Enable integration tests for the crypto/ namespace

[Spredzy]

SUMMARY

Crypto namespace contains the openssl modules. It has no integration
testing as of now.

This commits aims to add integration tests for the crypto namespace.
This will make it easier to spot breaking changes in the future.

This tests currently apply to:

• openssl_privatekey
• openssl_publickey
• openssl_csr

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

• crypto/
• test/integration

ANSIBLE VERSION

ansible 2.4.0 (openssl_integration_test caf6ffb395) last updated 2017/07/12 10:58:24 (GMT +200)
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/spredzy/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/spredzy/Projects/github.com/Spredzy/ansible/lib/ansible
  executable location = /home/spredzy/Projects/github.com/Spredzy/ansible/bin/ansible
  python version = 2.7.13 (default, May 10 2017, 20:04:28) [GCC 6.3.1 20161221 (Red Hat 6.3.1-1)]

ADDITIONAL INFORMATION

• N/A

[gundalow]

Create a new file called
test/integration/targets/openssl/aliases

Which contains

posix/ci/group1
destructive

Then you can test by doing
ansible-test integration --docker=fedora25 -v openssl_privatekey openssl_publickey

[gundalow]

Don't need this file, ansible-test will create what's needed on the fly

[Spredzy]

Hmm, I think I still need this file for other scenarios. (Tests not run via ansible-test).

Like:

• vyos: https://github.com/ansible/ansible/blob/devel/test/integration/vyos.yaml
• ovs: https://github.com/ansible/ansible/blob/devel/test/integration/ovs.yaml

[mattclay]

@gundalow is correct. Since these tests are run by ansible-test, no separate playbook is required.

[Spredzy]

@mattclay I'd like to have this file there because I'd like to be able to test those modules outside the ansible-test scope.

The idea is to test those modules with different OpenSSL implementation:

• OpenSSL
• LibreSSL
• BoringSSL

[gundalow]

Format is test/integration/targets/$module_name/ Move to targetsi.e. test/integration/targets/openssl/tasks/main.yml

[gundalow]

Move to targets directory

[gundalow]

Install whatever dependencies are needed to the OS listed in
https://github.com/ansible/ansible/blob/devel/test/runner/completion/docker.txt
+

freebsd/10.3-STABLE
freebsd/11.0-STABLE
osx/10.11
rhel/7.3

[mattclay]

The tests would be much easier to read if they were all in main.yml instead of split across multiple files. Splitting them up only makes sense when the tests are very large.

[mattclay]

You shouldn't need to install pip. That is handled by ansible-test as part of the test infrastructure.

The same is true for the other tests.

[Spredzy]

done

[mattclay]

You can remove destructive since there doesn't appear to be anything destructive about these tests.

The same is true for the other tests.

[Spredzy]

done

[gundalow]

I'd said destructive as this test uses pip to upgrade some a package.

[mattclay]

This shouldn't be needed.

The same is true for the other tests.

[Spredzy]

done

[mattclay]

Install using the pip module instead of the package module.

The same is true for the other tests.

[Spredzy]

done

[mattclay]

CI failure in integration tests. Here's one of the failures:

Traceback (most recent call last):
  File "/tmp/ansible_i__h80ey/ansible_module_openssl_csr.py", line 327, in <module>
    main()
  File "/tmp/ansible_i__h80ey/ansible_module_openssl_csr.py", line 295, in main
    csr = CertificateSigningRequest(module)
  File "/tmp/ansible_i__h80ey/ansible_module_openssl_csr.py", line 204, in __init__
    for (key, value) in self.subject.items():
RuntimeError: dictionary changed size during iteration

[pilou-]

-nameopt switch should be used in order to be compatible with OpenSSL >= 1.1.0: the default format was changed between OpenSSL 1.0.2 and OpenSSL 1.1.0.

For example openssl req -noout -subject -in csr -nameopt oneline,-space_eq with csr_cn.stdout.split('=')[-1] could be used.

[Spredzy]

done

[pilou-]

These two first tasks are duplicated in three files (openssl_csr/tasks/main.yml, openssl_privatekey/tasks/main.yml, openssl_publickey/tasks/main.yml): these tasks could be put in a dedicated role, something like setup_openssl.

[pilou-]

It seems these tests found a Python 3 related bug:

# on linux/ubuntu1604py3/1:
TASK [openssl_csr : Generate CSR] ***
The full traceback is:
Traceback (most recent call last):
   File "/tmp/ansible_xg20t0t7/ansible_module_openssl_csr.py", line 327, in <module>
     main()
   File "/tmp/ansible_xg20t0t7/ansible_module_openssl_csr.py", line 295, in main
     csr = CertificateSigningRequest(module)
   File "/tmp/ansible_xg20t0t7/ansible_module_openssl_csr.py", line 204, in __init__
     for (key, value) in self.subject.items():
 RuntimeError: dictionary changed size during iteration

OpenSuse builds failed on pip install PyOpenSSL with:

TASK [openssl_csr : Install libffi-devel] **************************************
task path: /root/ansible/test/integration/targets/openssl_csr/tasks/main.yml:1
skipping: [testhost] => {
    "changed": false, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}

TASK [openssl_csr : pip install PyOpenSSL] 
c/_cffi_backend.c:15:17: fatal error: ffi.h: No such file or directory

ansible_os_family should be used instead of ansible_distribution.

[Spredzy]

@mattclay @gundalow @pilou- all review have been addressed, could you please review this PR again ?
Thanks in advance.

[pilou-]

Two things (applicable to openssl_privakey and openssl_publickey too):

• why import_tasks: ../tests/validate.yml instead of import_tasks: validate.yml?
• why are validation tasks split in another file (validate.yml) and not kept in main.yml?

Apart from these minor points, it looks good to me.

[Spredzy]

@pilou-

why import_tasks: ../tests/validate.yml instead of import_tasks: validate.yml?

Because for some reason it can't find the proper path to the file if not specified that way.
This is the command I run:

#> source hacking/env-setup
#> ansible-test integration --docker=centos7 -v openssl_csr

why are validation tasks split in another file (validate.yml) and not kept in main.yml?

To logically separate what is the scenario I am testing vs. the test suite to validate the scenario.

If this is a blocker I could revert, but if possible, I'd like to keep it that way

[mattclay]

Please use meta dependencies instead of import_role here and in the other tests.

Example: https://github.com/ansible/ansible/blob/devel/test/integration/targets/mysql_db/meta/main.yml

This will permit ansible-test to properly handle the role dependencies when analyzing changes from PRs.

[Spredzy]

done

[Spredzy]

@mattclay commit updated. Can I ask for a new review?

[mattclay]

CI is failing with the following error:

Traceback (most recent call last):
  File "/tmp/ansible_IF6XA1/ansible_module_openssl_privatekey.py", line 294, in <module>
    main()
  File "/tmp/ansible_IF6XA1/ansible_module_openssl_privatekey.py", line 273, in main
    private_key.generate(module)
  File "/tmp/ansible_IF6XA1/ansible_module_openssl_privatekey.py", line 205, in generate
    self.fingerprint = get_fingerprint(self.path, self.passphrase)
  File "/tmp/ansible_IF6XA1/ansible_modlib.zip/ansible/module_utils/crypto.py", line 45, in get_fingerprint
TypeError: Last argument must be string or callable

[mattclay]

Once the issue exposed by the tests is fixed this should be good to merge.

[Spredzy]

Thanks @mattclay @pilou- @gundalow !