From ca784c26d35c9496661e0cd2fabd5e3527c86624 2020-08-26 16:55:16
From: Branko Majic
Date: 2020-08-26 16:55:16
Subject: [PATCH] MAR-150: Use Gimmecert for X.509 test fixtures in the common role:
- Drop the statically-generated X.509 certificates used for testing.
- Introduce fixture playbook in preparation phase that sets-up the necessary certificates.
- Update the tests to use the fixture.
- Dynamically calculate the OpenSSL hash for CA certificate instead of having the hard-coded value.
- Add the fixture artefacts to .gitignore files.
---
diff --git a/.gitignore b/.gitignore
index 821c8dccb9b9e5610ea8ed23f2e7f6344d03ecac..629dbff8752e4f5323c89f2fd1bfbb0837607425 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,10 @@ testsite/backup_keyring/
 .cache
 .yamllint
+# Ignore test fixtures.
+**/tests/data/.gimmecert
+**/tests/data/x509
+
 # Ignore test report artefacts
 test_report*
diff --git a/roles/common/molecule/default/fixtures.yml b/roles/common/molecule/default/fixtures.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c436e4d7a019cfa5481b344fc900bb0046f60e5f
--- /dev/null
+++ b/roles/common/molecule/default/fixtures.yml
@@ -0,0 +1,24 @@
+---
+
+- hosts: localhost
+ connection: local
+ gather_facts: false
+
+ tasks:
+
+ - name: Remove existing X.509 material
+ file:
+ path: "tests/data/.gimmecert"
+ state: absent
+
+ - name: Initialise the CA hierarchy
+ command: "gimmecert init --ca-hierarchy-depth 2"
+ args:
+ creates: "tests/data/.gimmecert"
+ chdir: "tests/data/"
+
+ - name: Link to the generated X.509 material
+ file:
+ src: ".gimmecert"
+ dest: "tests/data/x509"
+ state: link
diff --git a/roles/common/molecule/default/group_vars/parameters-optional.yml b/roles/common/molecule/default/group_vars/parameters-optional.yml
index 0dcfd196da82e0f423d63c46189619672c1522ee..8e280225ce24bf6b37ad400bed9df7ccba33250c 100644
--- a/roles/common/molecule/default/group_vars/parameters-optional.yml
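Review bot: In `roles/common/molecule/default/fixtures.yml`, the `creates: "tests/data/.gimmecert"` guard on the `gimmecert init` task can never skip the command, because the preceding task deletes that directory on every run; in addition, as far as I recall, the command module changes into `chdir` before it evaluates `creates`, so the relative path would resolve under `tests/data/tests/data/`. Either drop the guard or write it as `creates: ".gimmecert"`, and add a comment such as `# CA material (including private keys) is regenerated on every prepare run and must stay untracked` so the intent is explicit. The relative paths also assume the play is started from the scenario directory, and nothing in the visible hunk checks that `gimmecert` is available on the controller.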
+++ b/roles/common/molecule/default/group_vars/parameters-optional.yml
@@ -34,8 +34,8 @@ common_packages:
 - libmariadbclient-dev-compat
 - emacs24-nox
 ca_certificates:
- cacert1: "{{ lookup('file', 'tests/data/x509/ca1.cert.pem') }}"
- cacert2: "{{ lookup('file', 'tests/data/x509/ca2.cert.pem') }}"
+ cacert1: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
+ cacert2: "{{ lookup('file', 'tests/data/x509/ca/level2.cert.pem') }}"
 extra_backup_patterns:
 - /home/user1
 - /home/user2
diff --git a/roles/common/molecule/default/prepare.yml b/roles/common/molecule/default/prepare.yml
index 939d81f1082f9aca527cdb9459530d0b734b35af..855490b8f4750252796bf83f09194aed6d3d111d 100644
--- a/roles/common/molecule/default/prepare.yml
+++ b/roles/common/molecule/default/prepare.yml
@@ -1,5 +1,8 @@
 ---
+- name: Fixtures
+ import_playbook: fixtures.yml
+
 - name: Prepare
 hosts: all
 gather_facts: false
diff --git a/roles/common/molecule/default/tests/data/x509/ca1.cert.pem b/roles/common/molecule/default/tests/data/x509/ca1.cert.pem
deleted file mode 100644
index 1975e8e181dd6a217288b8d1ef1f2dae0272586e..0000000000000000000000000000000000000000
--- a/roles/common/molecule/default/tests/data/x509/ca1.cert.pem
+++ /dev/null
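Review bot: In the `parameters-optional.yml` hunk, `cacert1` and `cacert2` now come from `ca/level1.cert.pem` and `ca/level2.cert.pem` of a single `--ca-hierarchy-depth 2` hierarchy, so the second certificate is presumably a subordinate CA issued by the first rather than an independent root, which the removed `ca2.cert.pem` appears to have been. If the role is meant to be exercised with two unrelated trust anchors, the fixture needs a second, separately initialised hierarchy. Otherwise a comment above `ca_certificates:` such as `# level1 is the root CA, level2 its subordinate CA; both are generated by fixtures.yml` would document the changed test data.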
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEWTCCAsGgAwIBAgIMWTb5/yNQtPhvP22zMA0GCSqGSIb3DQEBCwUAMEgxIjAg -BgNVBAMTGUV4YW1wbGUgSW5jLiBUZXN0IFNpdGUgQ0ExFTATBgNVBAoTDEV4YW1w -bGUgSW5jLjELMAkGA1UEBhMCU0UwHhcNMTcwNjA2MTg1MjQ3WhcNMzcwNjAxMTg1 -MjQ3WjBIMSIwIAYDVQQDExlFeGFtcGxlIEluYy4gVGVzdCBTaXRlIENBMRUwEwYD -VQQKEwxFeGFtcGxlIEluYy4xCzAJBgNVBAYTAlNFMIIBojANBgkqhkiG9w0BAQEF -AAOCAY8AMIIBigKCAYEA5so5Q8YjBLgUzty+FJTamg61UcRep+KznoYMFMG3bEKE -96lx3S9VEmYuFiJohtUemgfgckcyv46gkRhb1vOFNRRjYcOjnUgGIWzlkjnbrkZX -ziZHfCmGSHAJk3njddbbldNNGvmLe4dXE55N94A8au/gnRDN+1GuSeUHqIUj6PI/ -dW/geA7g1WJw3PhnMoR+132iE4Wz7wKQFkusLxPdsJuVguhTIUXLoq/aNu/lhRsi -jbOpilLJEb0c9JrwPdc3jLD6223IEtdsrxzR89kK3+xm9ebHG27YsOnGWpoocr1L -ZjkEr4cjI2T9xx4kL/EWZiP0C2FzUYRi/Xqxz39FLCZuGeKZgoTgbAAosBq91Bk8 -2+AN4mhko8O3/NF8+2U521mFqD0EUgLUKMgS70YBSoMRzc2kY8so5iT6AN3b2CHK -D75GSgK+8wzqgEFV2Mr5kQYUNDB7BRYfNr1usHch4dQJGXp0iBoMhOsjrGFI+ua2 -9pSn0jAEidKXKtlvq2RVAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P -AQH/BAUDAwcGADAdBgNVHQ4EFgQUV22OwmLmAYwZw4ES5Gk0+Pzvx+0wDQYJKoZI -hvcNAQELBQADggGBAMqIKQORWYppRlgEWtcitOvO3pIRexVPYnrSBq1JOCIZ/1th -D5h9BifvgmZjz4XPBmnxFX9GmgoRt61YOgrgVnuZ44+dPu0d1rvUcmbSp2/UVUlA -3+Zgz7lgpZMsxxCPkS92Ayw1+GL3JUlOUwAbsTkAJsoodwH3COFOuDJMUqVa7uV/ -N4uLCg+xYgQnh4C+K5Jit5U4ilzsqtMQlCtkz54C6VYHGirYRf2NUahoA3+cGBbk -K7jNY4vdNAe5l4KLvKjYeryGTvnTxJNj+y/T8RGTX29eeqO5dQmBk+mS4co9EM5Y -REvvFLXcNkVq2W5nzZopRfFRYoaI6SMvfW6Aj5zpoGz160QTauAfnd7STsN2zJNS -SRf14ItOpddf8uo6lwK8GZat8whxTMdxCqC/+gW1kTFxXMxsbA90lP37mANggoQ8 -NpKuV+B162FIXXLEddIKam/AhuoKqrC464UhdlMU2mSnmp4PY3CQAupKu/JTI+N5 -jz0BR7X3uoBaM8sSIw== ------END CERTIFICATE----- diff --git a/roles/common/molecule/default/tests/data/x509/ca2.cert.pem b/roles/common/molecule/default/tests/data/x509/ca2.cert.pem deleted file mode 100644 index 84da2b9b762d01105cb39da60bd810e6c0c40c25..0000000000000000000000000000000000000000 --- a/roles/common/molecule/default/tests/data/x509/ca2.cert.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEXTCCAsWgAwIBAgIMWTgiKTKw6gp9YCrdMA0GCSqGSIb3DQEBCwUAMEoxJDAi -BgNVBAMTG0V4YW1wbGUgSW5jLiBUZXN0IFNpdGUgQ0EgMjEVMBMGA1UEChMMRXhh -bXBsZSBJbmMuMQswCQYDVQQGEwJTRTAeFw0xNzA2MDcxNTU2MjVaFw0zNzA2MDIx -NTU2MjVaMEoxJDAiBgNVBAMTG0V4YW1wbGUgSW5jLiBUZXN0IFNpdGUgQ0EgMjEV -MBMGA1UEChMMRXhhbXBsZSBJbmMuMQswCQYDVQQGEwJTRTCCAaIwDQYJKoZIhvcN -AQEBBQADggGPADCCAYoCggGBALVpc5fo3CYvctSV712XGeuFH6kStmf7SI6snae9 -Ej4hEaaH6U6EeH5Ty0dD/eATHnoXFYXhz+7Dxc+NtHrldUXCpsHldTr/W4heVt6y -huZmvGDNOeUi/c7xmlGEw9MeOCPQPmmcoUmNGeWQQZig1vuOPtKJlt3CmlBh9Qp1 -fszlpQBG3ioI9HJvcs78POwjftIQ+XfMSc/28iSGJARRa8S9IF6Vm4aZkyeIxRbB -qoxhzIw+dMb8Lx6+Ss6v1bWfvwvz5sy9W2dTBRkBzbGJiHshvhLKG6kqWlJsGYRo -nce9L9BOlLdKTbcgBwA5DqNVECZWx+dxcB/rBCHsIFIbP9k3k8rUVqlVUW2UAVAU -QD7eD1d1zTK1D93UpbZypAiybVHHIs8IEWywTyRbufEhEY4xf1rnEmXiUUz0Lb/D -c3FSxzucZP9Lu9SuRu9l5Jmt3tnf2noNjExIESsI9LortNhec4h6X0Nco/GEBgPt -COoJEocXqYICDK7G5PDzIr6oOQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8G -A1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFDpPnttrAYLx7QIF8NCZwZxO009AMA0G -CSqGSIb3DQEBCwUAA4IBgQBmWxhUA30ZBZab8x0oglu7GYfyL4wNF79UYGjLUX1C -uEakVqbF7dt1wVDMEu8iA7qyO/LP4J53CUca3l7fxXzM420nS03qN0Ql5hPqI9QH -dJJQiinKaOEHgIFwUFWbQ9AVW5m+yrBUK8VioYyx7djDl26Rc1khjx20Xjj+VScY -bIonfSs2wH3XTy56LCng/tA8tWQ78e9qKsc01p1GjicUuJeIVI5wKjnptferiRes -F2cQ8q0e554WCp1PAZ/sAtjY1J9gWFmg4MA+/eTT/I88KPuniRt0o5yobcdiy+jX -XyrtY5gTbGrY83IFE1rxYSbsvFUfAcfm4Pm4pa3GHrr8r9eW2CT5/ZErZdMTPtxt -B1QyExx9FK4+cPC1zMy+gTNdqenA12rOK62BtZ38jXiOmf2883kEqibh8bEROhYe -xEcN1c0810Gf/05PmkR8jF5XKCH7H8akVSJ5obExCWilJjQObkYBI8egQRPFyy2g -jgypn2kiGJBkYnU4qTS4aQM= ------END CERTIFICATE----- diff --git a/roles/common/molecule/default/tests/test_parameters_optional.py b/roles/common/molecule/default/tests/test_parameters_optional.py index 5eb4fe0073f499fb71a717e631ec2c38612cf03f..968ea44cb6a67713cb512575d08bc038a86f8612 100644 --- a/roles/common/molecule/default/tests/test_parameters_optional.py +++ b/roles/common/molecule/default/tests/test_parameters_optional.py 
@@ -182,11 +182,14 @@ def test_ca_certificates(host):
 assert ca1_cert_symlink.is_symlink
 assert ca1_cert_symlink.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
- ca1_cert_hash_1 = host.file('/etc/ssl/certs/3ce70b58.0')
+ ca1_cert_hash = host.run('openssl x509 -hash -noout -in %s', '/usr/local/share/ca-certificates/cacert1.crt').stdout.strip()
+ ca1_cert_hash_file = '/etc/ssl/certs/%s.0' % ca1_cert_hash
+
+ ca1_cert_hash_1 = host.file(ca1_cert_hash_file)
 assert ca1_cert_hash_1.is_symlink
 assert ca1_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
- ca1_cert_hash_1 = host.file('/etc/ssl/certs/49f72a44.0')
+ ca1_cert_hash_1 = host.file(ca1_cert_hash_file)
 assert ca1_cert_hash_1.is_symlink
 assert ca1_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert1.crt'
@@ -200,11 +203,14 @@ def test_ca_certificates(host):
 assert ca2_cert_symlink.is_symlink
 assert ca2_cert_symlink.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
- ca2_cert_hash_1 = host.file('/etc/ssl/certs/a52eec00.0')
+ ca2_cert_hash = host.run('openssl x509 -hash -noout -in %s', '/usr/local/share/ca-certificates/cacert2.crt').stdout.strip()
+ ca2_cert_hash_file = '/etc/ssl/certs/%s.0' % ca2_cert_hash
+
+ ca2_cert_hash_1 = host.file(ca2_cert_hash_file)
 assert ca2_cert_hash_1.is_symlink
 assert ca2_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
- ca2_cert_hash_1 = host.file('/etc/ssl/certs/a0d2e9e4.0')
+ ca2_cert_hash_1 = host.file(ca2_cert_hash_file)
 assert ca2_cert_hash_1.is_symlink
 assert ca2_cert_hash_1.linked_to == '/usr/local/share/ca-certificates/cacert2.crt'
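Review bot: The second lookup in each pair, `ca1_cert_hash_1 = host.file(ca1_cert_hash_file)`, now reads the same path as the first, so the second `is_symlink`/`linked_to` assertions repeat the first and no longer cover a second link name; the same applies to the `ca2` hunk at `@@ -200,11 +203,14 @@`. The two removed hard-coded names per certificate were presumably the current and the legacy subject-hash links, in which case the second lookup should be derived separately, e.g. `ca1_cert_hash_old_file = '/etc/ssl/certs/%s.0' % host.check_output('openssl x509 -subject_hash_old -noout -in %s', '/usr/local/share/ca-certificates/cacert1.crt')`. Using `host.check_output(...)` instead of `host.run(...).stdout.strip()` for the first hash as well would fail the test on a non-zero exit from `openssl` instead of silently probing `/etc/ssl/certs/.0`. `test_ca_certificates` starts and ends outside both hunks.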