rework test struture and finish fleshing it out

ansible-collections · Jul 20, 2020 · e5bdc28 · e5bdc28
1 parent 9ff52e6
commit e5bdc28
Show file tree

Hide file tree

Showing 9 changed files with 629 additions and 121 deletions.
diff --git a/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/files/amazonroot.pem b/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/files/amazonroot.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+rqXRfboQnoZsG4q5WTP468SQvvG5
+-----END CERTIFICATE-----
diff --git a/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/files/isrg-x1.pem b/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/files/isrg-x1.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
diff --git a/.../integration/targets/ansible_aws_module/roles/ansible_aws_module/library/boto3_example.py b/.../integration/targets/ansible_aws_module/roles/ansible_aws_module/library/boto3_example.py
@@ -32,7 +32,7 @@ def main():
     try:
         images = client.describe_images(ImageIds=[], Filters=filters, Owners=['amazon'], ExecutableUsers=[])
     except (BotoCoreError, ClientError) as e:
-        module.fail_json_aws(e, msg='Failed to retrieve list of amis')
+        module.fail_json_aws(e, msg='Fail JSON AWS')
 
     # Return something, just because we can.
     module.exit_json(

diff --git a/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/ca_bundle.yml b/tests/integration/targets/ansible_aws_module/roles/ansible_aws_module/tasks/ca_bundle.yml
@@ -0,0 +1,158 @@
+---
+- name: 'Create temporary location for CA files'
+  tempfile:
+    state: directory
+    suffix: 'test-CAs'
+  register: ca_tmp
+
+- name: 'Ensure we have Amazons root CA available to us'
+  copy:
+    src: 'amazonroot.pem'
+    dest: '{{ ca_tmp.path }}/amazonroot.pem'
+
+- name: 'Ensure we have a another CA (ISRG-X1) bundle available to us'
+  copy:
+    src: 'isrg-x1.pem'
+    dest: '{{ ca_tmp.path }}/isrg-x1.pem'
+
+##################################################################################
+# Test disabling cert validation (make sure we don't error)
+
+- name: 'Test basic operation using default CA bundle (no validation) - parameter'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    validate_certs: False
+  register: default_bundle_result
+
+- assert:
+    that:
+    - default_bundle_result is successful
+
+##################################################################################
+# Tests using Amazon's CA (the one the endpoint certs should be signed with)
+
+- name: 'Test basic operation using Amazons root CA - parameter'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    aws_ca_bundle: '{{ ca_tmp.path }}/amazonroot.pem'
+  register: amazon_ca_result
+
+- assert:
+    that:
+    - amazon_ca_result is successful
+
+- name: 'Test basic operation using Amazons root CA - environment'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+  environment:
+    AWS_CA_BUNDLE: '{{ ca_tmp.path }}/amazonroot.pem'
+  register: amazon_ca_result
+
+- assert:
+    that:
+    - amazon_ca_result is successful
+
+- name: 'Test basic operation using Amazons root CA (no validation) - parameter'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    aws_ca_bundle: '{{ ca_tmp.path }}/amazonroot.pem'
+    validate_certs: False
+  register: amazon_ca_result
+
+- assert:
+    that:
+    - amazon_ca_result is successful
+
+- name: 'Test basic operation using Amazons root CA (no validation) - environment'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    validate_certs: False
+  environment:
+    AWS_CA_BUNDLE: '{{ ca_tmp.path }}/amazonroot.pem'
+  register: amazon_ca_result
+
+- assert:
+    that:
+    - amazon_ca_result is successful
+
+##################################################################################
+# Tests using ISRG's CA (one that the endpoint certs *aren't* signed with)
+
+- name: 'Test basic operation using a different CA - parameter'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    aws_ca_bundle: '{{ ca_tmp.path }}/isrg-x1.pem'
+  register: isrg_ca_result
+  ignore_errors: yes
+
+- assert:
+    that:
+    - isrg_ca_result is failed
+    # Caught when we try to do something, and passed to fail_json_aws
+    - '"CERTIFICATE_VERIFY_FAILED" in isrg_ca_result.msg'
+    - '"Fail JSON AWS" in isrg_ca_result.msg'
+
+- name: 'Test basic operation using a different CA - environment'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+  environment:
+    AWS_CA_BUNDLE: '{{ ca_tmp.path }}/isrg-x1.pem'
+  register: isrg_ca_result
+  ignore_errors: yes
+
+- assert:
+    that:
+    - isrg_ca_result is failed
+    # Caught when we try to do something, and passed to fail_json_aws
+    - '"CERTIFICATE_VERIFY_FAILED" in isrg_ca_result.msg'
+    - '"Fail JSON AWS" in isrg_ca_result.msg'
+
+- name: 'Test basic operation using a different CA (no validation) - parameter'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    aws_ca_bundle: '{{ ca_tmp.path }}/isrg-x1.pem'
+    validate_certs: False
+  register: isrg_ca_result
+
+- assert:
+    that:
+    - isrg_ca_result is successful
+
+- name: 'Test basic operation using a different CA (no validation) - environment'
+  boto3_example:
+    region: '{{ aws_region }}'
+    access_key: '{{ aws_access_key }}'
+    secret_key: '{{ aws_secret_key }}'
+    security_token: '{{ security_token }}'
+    validate_certs: False
+  environment:
+    AWS_CA_BUNDLE: '{{ ca_tmp.path }}/isrg-x1.pem'
+  register: isrg_ca_result
+
+- assert:
+    that:
+    - isrg_ca_result is successful