From 5b28cd65f09c18820e54396f9707647ee77cc234 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Mon, 18 Feb 2019 17:16:57 +0100 Subject: [PATCH] luks_device: add integration tests (#52359) * Add first version of luks_device tests. * Do ~ expansion manually. * Try to enable RHEL8. * Adjust to older losetup version. * Make sure cryptsetup is installed. --- test/integration/targets/luks_device/aliases | 6 + .../targets/luks_device/files/keyfile1 | 1 + .../targets/luks_device/files/keyfile2 | 1 + .../targets/luks_device/tasks/main.yml | 33 ++++ .../targets/luks_device/tasks/run-test.yml | 8 + .../tasks/tests/create-destroy.yml | 187 ++++++++++++++++++ .../tasks/tests/key-management.yml | 123 ++++++++++++ 7 files changed, 359 insertions(+) create mode 100644 test/integration/targets/luks_device/aliases create mode 100644 test/integration/targets/luks_device/files/keyfile1 create mode 100644 test/integration/targets/luks_device/files/keyfile2 create mode 100644 test/integration/targets/luks_device/tasks/main.yml create mode 100644 test/integration/targets/luks_device/tasks/run-test.yml create mode 100644 test/integration/targets/luks_device/tasks/tests/create-destroy.yml create mode 100644 test/integration/targets/luks_device/tasks/tests/key-management.yml
diff --git a/test/integration/targets/luks_device/aliases b/test/integration/targets/luks_device/aliases
new file mode 100644
index 0000000000..aa3892a34c
--- /dev/null
+++ b/test/integration/targets/luks_device/aliases
@@ -0,0 +1,6 @@
+shippable/posix/group2
+skip/osx
+skip/freebsd
+skip/docker
+needs/root
+destructive
diff --git a/test/integration/targets/luks_device/files/keyfile1 b/test/integration/targets/luks_device/files/keyfile1
new file mode 100644
index 0000000000..5e40c08770
--- /dev/null
+++ b/test/integration/targets/luks_device/files/keyfile1
@@ -0,0 +1 @@
+asdf
\ No newline at end of file
diff --git a/test/integration/targets/luks_device/files/keyfile2 b/test/integration/targets/luks_device/files/keyfile2
new file mode 100644
index 0000000000..5e4f256515
--- /dev/null
+++ b/test/integration/targets/luks_device/files/keyfile2
@@ -0,0 +1 @@
+test1234
\ No newline at end of file
diff --git a/test/integration/targets/luks_device/tasks/main.yml b/test/integration/targets/luks_device/tasks/main.yml
new file mode 100644
index 0000000000..9793704581
--- /dev/null
+++ b/test/integration/targets/luks_device/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- name: Make sure cryptsetup is installed
+ package:
+ name: cryptsetup
+ state: present
+ become: yes
+- name: Create cryptfile
+ command: dd if=/dev/zero of={{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile bs=1M count=32
+- name: Create lookback device
+ command: losetup -f {{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile
+ become: yes
+- name: Determine loop device name
+ command: losetup -j {{ output_dir.replace('~', ansible_env.HOME) }}/cryptfile --output name
+ become: yes
+ register: cryptfile_device_output
+- set_fact:
+ cryptfile_device: "{{ cryptfile_device_output.stdout_lines[1] }}"
+- block:
+ - include_tasks: run-test.yml
+ with_fileglob:
+ - "tests/*.yml"
+ always:
+ - name: Make sure LUKS device is gone
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: absent
+ become: yes
+ ignore_errors: yes
+ - command: losetup -d "{{ cryptfile_device }}"
+ become: yes
+ - file:
+ dest: "{{ output_dir }}/cryptfile"
+ state: absent
diff --git a/test/integration/targets/luks_device/tasks/run-test.yml b/test/integration/targets/luks_device/tasks/run-test.yml
new file mode 100644
index 0000000000..a2ec73b24b
--- /dev/null
+++ b/test/integration/targets/luks_device/tasks/run-test.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure LUKS device is gone
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: absent
+ become: yes
+- name: "Loading tasks from {{ item }}"
+ include_tasks: "{{ item }}"
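Review bot: In tasks/main.yml the device that every later `luks_device` task formats and wipes is taken positionally, as `cryptfile_device_output.stdout_lines[1]`, with nothing confirming it is the loop device backing cryptfile. Since the target is marked destructive and runs as root, a changed `losetup` output layout (no header line, an extra line) would either fail obscurely or could hand an unintended path to `state: absent`; a guard such as `- assert: {that: "cryptfile_device is match('^/dev/loop[0-9]+$')"}` right after the `set_fact` stops the run before anything is touched. The `dd` and `losetup` setup tasks also sit outside the `block`/`always`, so a failure between attaching the loop device and entering the block leaves it attached for the next run. The same hunk passes the templated path unquoted to `command:` three times, so an `output_dir` containing whitespace would be split into several arguments.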
diff --git a/test/integration/targets/luks_device/tasks/tests/create-destroy.yml b/test/integration/targets/luks_device/tasks/tests/create-destroy.yml
new file mode 100644
index 0000000000..b5bdd73ea1
--- /dev/null
+++ b/test/integration/targets/luks_device/tasks/tests/create-destroy.yml
@@ -0,0 +1,187 @@
+---
+#- name: Create (check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: present
+# keyfile: "{{ role_path }}/files/keyfile1"
+# check_mode: yes
+# become: yes
+# register: create_check
+- name: Create
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ register: create
+- name: Create (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: present
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ register: create_idem
+#- name: Create (idempotent, check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: present
+# keyfile: "{{ role_path }}/files/keyfile1"
+# check_mode: yes
+# become: yes
+# register: create_idem_check
+- assert:
+ that:
+ #- create_check is changed
+ - create is changed
+ - create_idem is not changed
+ #- create_idem_check is not changed
+
+#- name: Open (check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: opened
+# keyfile: "{{ role_path }}/files/keyfile1"
+# check_mode: yes
+# become: yes
+# register: open_check
+- name: Open
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ register: open
+- name: Open (idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ register: open_idem
+#- name: Open (idempotent, check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: opened
+# keyfile: "{{ role_path }}/files/keyfile1"
+# check_mode: yes
+# become: yes
+# register: open_idem_check
+- assert:
+ that:
+ #- open_check is changed
+ - open is changed
+ - open_idem is not changed
+ #- open_idem_check is not changed
+
+#- name: Closed (via name, check)
+# luks_device:
+# name: "{{ open.name }}"
+# state: closed
+# check_mode: yes
+# become: yes
+# register: close_check
+- name: Closed (via name)
+ luks_device:
+ name: "{{ open.name }}"
+ state: closed
+ become: yes
+ register: close
+- name: Closed (via name, idempotent)
+ luks_device:
+ name: "{{ open.name }}"
+ state: closed
+ become: yes
+ register: close_idem
+#- name: Closed (via name, idempotent, check)
+# luks_device:
+# name: "{{ open.name }}"
+# state: closed
+# check_mode: yes
+# become: yes
+# register: close_idem_check
+- assert:
+ that:
+ #- close_check is changed
+ - close is changed
+ - close_idem is not changed
+ #- close_idem_check is not changed
+
+- name: Re-open
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+
+#- name: Closed (via device, check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: closed
+# check_mode: yes
+# become: yes
+# register: close_check
+- name: Closed (via device)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ become: yes
+ register: close
+- name: Closed (via device, idempotent)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ become: yes
+ register: close_idem
+#- name: Closed (via device, idempotent, check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: closed
+# check_mode: yes
+# become: yes
+# register: close_idem_check
+- assert:
+ that:
+ #- close_check is changed
+ - close is changed
+ - close_idem is not changed
+ #- close_idem_check is not changed
+
+- name: Re-opened
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+
+#- name: Absent (check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: absent
+# check_mode: yes
+# become: yes
+# register: absent_check
+- name: Absent
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: absent
+ become: yes
+ register: absent
+- name: Absent (idempotence)
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: absent
+ become: yes
+ register: absent_idem
+#- name: Absent (idempotence, check)
+# luks_device:
+# device: "{{ cryptfile_device }}"
+# state: absent
+# check_mode: yes
+# become: yes
+# register: absent_idem_check
+- assert:
+ that:
+ #- absent_check is changed
+ - absent is changed
+ - absent_idem is not changed
+ #- absent_idem_check is not changed
diff --git a/test/integration/targets/luks_device/tasks/tests/key-management.yml b/test/integration/targets/luks_device/tasks/tests/key-management.yml
new file mode 100644
index 0000000000..963d05a7a0
--- /dev/null
+++ b/test/integration/targets/luks_device/tasks/tests/key-management.yml
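Review bot: In tests/create-destroy.yml the `Absent` tasks are verified only through `absent is changed`, which reflects what the module reported rather than whether the LUKS header is actually gone from the device. Because header removal is the security-relevant effect of `state: absent`, an independent check after it would make the test meaningful, for example a task running `cryptsetup isLuks {{ cryptfile_device }}` with `register: absent_verify` and `failed_when: absent_verify.rc == 0`. The commented-out check-mode variants throughout the file carry no explanation; a one-line comment such as `# check mode tests disabled: <reason>` above the first of them would tell the next reader whether they are meant to be re-enabled.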
@@ -0,0 +1,123 @@
+---
+- name: Create with keyfile1
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+
+# Access: keyfile1
+
+- name: Try to open with keyfile1
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is not failed
+- name: Close
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+
+- name: Try to open with keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is failed
+
+- name: Give access to keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ keyfile: "{{ role_path }}/files/keyfile1"
+ new_keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+
+# Access: keyfile1 and keyfile2
+
+- name: Try to open with keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is not failed
+- name: Close
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+
+- name: Remove access from keyfile1
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ keyfile: "{{ role_path }}/files/keyfile1"
+ remove_keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+
+# Access: keyfile2
+
+- name: Try to open with keyfile1
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile1"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is failed
+
+- name: Try to open with keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is not failed
+- name: Close
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+
+- name: Remove access from keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: closed
+ keyfile: "{{ role_path }}/files/keyfile2"
+ remove_keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+
+# Access: none
+
+- name: Try to open with keyfile2
+ luks_device:
+ device: "{{ cryptfile_device }}"
+ state: opened
+ keyfile: "{{ role_path }}/files/keyfile2"
+ become: yes
+ ignore_errors: yes
+ register: open_try
+- assert:
+ that:
+ - open_try is failed
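Review bot: In tests/key-management.yml the negative cases assert only `open_try is failed` under `ignore_errors: yes`, so any failure (an unreadable keyfile path, a `cryptsetup` error unrelated to the key, a privilege problem) satisfies the expectation that access was revoked. That applies to all three expected-failure opens, including the one after the last key is removed; additionally asserting on the module's reported error text or return code, if it exposes one, would tie the result to key rejection. The three `Close` tasks are also the only `luks_device` calls in the file without `become: yes`, which is presumably harmless under `needs/root` but would break them if the target ever ran unprivileged; adding `become: yes` keeps them consistent with the rest.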