Add ecs_domain module (ansible#62007)

* Add ecs_domain module * Fixes to integration tests and module * Fixes to tests and module * Corrections to revalidation behavior, cna only revalidate domains in expiring. * Remove debugs for final test run, fix sanity check test fails. * Add checks for domain status * Add changelog fragment for new module. * Removed extra space in backtick * Minor fixes to make behavior more consistent and correct documentation. * Update lib/ansible/modules/crypto/entrust/ecs_domain.py Co-Authored-By: Felix Fontein <[email protected]> * Update lib/ansible/modules/crypto/entrust/ecs_domain.py Co-Authored-By: Felix Fontein <[email protected]> * Update lib/ansible/modules/crypto/entrust/ecs_domain.py Co-Authored-By: Felix Fontein <[email protected]> * Apply suggestions from code review Co-Authored-By: Felix Fontein <[email protected]> * Change casing of verification method enum, remove redundant changelog fragment * Return ov_eligible and ev_eligible fields even if false, as long as they're returned by ECS API
vasilyprokopov · Sep 15, 2019 · 29505cf · 29505cf
1 parent 5dbd4bc
commit 29505cf
Show file tree

Hide file tree

Showing 6 changed files with 713 additions and 0 deletions.
diff --git a/lib/ansible/modules/crypto/entrust/ecs_domain.py b/lib/ansible/modules/crypto/entrust/ecs_domain.py
diff --git a/test/integration/targets/ecs_domain/aliases b/test/integration/targets/ecs_domain/aliases
@@ -0,0 +1,15 @@
+# Not enabled due to lack of access to test environments. May be enabled using custom integration_config.yml
+# Example integation_config.yml
+# ---
+# entrust_api_user:
+# entrust_api_key:
+# entrust_api_client_cert_path: /var/integration-testing/publicCert.pem
+# entrust_api_client_cert_key_path: /var/integration-testing/privateKey.pem
+# entrust_api_ip_address: 127.0.0.1
+# entrust_cloud_ip_address: 127.0.0.1
+# # Used for certificate path validation of QA environments - we chose not to support disabling path validation ever.
+# cacerts_bundle_path_local: /var/integration-testing/cacerts
+
+### WARNING: This test will update HOSTS file and CERTIFICATE STORE of target host, in order to be able to validate
+# to a QA environment. ###
+unsupported
diff --git a/test/integration/targets/ecs_domain/defaults/main.yml b/test/integration/targets/ecs_domain/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for test_ecs_domain
diff --git a/test/integration/targets/ecs_domain/meta/main.yml b/test/integration/targets/ecs_domain/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - prepare_tests
diff --git a/test/integration/targets/ecs_domain/tasks/main.yml b/test/integration/targets/ecs_domain/tasks/main.yml
@@ -0,0 +1,270 @@
+---
+## Verify that integration_config was specified
+- block:
+  - assert:
+      that:
+        - entrust_api_user is defined
+        - entrust_api_key is defined
+        - entrust_api_ip_address is defined
+        - entrust_cloud_ip_address is defined
+        - entrust_api_client_cert_path is defined or entrust_api_client_cert_contents is defined
+        - entrust_api_client_cert_key_path is defined or entrust_api_client_cert_key_contents
+        - cacerts_bundle_path_local is defined
+
+## SET UP TEST ENVIRONMENT ########################################################################
+- name: copy the files needed for verifying test server certificate to the host
+  copy:
+    src: '{{ cacerts_bundle_path_local }}/'
+    dest: '{{ cacerts_bundle_path }}'
+
+- name: Update the CA certificates for our QA certs (collection may need updating if new QA environments used)
+  command: c_rehash {{ cacerts_bundle_path }}
+
+- name: Update hosts file
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regexp: 'api.entrust.net$'
+    line: '{{ entrust_api_ip_address }} api.entrust.net'
+
+- name: Update hosts file
+  lineinfile:
+    path: /etc/hosts
+    state: present
+    regexp: 'cloud.entrust.net$'
+    line: '{{ entrust_cloud_ip_address }} cloud.entrust.net'
+
+- name: Clear out the temporary directory for storing the API connection information
+  file:
+    path: '{{ tmpdir_path }}'
+    state: absent
+
+- name: Create a directory for storing the API connection Information
+  file:
+    path: '{{ tmpdir_path }}'
+    state: directory
+
