summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSviatoslav Sydorenko <webknjaz@redhat.com>2023-12-06 23:18:30 +0100
committerGitHub <noreply@github.com>2023-12-06 16:18:30 -0600
commitcf15cd7d44cb349659cd089c10e26de712632e38 (patch)
tree339b9881243dc05e6465acdbc6f46a2d08acef17
parent865be9a4b798256e354e5e2279a87aabf8f279e4 (diff)
downloadansible-cf15cd7d44cb349659cd089c10e26de712632e38.zip
[backport][stable-2.14] 🧪 Replace GitHub SVN integration test with local TLS (#82370)
* [backport][stable-2.14] 🧪 Replace GitHub SVN integration test with local TLS PR #82334 * Run svn integration test locally with TLS This patch uses a `trustme` to make an ephemeral CA, and server, and client TLS artifacts for testing. These are integrated into the Apache web server via it's `mod_ssl`. Resolves #82207 * Replace GitHub SVN HTTPS URL w/ localhost over TLS This change gets rid of the need to use GitHub, which is just about to drop support for SVN [[1]]. Moreover, it eliminates the need to use external network for any SVN commands in the test. [1]: https://github.blog/2023-01-20-sunsetting-subversion-support/ (cherry picked from commit dd0138ba2127eac0e809d68e00ae117df56db77e) * Implement compat w/ opensuse15, centos7 & rhel7/8
-rw-r--r--test/integration/targets/subversion/roles/subversion/defaults/main.yml5
-rw-r--r--test/integration/targets/subversion/roles/subversion/tasks/setup.yml65
-rw-r--r--test/integration/targets/subversion/roles/subversion/tasks/tests.yml32
-rw-r--r--test/integration/targets/subversion/roles/subversion/templates/subversion.conf.j211
-rw-r--r--test/integration/targets/subversion/vars/Alpine.yml1
-rw-r--r--test/integration/targets/subversion/vars/RedHat.yml1
-rw-r--r--test/integration/targets/subversion/vars/Ubuntu-20.yml2
7 files changed, 103 insertions, 14 deletions
diff --git a/test/integration/targets/subversion/roles/subversion/defaults/main.yml b/test/integration/targets/subversion/roles/subversion/defaults/main.yml
index e647d598b6..02ecd1ea4d 100644
--- a/test/integration/targets/subversion/roles/subversion/defaults/main.yml
+++ b/test/integration/targets/subversion/roles/subversion/defaults/main.yml
@@ -3,8 +3,7 @@ apache_port: 11386 # cannot use 80 as httptester overrides this
subversion_test_dir: /tmp/ansible-svn-test-dir
subversion_server_dir: /tmp/ansible-svn # cannot use a path in the home dir without userdir or granting exec permission to the apache user
subversion_repo_name: ansible-test-repo
-subversion_repo_url: http://127.0.0.1:{{ apache_port }}/svn/{{ subversion_repo_name }}
-subversion_repo_auth_url: http://127.0.0.1:{{ apache_port }}/svnauth/{{ subversion_repo_name }}
+subversion_repo_url: https://localhost:{{ apache_port }}/svn/{{ subversion_repo_name }} # svn can't verify TLS certificates against IP addresses
+subversion_repo_auth_url: https://localhost:{{ apache_port }}/svnauth/{{ subversion_repo_name }}
subversion_username: subsvn_user'''
subversion_password: Password123!
-subversion_external_repo_url: https://github.com/ansible/ansible.github.com # GitHub serves SVN
diff --git a/test/integration/targets/subversion/roles/subversion/tasks/setup.yml b/test/integration/targets/subversion/roles/subversion/tasks/setup.yml
index 61ddeef79b..880c295cf2 100644
--- a/test/integration/targets/subversion/roles/subversion/tasks/setup.yml
+++ b/test/integration/targets/subversion/roles/subversion/tasks/setup.yml
@@ -33,6 +33,60 @@
include_tasks: setup_selinux.yml
when: ansible_selinux.status == "enabled"
+- name: Generate CA and TLS certificates via trustme
+ vars:
+ venv_path: >-
+ {{ subversion_server_dir }}/.venv
+ venv_python: >-
+ {{ subversion_server_dir }}/.venv/bin/python
+ block:
+ - name: trustme -- provision a venv
+ command: >-
+ {{ ansible_python_interpreter }}
+ -{% if ansible_python.version.major != 2 %}I{% endif %}m
+ {% if ansible_python.version.major != 2 %}venv{%
+ else %}virtualenv{% endif %}
+
+ {{ venv_path }}
+ - name: trustme -- upgrade pip in venv | RHEL 7.9 & 8.8+py36
+ when: >- # these don't know how to notice `cryptography` wheels
+ ansible_distribution == 'RedHat'
+ and ansible_distribution_major_version | int < 9
+ pip:
+ name: pip
+ state: latest
+ virtualenv: >-
+ {{ venv_path }}
+ - name: trustme -- install tool
+ pip:
+ name: trustme
+ virtualenv: >-
+ {{ venv_path }}
+ - name: trustme -- generate CA and TLS certs
+ command:
+ argv:
+ - >-
