-
Notifications
You must be signed in to change notification settings - Fork 23.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
postgresql SSL related tests, Backport/2.8/55288 (#55801)
* postgresql SSL related tests (#55288) * postgresql SSL tests * postgresql SSL tests, added link to officiall doc (cherry picked from commit f8c4726) * postgresql SSL related tests: added changelog fragment
- Loading branch information
1 parent
00b4a52
commit f7dd79a
Showing
4 changed files
with
121 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
bugfixes: | ||
- postgresql - added initial SSL related tests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,105 @@ | ||
# Copyright: (c) 2019, Andrew Klychkov (@Andersson007) <aaklychkov@mail.ru> | ||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) | ||
|
||
# The aim of this test is to be sure that SSL options work in general | ||
# and preparing the environment for testing these options in | ||
# the following PostgreSQL modules (ssl_db, ssl_user, certs). | ||
# Configured by https://www.postgresql.org/docs/current/ssl-tcp.html | ||
|
||
#################### | ||
# Prepare for tests: | ||
|
||
- name: postgresql SSL - create database | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
postgresql_db: | ||
name: "{{ ssl_db }}" | ||
|
||
- name: postgresql SSL - create role | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
postgresql_user: | ||
name: "{{ ssl_user }}" | ||
role_attr_flags: SUPERUSER | ||
password: "{{ ssl_pass }}" | ||
|
||
- name: postgresql SSL - install openssl | ||
become: yes | ||
package: name=openssl state=present | ||
|
||
- name: postgresql SSL - create certs 1 | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \ | ||
-keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"' | ||
|
||
- name: postgresql SSL - set right permissions to root.key | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
file: | ||
path: '~{{ pg_user }}/root.key' | ||
mode: 0770 | ||
|
||
- name: postgresql SSL - create certs 3 | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
shell: 'openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \ | ||
-extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt' | ||
|
||
- name: postgresql SSL - create certs 4 | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
shell: 'openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \ | ||
-keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"' | ||
|
||
- name: postgresql SSL - set right permissions to server.key | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
file: | ||
path: '~{{ pg_user }}/server.key' | ||
mode: 0770 | ||
|
||
- name: postgresql SSL - create certs 5 | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
shell: 'openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \ | ||
-CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt' | ||
|
||
- name: postgresql SSL - enable SSL | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
postgresql_set: | ||
login_user: "{{ pg_user }}" | ||
db: postgres | ||
name: ssl | ||
value: on | ||
|
||
- name: postgresql SSL - reload PostgreSQL to enable ssl on | ||
become: yes | ||
service: | ||
name: "{{ postgresql_service }}" | ||
state: reloaded | ||
|
||
############### | ||
# Do main tests | ||
|
||
- name: postgresql SSL - ping DB with SSL | ||
become_user: "{{ pg_user }}" | ||
become: yes | ||
postgresql_ping: | ||
db: "{{ ssl_db }}" | ||
login_user: "{{ ssl_user }}" | ||
login_password: "{{ ssl_pass }}" | ||
login_host: 127.0.0.1 | ||
login_port: 5432 | ||
ssl_mode: require | ||
ca_cert: '{{ ssl_rootcert }}' | ||
register: result | ||
|
||
- assert: | ||
that: | ||
- result.is_available == true | ||
|
||
################################################### | ||
# I decided not to clean ssl_db, ssl_user and certs | ||
# for testing options related with SSL in other modules |