+- name: Copy the files needed for the connection to entrust API to the host
+  copy:
+    src: '{{ entrust_api_client_cert_path }}'
+    dest: '{{ entrust_api_cert }}'
+
+- name: Copy the files needed for the connection to entrust API to the host
+  copy:
+    src: '{{ entrust_api_client_cert_key_path }}'
+    dest: '{{ entrust_api_cert_key }}'
+
+- block:
+  - name: Have ECS request a domain validation via dns
+    ecs_domain:
+      domain_name: dns.{{ common_name }}
+      verification_method: dns
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: dns_result
+
+  - assert:
+      that:
+        - dns_result is not failed
+        - dns_result.changed
+        - dns_result.domain_status == 'INITIAL_VERIFICATION'
+        - dns_result.verification_method == 'dns'
+        - dns_result.dns_location is string
+        - dns_result.dns_contents is string
+        - dns_result.dns_resource_type is string
+        - dns_result.file_location is undefined
+        - dns_result.file_contents is undefined
+        - dns_result.emails is undefined
+
+  - name: Have ECS request a domain validation via web_server
+    ecs_domain:
+      domain_name: FILE.{{ common_name }}
+      verification_method: web_server
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: file_result
+
+  - assert:
+      that:
+        - file_result is not failed
+        - file_result.changed
+        - file_result.domain_status == 'INITIAL_VERIFICATION'
+        - file_result.verification_method == 'web_server'
+        - file_result.dns_location is undefined
+        - file_result.dns_contents is undefined
+        - file_result.dns_resource_type is undefined
+        - file_result.file_location is string
+        - file_result.file_contents is string
+        - file_result.emails is undefined
+
+  - name: Have ECS request a domain validation via email
+    ecs_domain:
+      domain_name: email.{{ common_name }}
+      verification_method: email
+      verification_email: [email protected]
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: email_result
+
+  - assert:
+      that:
+        - email_result is not failed
+        - email_result.changed
+        - email_result.domain_status == 'INITIAL_VERIFICATION'
+        - email_result.verification_method == 'email'
+        - email_result.dns_location is undefined
+        - email_result.dns_contents is undefined
+        - email_result.dns_resource_type is undefined
+        - email_result.file_location is undefined
+        - email_result.file_contents is undefined
+        - email_result.emails[0] == '[email protected]'
+
+  - name: Have ECS request a domain validation via email with no address provided
+    ecs_domain:
+      domain_name: email2.{{ common_name }}
+      verification_method: email
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: email_result2
+
+  - assert:
+      that:
+        - email_result2 is not failed
+        - email_result2.changed
+        - email_result2.domain_status == 'INITIAL_VERIFICATION'
+        - email_result2.verification_method == 'email'
+        - email_result2.dns_location is undefined
+        - email_result2.dns_contents is undefined
+        - email_result2.dns_resource_type is undefined
+        - email_result2.file_location is undefined
+        - email_result2.file_contents is undefined
+        - email_result2.emails is defined
+
+  - name: Have ECS request a domain validation via manual
+    ecs_domain:
+      domain_name: manual.{{ common_name }}
+      verification_method: manual
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: manual_result
+
+  - assert:
+      that:
+        - manual_result is not failed
+        - manual_result.changed
+        - manual_result.domain_status == 'INITIAL_VERIFICATION'
+        - manual_result.verification_method == 'manual'
+        - manual_result.dns_location is undefined
+        - manual_result.dns_contents is undefined
+        - manual_result.dns_resource_type is undefined
+        - manual_result.file_location is undefined
+        - manual_result.file_contents is undefined
+        - manual_result.emails is undefined
+
+  - name: Have ECS request a domain validation via dns that remains unchanged
+    ecs_domain:
+      domain_name: dns.{{ common_name }}
