is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault member group is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - groups: vaultgroup - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault member service is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: not result.changed - - - name: Ensure vault member service is present, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: result.changed - - - name: Ensure vault member service is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault member service is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - action: member - services: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: result.changed - - - name: Ensure vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault is absent, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - register: result - failed_when: result.changed - - - name: Ensure shared vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - ipavaultpassword: SomeVAULTpassword - register: result - failed_when: not result.changed - - - name: Ensure shared vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - register: result - failed_when: not result.changed - - - name: Ensure service vault is present. - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - ipavaultpassword: SomeVAULTpassword - service: "HTTP/{{ groups.ipaserver[0] }}" - register: result - failed_when: not result.changed - - - name: Ensure service vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - register: result - failed_when: not result.changed - - - name: Ensure vault is present, with members. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - users: - - user02 - - user03 - groups: - - vaultgroup - register: result - failed_when: not result.changed - - - name: Ensure vault is present, with members, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - vault_type: standard - users: - - user02 - - user03 - groups: - - vaultgroup - register: result - failed_when: result.changed - - - name: Ensure user02 is not a member of vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure user02 is not a member of vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure user02 is a member of vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user02 - action: member - register: result - failed_when: not result.changed - - - name: Ensure user02 is a member of vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - users: user03 - action: member - register: result - failed_when: result.changed - - - name: Ensure user03 owns vault stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - action: member - register: result - failed_when: not result.changed - - - name: Ensure user03 owns vault stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - action: member - register: result - failed_when: result.changed - - - name: Ensure user03 is not owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure user03 is not owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - owners: user03 - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vaultgroup is owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - action: member - register: result - failed_when: not result.changed - - - name: Ensure vaultgroup is owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - action: member - register: result - failed_when: result.changed - - - name: Ensure vaultgroup is not owner of stdvault. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure vaultgroup is not owner of stdvault, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownergroups: vaultgroup - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is not owned by HTTP service. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: not result.changed - - - name: Ensure vault is not owned by HTTP service, again. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - ownerservices: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - action: member - register: result - failed_when: result.changed - - - name: Ensure vault is absent. - ipavault: - ipaadmin_password: SomeADMINpassword - name: stdvault - username: user01 - state: absent - - # cleaup - - name: Ensure user01 vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: user01 - state: absent - - - name: Ensure test vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: - - stdvault - - symvault - - asymvault - username: admin - state: absent - - - name: Ensure shared vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: sharedvault - shared: True - state: absent - - - name: Ensure service vaults are absent - ipavault: - ipaadmin_password: SomeADMINpassword - name: svcvault - service: "HTTP/{{ groups.ipaserver[0] }}" - state: absent - - - name: Ensure test users do not exist. - ipauser: - ipaadmin_password: SomeADMINpassword - name: - - user01 - - user02 - - user03 - state: absent - - - name: Ensure test groups do not exist. - ipagroup: - ipaadmin_password: SomeADMINpassword - name: vaultgroup - state: absent - - - name: Remove password file from target host. - file: - path: "{{ ansible_env.HOME }}/password.txt" - state: absent - - - name: Remove public key file from target host. - file: - path: "{{ ansible_env.HOME }}/public.pem" - state: absent - - - name: Remove private key file from target host. - file: - path: "{{ ansible_env.HOME }}/private.pem" - state: absent - - - name: Remove output data file from target host. - file: - path: "{{ ansible_env.HOME }}/data.txt" - state: absent - - - name: Remove input data file from target host. - file: - path: "{{ ansible_env.HOME }}/in.txt" - state: absent diff --git a/tests/vault/test_vault_asymmetric.yml b/tests/vault/test_vault_asymmetric.yml new file mode 100644 index 0000000000000000000000000000000000000000..1a1d3dcab5ca1d6248c27ace0d8a928c015733aa --- /dev/null +++ b/tests/vault/test_vault_asymmetric.yml @@ -0,0 +1,192 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure asymmetric vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + public_key: "{{ lookup('file', 'public.pem') | b64encode }}" + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + public_key: "{{ lookup('file', 'public.pem') | b64encode }}" + register: result + failed_when: result.changed + + - name: Archive data to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + out: "{{ ansible_env.HOME }}/data.txt" + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in asymmetric vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + vault_type: asymmetric + in: "{{ ansible_env.HOME }}/in.txt" + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure asymmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: result.changed + + - name: Ensure asymmetric vault is present, with public key from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + public_key_file: "{{ ansible_env.HOME }}/public.pem" + vault_type: asymmetric + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, with password from file, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + public_key_file: "{{ ansible_env.HOME }}/public.pem" + vault_type: asymmetric + register: result + failed_when: result.changed + + - name: Archive data to asymmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key: "{{ lookup('file', 'private.pem') | b64encode }}" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from asymmetric vault, with password file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + private_key_file: "{{ ansible_env.HOME }}/private.pem" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Ensure asymmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_setup.yml diff --git a/tests/vault/test_vault_members.yml b/tests/vault/test_vault_members.yml new file mode 100644 index 0000000000000000000000000000000000000000..219236aef176b86732f3a501b17172e0e5415da5 --- /dev/null +++ b/tests/vault/test_vault_members.yml @@ -0,0 +1,20 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Test vault module member operations. + include_tasks: + file: tasks_vault_members.yml + apply: + tags: + - "{{ vault.vault_type }}" + loop_control: + loop_var: vault + loop: + - { name: "stdvault", vault_type: "standard" } + - { name: "symvault", vault_type: "symmetric" } + - { name: "asymvault", vault_type: "asymmetric" } diff --git a/tests/vault/test_vault_standard.yml b/tests/vault/test_vault_standard.yml new file mode 100644 index 0000000000000000000000000000000000000000..5e0da98e647c9eda079a40cae7098bae137795e1 --- /dev/null +++ b/tests/vault/test_vault_standard.yml @@ -0,0 +1,125 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure standard vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + register: result + failed_when: not result.changed + + - name: Ensure standard vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + register: result + failed_when: result.changed + + - name: Archive data to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: Hello World. + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + out: "{{ ansible_env.HOME }}/data.txt" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in standard vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + in: "{{ ansible_env.HOME }}/in.txt" + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to standard vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure standard vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure standard vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_setup.yml diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml new file mode 100644 index 0000000000000000000000000000000000000000..c9429f4f6d3264c25296003c3f93d16c2d3ab686 --- /dev/null +++ b/tests/vault/test_vault_symmetric.yml @@ -0,0 +1,198 @@ +--- +- name: Test vault + hosts: ipaserver + become: true + # Need to gather facts for ansible_env. + gather_facts: true + + tasks: + - name: Setup testing environment. + import_tasks: env_setup.yml + + - name: Ensure symmetric vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_type: symmetric + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_type: symmetric + password: SomeVAULTpassword + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_data: Hello World. + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + out: "{{ ansible_env.HOME }}/data.txt" + state: retrieved + register: result + failed_when: result.changed + + - name: Verify retrieved data. + slurp: + src: "{{ ansible_env.HOME }}/data.txt" + register: slurpfile + failed_when: slurpfile['content'] | b64decode != 'Hello World.' + + - name: Archive data with non-ASCII characters to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + vault_data: The world of π is half rounded. + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'The world of π is half rounded.' or result.changed + + - name: Archive data in symmetric vault, from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + in: "{{ ansible_env.HOME }}/in.txt" + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Another World.' or result.changed + + - name: Archive data with single character to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + vault_data: c + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'c' or result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: result.changed + + - name: Ensure symmetric vault is present, with password from file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + password_file: "{{ ansible_env.HOME }}/password.txt" + vault_type: symmetric + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, with password from file, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + password_file: "{{ ansible_env.HOME }}/password.txt" + vault_type: symmetric + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + vault_data: Hello World. + password: SomeVAULTpassword + register: result + failed_when: not result.changed + + - name: Retrieve data from symmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Retrieve data from symmetric vault, with password file. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password_file: "{{ ansible_env.HOME }}/password.txt" + state: retrieved + register: result + failed_when: result.data != 'Hello World.' or result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + state: absent + register: result + failed_when: result.changed + + - name: Cleanup testing environment. + import_tasks: env_cleanup.yml