postgresql SSL related tests, Backport/2.8/55288 (#55801)

* postgresql SSL related tests (#55288) * postgresql SSL tests * postgresql SSL tests, added link to officiall doc (cherry picked from commit f8c4726) * postgresql SSL related tests: added changelog fragment
ansible · May 20, 2019 · f7dd79a · f7dd79a
1 parent 00b4a52
commit f7dd79a
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 0 deletions.
diff --git a/changelogs/fragments/postgresql-add-initial-ssl-tests.yml b/changelogs/fragments/postgresql-add-initial-ssl-tests.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - postgresql - added initial SSL related tests
diff --git a/test/integration/targets/postgresql/defaults/main.yml b/test/integration/targets/postgresql/defaults/main.yml
@@ -22,3 +22,9 @@ pg_hba_test_ips:
   netmask: 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00'
 - source: '172.16.0.0'
   netmask: '255.255.0.0'
+
+# defaults for test SSL
+ssl_db: 'ssl_db'
+ssl_user: 'ssl_user'
+ssl_pass: 'ssl_pass'
+ssl_rootcert: '~{{ pg_user }}/root.crt'
diff --git a/test/integration/targets/postgresql/tasks/main.yml b/test/integration/targets/postgresql/tasks/main.yml
@@ -794,6 +794,13 @@
     that:
       - "result.stdout_lines[-1] == '(0 rows)'"
 
+# Test ssl.
+# Restricted using Debian family because of there are errors on other distributions
+# that not related with PostgreSQL or psycopg2 SSL support.
+# The tests' key point is to be sure that ssl options work in general
+- include: ssl.yml
+  when: ansible_os_family == 'Debian' and postgres_version_resp.stdout is version('9.4', '>=')
+
 # Test postgresql_set
 - include: postgresql_set.yml
   when: postgres_version_resp.stdout is version('9.4', '>=')
@@ -877,6 +884,7 @@
 # postgres_pg_hba module checks
 # ============================================================
 - include: postgresql_pg_hba.yml
+
 #
 # Cleanup
 #

diff --git a/test/integration/targets/postgresql/tasks/ssl.yml b/test/integration/targets/postgresql/tasks/ssl.yml
@@ -0,0 +1,105 @@
+# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# The aim of this test is to be sure that SSL options work in general
+# and preparing the environment for testing these options in
+# the following PostgreSQL modules (ssl_db, ssl_user, certs).
+# Configured by https://www.postgresql.org/docs/current/ssl-tcp.html
+
+####################
+# Prepare for tests:
+
+- name: postgresql SSL - create database
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_db:
+    name: "{{ ssl_db }}"
+
+- name: postgresql SSL - create role
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_user:
+    name: "{{ ssl_user }}"
+    role_attr_flags: SUPERUSER
+    password: "{{ ssl_pass }}"
+
+- name: postgresql SSL - install openssl
+  become: yes
+  package: name=openssl state=present
+
+- name: postgresql SSL - create certs 1
+  become_user: "{{ pg_user }}"
+  become: yes
+  shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \
+         -keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"'
+
+- name: postgresql SSL - set right permissions to root.key
+  become_user: "{{ pg_user }}"
+  become: yes
+  file:
+    path: '~{{ pg_user }}/root.key'
+    mode: 0770
+
+- name: postgresql SSL - create certs 3
+  become_user: "{{ pg_user }}"
+  become: yes
+  shell: 'openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \
+         -extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt'
+
+- name: postgresql SSL - create certs 4
+  become_user: "{{ pg_user }}"
+  become: yes
+  shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \
+         -keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"'
+
+- name: postgresql SSL - set right permissions to server.key
+  become_user: "{{ pg_user }}"
+  become: yes
+  file:
+    path: '~{{ pg_user }}/server.key'
+    mode: 0770
+
+- name: postgresql SSL - create certs 5
+  become_user: "{{ pg_user }}"
+  become: yes
+  shell: 'openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \
+         -CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt'
+
+- name: postgresql SSL - enable SSL
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_set:
+    login_user: "{{ pg_user }}"
+    db: postgres
+    name: ssl
+    value: on
+
+- name: postgresql SSL - reload PostgreSQL to enable ssl on
+  become: yes
+  service:
+    name: "{{ postgresql_service }}"
+    state: reloaded
+
+###############
+# Do main tests
+
+- name: postgresql SSL - ping DB with SSL
+  become_user: "{{ pg_user }}"
+  become: yes
+  postgresql_ping:
+    db: "{{ ssl_db }}"
+    login_user: "{{ ssl_user }}"
+    login_password: "{{ ssl_pass }}"
+    login_host: 127.0.0.1
+    login_port: 5432
+    ssl_mode: require
+    ca_cert: '{{ ssl_rootcert }}'
+  register: result
+
+- assert:
+    that: 
+    - result.is_available == true
+
+###################################################
+# I decided not to clean ssl_db, ssl_user and certs
+# for testing options related with SSL in other modules