Enable integration tests for the crypto/ namespace #26684
Create a new file called
test/integration/targets/openssl/aliases
Which contains
posix/ci/group1
destructive
Then you can test by doing
ansible-test integration --docker=fedora25 -v openssl_privatekey openssl_publickey
test/integration/openssl.yml
@@ -0,0 +1,6 @@ | |||
--- |
Don't need this file, ansible-test will create what's needed on the fly
Hmm, I think I still need this file for other scenarios. (Tests not run via ansible-test).
Like:
@gundalow is correct. Since these tests are run by ansible-test, no separate playbook is required.
@mattclay I'd like to have this file there because I'd like to be able to test those modules outside the ansible-test scope.
The idea is to test those modules with different OpenSSL implementations:
- OpenSSL
- LibreSSL
- BoringSSL
@@ -0,0 +1,19 @@ | |||
- name: Generate a private key |
Format is test/integration/targets/$module_name/
Move to targets, i.e. test/integration/targets/openssl/tasks/main.yml
@@ -0,0 +1,35 @@ | |||
- name: Validate private key (test) |
Move to targets directory
@@ -0,0 +1,19 @@ | |||
- name: Generate a private key |
Install whatever dependencies are needed to the OS listed in
https://github.com/ansible/ansible/blob/devel/test/runner/completion/docker.txt
+
freebsd/10.3-STABLE
freebsd/11.0-STABLE
osx/10.11
rhel/7.3
The tests would be much easier to read if they were all in main.yml instead of split across multiple files. Splitting them up only makes sense when the tests are very large.
become: yes | ||
package: | ||
name: python-pip | ||
state: latest |
You shouldn't need to install pip. That is handled by ansible-test as part of the test infrastructure.
The same is true for the other tests.
done
@@ -0,0 +1,2 @@ | |||
posix/ci/group1 | |||
destructive |
You can remove destructive since there doesn't appear to be anything destructive about these tests.
The same is true for the other tests.
done
I'd said destructive as this test uses pip to upgrade a package.
become: yes | ||
package: | ||
name: epel-release | ||
state: latest |
This shouldn't be needed.
The same is true for the other tests.
done
package: | ||
name: PyOpenSSL | ||
state: latest | ||
use: pip |
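Review bot: `state: latest` on the PyOpenSSL install makes each run depend on whichever release the package index serves that day, so a test failure can come from an upstream release rather than from the modules under test. Pin a version, or a version range the modules are known to support, so that results are reproducible across CI runs.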
Install using the pip module instead of the package module.
The same is true for the other tests.
done
CI failure in integration tests. Here's one of the failures:
|
shell: 'openssl rsa -noout -modulus -in {{ output_dir }}/privatekey.pem | openssl md5' | ||
register: privatekey_modulus | ||
|
||
- name: Validate CSR (test - Common Name) |
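Review bot: in the `shell:` task that registers `privatekey_modulus`, the exit status of the pipeline is that of `openssl md5`, so a failing `openssl rsa` (missing or unparsable privatekey.pem) still returns 0 and registers the digest of empty input. Run the task with bash and `set -o pipefail`, or assert that the task's stderr is empty before using the value, and quote the `{{ output_dir }}/privatekey.pem` path so an output directory containing spaces does not split the argument.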
-nameopt switch should be used in order to be compatible with OpenSSL >= 1.1.0: the default format was changed between OpenSSL 1.0.2 and OpenSSL 1.1.0.
For example openssl req -noout -subject -in csr -nameopt oneline,-space_eq with csr_cn.stdout.split('=')[-1] could be used.
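The format change described in the comment above, as an added example that is not part of the original thread or of the PR's code: it shows why an equality check on `split('=')[-1]` breaks on the OpenSSL 1.1.0 default layout, and a parser that tolerates all three layouts. The sample lines are constructed, and `naive_cn` and `parse_subject` are hypothetical names.

```python
# Constructed sample lines modelled on `openssl req -noout -subject` output;
# they are not captured from the PR's CI runs.
SAMPLES = {
    "1.0.2 default": "subject=/C=US/O=Example/CN=www.ansible.com",
    "1.1.0 default": "subject=C = US, O = Example, CN = www.ansible.com",
    "oneline,-space_eq": "subject=C=US, O=Example, CN=www.ansible.com",
}


def naive_cn(line):
    """The split suggested in the review: everything after the last '='."""
    return line.split("=")[-1]


def parse_subject(line):
    """Return {attribute: value} for any of the three layouts above.

    Simplification (assumption): attribute values contain no '/', ',' or '='.
    """
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):]
    body = body.strip()
    # The 1.0.2 default layout starts with '/' and uses it as the separator;
    # the other two layouts separate attributes with commas.
    sep = "/" if body.startswith("/") else ","
    attrs = {}
    for part in body.split(sep):
        if "=" not in part:
            continue  # empty piece before the leading '/'
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def compare(expected="www.ansible.com"):
    """For each layout: (naive split matches?, tolerant parser matches?)."""
    return {
        name: (naive_cn(line) == expected,
               parse_subject(line).get("CN") == expected)
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```
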
done
@@ -0,0 +1,23 @@ | |||
- name: Install libffi-devel |
These two first tasks are duplicated in three files (openssl_csr/tasks/main.yml, openssl_privatekey/tasks/main.yml, openssl_publickey/tasks/main.yml): these tasks could be put in a dedicated role, something like setup_openssl.
It seems these tests found a Python 3 related bug:
OpenSuse builds failed on
privatekey_path: '{{ output_dir }}/privatekey.pem' | ||
commonName: 'www.ansible.com' | ||
|
||
- import_tasks: ../tests/validate.yml |
Two things (applicable to openssl_privatekey and openssl_publickey too):
- why import_tasks: ../tests/validate.yml instead of import_tasks: validate.yml?
- why are validation tasks split in another file (validate.yml) and not kept in main.yml?
Apart from these minor points, it looks good to me.
why import_tasks: ../tests/validate.yml instead of import_tasks: validate.yml?
Because for some reason it can't find the proper path to the file if not specified that way.
This is the command I run:
#> source hacking/env-setup
#> ansible-test integration --docker=centos7 -v openssl_csr
why are validation tasks split in another file (validate.yml) and not kept in main.yml?
To logically separate what is the scenario I am testing vs. the test suite to validate the scenario.
If this is a blocker I could revert, but if possible, I'd like to keep it that way
@@ -0,0 +1,14 @@ | |||
- import_role: | |||
name: setup_openssl |
Please use meta dependencies instead of import_role here and in the other tests.
Example: https://github.com/ansible/ansible/blob/devel/test/integration/targets/mysql_db/meta/main.yml
This will permit ansible-test to properly handle the role dependencies when analyzing changes from PRs.
done
@mattclay commit updated. Can I ask for a new review?
CI is failing with the following error:
|
Once the issue exposed by the tests is fixed this should be good to merge.
Crypto namespace contains the openssl modules. It has no integration testing as of now.

This commit aims to add integration tests for the crypto namespace. This will make it easier to spot breaking changes in the future.

These tests currently apply to:
* openssl_privatekey
* openssl_publickey
* openssl_csr
SUMMARY
Crypto namespace contains the openssl modules. It has no integration
testing as of now.
This commit aims to add integration tests for the crypto namespace.
This will make it easier to spot breaking changes in the future.
These tests currently apply to: