From 15238064af08001bd42209db579b5dcf32ee307e Mon Sep 17 00:00:00 2001 From: Jordan Borean Date: Wed, 30 Oct 2024 06:34:03 +1000 Subject: [PATCH] Update CI setup Updates CI to test out sanity on both 2.18 and 2.19 now that devel has been bumped to a new version. Include the new sanity ignore file for 2.19 and fix up the cert generation for the LDAPS CA certificate.
---
 .azure-pipelines/azure-pipelines.yml | 15 +++ .../setup_certificate/files/generate_cert.sh | 116 +++++++++--------- tests/sanity/ignore-2.19.txt | 0 3 files changed, 76 insertions(+), 55 deletions(-) create mode 100644 tests/sanity/ignore-2.19.txt
diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml
index b04fc81..555476a 100644
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@@ -78,6 +78,20 @@ stages: test: units - name: Lint test: lint + - stage: Ansible_2_18 displayName: Ansible 2.18 dependsOn: - Dependencies jobs: - template: templates/matrix.yml parameters: nameFormat: "{0}" testFormat: "2.18/{0}" targets: - name: Sanity test: sanity - name: Units test: units - stage: Ansible_2_17 displayName: Ansible 2.17 dependsOn:
@@ -146,6 +160,7 @@ stages: condition: succeededOrFailed() dependsOn: - Ansible_devel + - Ansible_2_18 - Ansible_2_17 - Ansible_2_16 - Ansible_2_15
diff --git a/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh b/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh
index 3657573..8a0f5c1 100644
--- a/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh
+++ b/tests/integration/targets/inventory_ldap/roles/setup_certificate/files/generate_cert.sh
@@ -5,65 +5,18 @@ set -o pipefail -eux
 TARGET="${1}"
 PASSWORD="${2}"
-generate () {
- NAME="${1}"
- SUBJECT="${2}"
- KEY="${3}"
- CA_NAME="${4}"
- CA_OPTIONS=("-CA" "${CA_NAME}.pem" "-CAkey" "${CA_NAME}.key" "-CAcreateserial")
-
- cat > openssl.conf << EOL
+echo "Generating CA certificate"
+cat > openssl.conf << EOL
 distinguished_name = req_distinguished_name
 [req_distinguished_name]
-
-[req]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName = DNS:${SUBJECT}
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, keyCertSign
 EOL
- echo "Generating ${NAME} signed cert"
- openssl req \
- -new \
- "-${KEY}" \
- -subj "/CN=${SUBJECT}" \
- -newkey rsa:2048 \
- -keyout "${NAME}.key" \
- -out "${NAME}.csr" \
- -config openssl.conf \
- -reqexts req \
- -passin pass:"${PASSWORD}" \
- -passout pass:"${PASSWORD}"
-
- openssl x509 \
- -req \
- -in "${NAME}.csr" \
- "-${KEY}" \
- -out "${NAME}.pem" \
- -days 365 \
- -extfile openssl.conf \
- -extensions req \
- -passin pass:"${PASSWORD}" \
- "${CA_OPTIONS[@]}"
-
- # PBE-SHA1-3DES/nomac is used for compatibility with Server 2016 and older
- openssl pkcs12 \
- -export \
- -out "${NAME}.pfx" \
- -inkey "${NAME}.key" \
- -in "${NAME}.pem" \
- -keypbe PBE-SHA1-3DES \
- -certpbe PBE-SHA1-3DES \
- -nomac \
- -passin pass:"${PASSWORD}" \
- -passout pass:"${PASSWORD}"
-
- rm openssl.conf
-}
-
-echo "Generating CA certificate"
 openssl genrsa \
 -aes256 \
 -out ca.key \
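Review bot: The CA profile written by the new `cat > openssl.conf << EOL` contains no shell expansions, so the delimiter should be quoted, `cat > openssl.conf << 'EOL'`, to make that intent explicit and stop a future `$` or backtick in the config from being expanded silently; the leaf profile in the next hunk does rely on `${TARGET}` and must stay unquoted. Separately, the script runs under `set -o pipefail -eux` (hunk header), so any openssl failure between writing openssl.conf and the `rm` calls at the end of the next hunk leaves openssl.conf, ca.srl and ldaps.csr behind in the working directory; a single `trap 'rm -f openssl.conf ca.srl ldaps.csr' EXIT` after `PASSWORD="${2}"` would cover every exit path and let the three trailing `rm` lines go. The `openssl genrsa` call at the end of this hunk continues past it.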
@@ -74,9 +27,62 @@ openssl req \
 -x509 \
 -days 365 \
 -key ca.key \
+ -config openssl.conf \
+ -extensions v3_ca \
 -out ca.pem \
 -subj "/CN=microsoft.ad root" \
 -passin pass:"${PASSWORD}"
 echo "Generating ${TARGET} LDAPS certificate"
-generate ldaps "${TARGET}" sha256 ca
+cat > openssl.conf << EOL
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+subjectAltName = DNS:${TARGET}
+EOL
+
+openssl req \
+ -new \
+ -sha256 \
+ -subj "/CN=${TARGET}" \
+ -newkey rsa:2048 \
+ -keyout "ldaps.key" \
+ -out "ldaps.csr" \
+ -passin pass:"${PASSWORD}" \
+ -passout pass:"${PASSWORD}"
+
+openssl x509 \
+ -req \
+ -in "ldaps.csr" \
+ -sha256 \
+ -out "ldaps.pem" \
+ -days 365 \
+ -extfile openssl.conf \
+ -extensions req \
+ -passin pass:"${PASSWORD}" \
+ -CA "ca.pem" \
+ -CAkey "ca.key" \
+ -CAcreateserial
+
+# PBE-SHA1-3DES/nomac is used for compatibility with Server 2016 and older
+openssl pkcs12 \
+ -export \
+ -out "ldaps.pfx" \
+ -inkey "ldaps.key" \
+ -in "ldaps.pem" \
+ -keypbe PBE-SHA1-3DES \
+ -certpbe PBE-SHA1-3DES \
+ -nomac \
+ -passin pass:"${PASSWORD}" \
+ -passout pass:"${PASSWORD}"
+
+rm ca.srl
+rm ldaps.csr
+rm openssl.conf
diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt
new file mode 100644
index 0000000..e69de29
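Review bot: The new `openssl req`, `openssl x509` and `openssl pkcs12` calls all pass the key passphrase as `pass:"${PASSWORD}"` on the command line, and because the script runs with `set -o pipefail -eux` (header of the previous hunk) each of those lines is echoed with the password expanded into the trace, which in CI ends up in the job log; the argv is also readable by other processes on the host while openssl runs. Since the value is already in the `PASSWORD` variable, `export PASSWORD` after `PASSWORD="${2}"` plus `-passin env:PASSWORD` / `-passout env:PASSWORD` on each call keeps the secret out of both the trace and the process list with no other change. For a throwaway test-fixture password the exposure is limited, but the old `generate` function had the same shape and this rewrite is the natural place to fix it. The `[req]` profile gaining `subjectKeyIdentifier`/`authorityKeyIdentifier` is fine here because the signing call supplies `-CA`/`-CAkey`, which those extensions need.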