From ddcc0a5f7312c3001506084fa4da7bf5465faee3 2020-07-26 22:35:29 From: Branko Majic Date: 2020-07-26 22:35:29 Subject: [PATCH] MAR-162: Make the default_https_tls_certificate and default_https_tls_key parameters mandatory: - Dropped the defaults from web_server role. - Updated group variables in role tests. - Changed the key/certificate file extensions to be more descriptive. - Updated role reference documentation. - Updated usage instructions to include the mandatory parameters. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index fcdf6782d348ededf8470b90b28c7ed57830c7a6..53d12ddbb994223d001732bc766ad424efdd148b 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1386,11 +1386,11 @@ Parameters clients will be served with ``Strict-Transport-Security`` header with value of ``max-age=31536000; includeSubDomains``. -**default_https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}``) +**default_https_tls_certificate** (string, mandatory) X.509 certificate used for TLS for HTTPS service. The file will be stored in directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_https.pem``. -**default_https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}``) +**default_https_tls_key** (string, mandatory) Private key used for TLS for HTTPS service. The file will be stored in directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_https.key``. diff --git a/docs/usage.rst b/docs/usage.rst index 0de5e5e7795f57e633faa711978272c7f25f559d..e7093068920a970ff4b3c4e5e8b93c54c4e27b2a 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -1221,16 +1221,20 @@ Nginx. - mail_forwarder - web_server -2. You know the drill, role configuration comes up next. Actually... The web - server role parameters are all optional, and they default to some ok-ish - values. But let us spicen up things a bit nevertheless. No configuration has - been deployed before for the web server, so we will be creating a new file. +2. You know the drill, role configuration comes up next. No + configuration has been deployed before for the web server, so we + will be creating a new file. Only the TLS parameters are really + necessary, but we'll spice things up a bit by setting custom title + and message for default virtual host. :file:`~/mysite/group_vars/web.yml` :: --- + default_https_tls_certificate: "{{ lookup('file', 'tls/www.example.com_https.pem') }}" + default_https_tls_key: "{{ lookup('file', 'tls/www.example.com_https.key') }}" + web_default_title: "Welcome to default page!" web_default_message: "Nothing to see here, move along..." diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml index 8cd3b33ec90c626e0db44667539659dd494c3330..ea44145714df27aa1d6d9933ea7336d3c8f4e243 100644 --- a/roles/web_server/defaults/main.yml +++ b/roles/web_server/defaults/main.yml @@ -1,8 +1,6 @@ --- default_enforce_https: true -default_https_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}" -default_https_tls_key: "{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}" web_default_title: "Welcome" web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL." web_server_tls_protocols: diff --git a/roles/web_server/molecule/default/group_vars/parameters-mandatory.yml b/roles/web_server/molecule/default/group_vars/parameters-mandatory.yml index d5bd3d2ddb92c5a44a1d46146c15a9531cbfaad5..04df24de1f46ec04335ff0bc2826abb4d9d64655 100644 
--- a/roles/web_server/molecule/default/group_vars/parameters-mandatory.yml +++ b/roles/web_server/molecule/default/group_vars/parameters-mandatory.yml @@ -1,9 +1,8 @@ --- +default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_https.cert.pem') }}" +default_https_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_https.key.pem') }}" + # common ca_certificates: testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}" - -# Common parameters (general, not role). -tls_certificate_dir: tests/data/x509/ -tls_private_key_dir: tests/data/x509/ diff --git a/roles/web_server/molecule/default/group_vars/parameters-optional.yml b/roles/web_server/molecule/default/group_vars/parameters-optional.yml index 031bc97af6f11b363b52870cc6d9a846e332004a..c0dbd631bdabb4c8a25f666595477c4c49414de2 100644 --- a/roles/web_server/molecule/default/group_vars/parameters-optional.yml +++ b/roles/web_server/molecule/default/group_vars/parameters-optional.yml @@ -1,8 +1,8 @@ --- default_enforce_https: false -default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.cert.pem') }}" -default_https_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_https.key.pem') }}" +default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_https.cert.pem') }}" +default_https_tls_key: "{{ lookup('file', 'tests/data/x509/{{ inventory_hostname }}_https.key.pem') }}" web_default_title: "Optional Welcome" web_default_message: "Welcome to parameters-optional, default virtual host." web_server_tls_protocols: 
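Review bot: The added `default_https_tls_certificate` and `default_https_tls_key` values in parameters-mandatory.yml nest a second `{{ inventory_hostname }}` inside the string literal handed to `lookup('file', ...)`; Jinja passes that literal to the lookup as-is, so the path only resolves if Ansible re-templates lookup terms, which appears to be relied on here and is an obscure behaviour that is easy to break and hard to read. The same pattern is introduced in the parameters-optional.yml hunk. Prefer plain concatenation, as the removed role default did: `default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/' + inventory_hostname + '_https.cert.pem') }}"` and likewise for the key. With the role defaults gone, a host that omits these values will presumably fail with an undefined-variable error at the first task that uses them rather than a clear message, so an `assert` task checking `default_https_tls_certificate is defined` and `default_https_tls_key is defined` would be worth adding to the role if it is not already there.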
diff --git a/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.cert.pem
similarity index 100%
rename from roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.pem
rename to roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.cert.pem
diff --git a/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.key b/roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.key.pem
similarity index 100%
rename from roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.key
rename to roles/web_server/molecule/default/tests/data/x509/parameters-mandatory-stretch64_https.key.pem
diff --git a/roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.cert.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-optional-stretch64_https.cert.pem
similarity index 100%
rename from roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.cert.pem
rename to roles/web_server/molecule/default/tests/data/x509/parameters-optional-stretch64_https.cert.pem
diff --git a/roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.key.pem b/roles/web_server/molecule/default/tests/data/x509/parameters-optional-stretch64_https.key.pem
similarity index 100%
rename from roles/web_server/molecule/default/tests/data/x509/parameters-optional_https.key.pem
rename to roles/web_server/molecule/default/tests/data/x509/parameters-optional-stretch64_https.key.pem
diff --git a/roles/web_server/molecule/default/tests/test_mandatory.py b/roles/web_server/molecule/default/tests/test_mandatory.py
index 6dd360378612801db81d5bf5edaf035d433b8c58..a94c9e8a6b248bb4fa40c58ce91e9ae334c2e058 100644
--- a/roles/web_server/molecule/default/tests/test_mandatory.py
+++ b/roles/web_server/molecule/default/tests/test_mandatory.py @@ -21,14 +21,14 @@ def test_nginx_tls_files(host): assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 - assert tls_file.content_string == open("tests/data/x509/%s_https.key" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_https.key.pem" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 - assert tls_file.content_string == open("tests/data/x509/%s_https.pem" % hostname, "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_https.cert.pem" % hostname, "r").read().rstrip() def test_certificate_validity_check_configuration(host): diff --git a/roles/web_server/molecule/default/tests/test_optional.py b/roles/web_server/molecule/default/tests/test_optional.py index 476c289bb464e64fce6044c063b61b7b9554f433..00cb4e637284e996178bb8a8f9bbc71560ed2cf3 100644 --- a/roles/web_server/molecule/default/tests/test_optional.py +++ b/roles/web_server/molecule/default/tests/test_optional.py 
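Review bot: The two rewritten fixture reads in test_mandatory.py still call `open(...).read()` without ever closing the handle, so each assertion leaks a file object (a ResourceWarning under pytest); the two updated lines in the test_optional.py hunk do the same. Use a context manager, e.g. `with open("tests/data/x509/%s_https.key.pem" % hostname) as expected:` followed by `assert tls_file.content_string == expected.read().rstrip()`, and the same shape for the `.cert.pem` comparison. test_nginx_tls_files starts before this hunk, so `hostname` is presumably bound there.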
@@ -21,14 +21,14 @@ def test_nginx_tls_files(host): assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o640 - assert tls_file.content_string == open("tests/data/x509/parameters-optional_https.key.pem", "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_https.key.pem" % hostname, "r").read().rstrip() tls_file = host.file('/etc/ssl/certs/%s_https.pem' % hostname) assert tls_file.is_file assert tls_file.user == 'root' assert tls_file.group == 'root' assert tls_file.mode == 0o644 - assert tls_file.content_string == open("tests/data/x509/parameters-optional_https.cert.pem", "r").read().rstrip() + assert tls_file.content_string == open("tests/data/x509/%s_https.cert.pem" % hostname, "r").read().rstrip() def test_certificate_validity_check_configuration(host):