+      verification_method: dns
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: dns_result2
+
+  - assert:
+      that:
+        - dns_result2 is not failed
+        - not dns_result2.changed
+        - dns_result2.domain_status == 'INITIAL_VERIFICATION'
+        - dns_result2.verification_method == 'dns'
+        - dns_result2.dns_location is string
+        - dns_result2.dns_contents is string
+        - dns_result2.dns_resource_type is string
+        - dns_result2.file_location is undefined
+        - dns_result2.file_contents is undefined
+        - dns_result2.emails is undefined
+
+  - name: Have ECS request a domain validation via FILE for dns, to change verification method
+    ecs_domain:
+      domain_name: dns.{{ common_name }}
+      verification_method: web_server
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: dns_result_now_file
+
+  - assert:
+      that:
+        - dns_result_now_file is not failed
+        - dns_result_now_file.changed
+        - dns_result_now_file.domain_status == 'INITIAL_VERIFICATION'
+        - dns_result_now_file.verification_method == 'web_server'
+        - dns_result_now_file.dns_location is undefined
+        - dns_result_now_file.dns_contents is undefined
+        - dns_result_now_file.dns_resource_type is undefined
+        - dns_result_now_file.file_location is string
+        - dns_result_now_file.file_contents is string
+        - dns_result_now_file.emails is undefined
+
+  - name: Request revalidation of an approved domain
+    ecs_domain:
+      domain_name: '{{ existing_domain_common_name }}'
+      verification_method: manual
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: manual_existing_domain
+
+  - assert:
+      that:
+        - manual_existing_domain is not failed
+        - not manual_existing_domain.changed
+        - manual_existing_domain.domain_status == 'RE_VERIFICATION'
+        - manual_existing_domain.dns_location is undefined
+        - manual_existing_domain.dns_contents is undefined
+        - manual_existing_domain.dns_resource_type is undefined
+        - manual_existing_domain.file_location is undefined
+        - manual_existing_domain.file_contents is undefined
+        - manual_existing_domain.emails is undefined
+
+  - name: Request revalidation of an approved domain
+    ecs_domain:
+      domain_name: '{{ existing_domain_common_name }}'
+      verification_method: web_server
+      entrust_api_user: '{{ entrust_api_user }}'
+      entrust_api_key: '{{ entrust_api_key }}'
+      entrust_api_client_cert_path: '{{ entrust_api_cert }}'
+      entrust_api_client_cert_key_path: '{{ entrust_api_cert_key }}'
+    register: file_existing_domain_revalidate
+
+  - assert:
+      that:
+        - file_existing_domain_revalidate is not failed
+        - file_existing_domain_revalidate.changed
+        - file_existing_domain_revalidate.domain_status == 'RE_VERIFICATION'
+        - file_existing_domain_revalidate.verification_method == 'web_server'
+        - file_existing_domain_revalidate.dns_location is undefined
+        - file_existing_domain_revalidate.dns_contents is undefined
+        - file_existing_domain_revalidate.dns_resource_type is undefined
+        - file_existing_domain_revalidate.file_location is string
+        - file_existing_domain_revalidate.file_contents is string
+        - file_existing_domain_revalidate.emails is undefined
+
+
+  always:
+    - name: clean-up temporary folder
+      file:
+        path: '{{ tmpdir_path }}'
+        state: absent
diff --git a/test/integration/targets/ecs_domain/vars/main.yml b/test/integration/targets/ecs_domain/vars/main.yml
@@ -0,0 +1,15 @@
+---
+# vars file for test_ecs_certificate
+
+# Path on various hosts that cacerts need to be put as a prerequisite to API server cert validation.
+# May need to be customized for some environments based on SSL implementations
+# that ansible "urls" module utility is using as a backing.
+cacerts_bundle_path: /etc/pki/tls/certs
+
+common_name: '{{ ansible_date_time.epoch }}.testcertificates.com'
+existing_domain_common_name: 'testcertificates.com'
+
+tmpdir_path: /tmp/ecs_cert_test/{{ ansible_date_time.epoch }}
+
+entrust_api_cert: '{{ tmpdir_path }}/authcert.cer'
+entrust_api_cert_key: '{{ tmpdir_path }}/authkey.cer'