+ {{ venv_python }}
+ - -{%- if ansible_python.version.major != 2 -%}I{%- endif -%}m
+ - trustme
+ - --dir={{ subversion_server_dir }}
+
+- name: symlink trustme certificates into apache config dir - Red Hat
+ when: ansible_os_family in ['RedHat']
+ # when: ansible_distribution in ['Fedora', 'RedHat']
+ file:
+ src: /tmp/ansible-svn/server.{{ item.trustme_filetype }}
+ dest: /etc/pki/tls/{{ item.apache_target_path }}
+ state: link
+ force: yes # Othewise Apache on CentOS 7 uses its own fake certificate
+ loop:
+ - apache_target_path: certs/localhost.crt
+ trustme_filetype: pem
+ - apache_target_path: certs/server-chain.crt
+ trustme_filetype: pem
+ - apache_target_path: private/localhost.key
+ trustme_filetype: key
+
- name: template out configuration file
template:
src: subversion.conf.j2
@@ -66,3 +120,14 @@
async: 3600 # We kill apache manually in the clean up phase
poll: 0
when: ansible_os_family in ['RedHat']
+
+- lineinfile:
+ dest: >-
+ {{ ansible_env.HOME }}/.subversion/servers
+ regexp: >-
+ ^#\s*ssl-authority-files\s*=\s*
+ line: >-
+ ssl-authority-files = {{ subversion_server_dir }}/client.pem
+ insertafter: >-
+ ^\[global\]
+ state: present
diff --git a/test/integration/targets/subversion/roles/subversion/tasks/tests.yml b/test/integration/targets/subversion/roles/subversion/tasks/tests.yml
index b8f85d95c7..70737a19fc 100644
--- a/test/integration/targets/subversion/roles/subversion/tasks/tests.yml
+++ b/test/integration/targets/subversion/roles/subversion/tasks/tests.yml
@@ -18,10 +18,11 @@
# checks out every branch so using a small repo
-- name: initial checkout
+- name: initial checkout with validate_certs=true
subversion:
repo: '{{ subversion_repo_url }}'
dest: '{{ subversion_test_dir }}/svn'
+ validate_certs: yes
register: subverted
- name: check if dir was checked out
@@ -130,16 +131,27 @@
- "export_branches.stat.isdir"
- "subverted4.changed"
-- name: clone a small external repo with validate_certs=true
+- name: unconfigure client-side TLS trust
+ block:
+ - name: remove TLS CA chain file path from the SVN config
+ lineinfile:
+ dest: >-
+ {{ ansible_env.HOME }}/.subversion/servers
+ regexp: >-
+ ^(?:#)?\s*ssl-authority-files\s*=\s*
+ state: absent
+ - name: drop the client TLS CA chain file
+ file:
+ path: >-
+ {{ subversion_server_dir }}/client.pem
+ state: absent
+
+- name: >-
+ clone a HTTPS-accessible repo with validate_certs=false
+ and untrusted CA over TLS
subversion:
- repo: "{{ subversion_external_repo_url }}"
- dest: "{{ subversion_test_dir }}/svn-external1"
- validate_certs: yes
-
-- name: clone a small external repo with validate_certs=false
- subversion:
- repo: "{{ subversion_external_repo_url }}"
- dest: "{{ subversion_test_dir }}/svn-external2"
+ repo: '{{ subversion_repo_url }}'
+ dest: '{{ subversion_test_dir }}/svn-untrusted-tls'
validate_certs: no
# TBA: test for additional options or URL variants welcome
diff --git a/test/integration/targets/subversion/roles/subversion/templates/subversion.conf.j2 b/test/integration/targets/subversion/roles/subversion/templates/subversion.conf.j2
index 86f4070741..133c70c635 100644
--- a/test/integration/targets/subversion/roles/subversion/templates/subversion.conf.j2
+++ b/test/integration/targets/subversion/roles/subversion/templates/subversion.conf.j2
@@ -19,6 +19,7 @@ LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
+Include mods-available/ssl.load
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
IncludeOptional conf-enabled/*.conf
@@ -32,6 +33,7 @@ IncludeOptional sites-enabled/*conf
{% elif ansible_os_family == "FreeBSD" %}
Include /usr/local/etc/apache24/httpd.conf
+LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule dav_svn_module libexec/apache24/mod_dav_svn.so
LoadModule authz_svn_module libexec/apache24/mod_authz_svn.so
@@ -48,7 +50,14 @@ Include /etc/httpd/conf/httpd.conf
{% endif %}
PidFile {{ subversion_server_dir }}/apache.pid
-Listen 127.0.0.1:{{ apache_port }}
+Listen 127.0.0.1:{{ apache_port }} https
+{% if ansible_distribution not in ["Alpine", "CentOS", "Fedora", "openSUSE Leap", "Ubuntu"] %}
+Listen [::1]:{{ apache_port }} https
+{% endif %}
+SSLEngine on
+SSLCertificateFile {{ subversion_server_dir }}/server.pem
+SSLCertificateKeyFile {{ subversion_server_dir }}/server.key
+SSLCertificateChainFile {{ subversion_server_dir }}/server.pem
ErrorLog {{ subversion_server_dir }}/apache2-error.log
<Location /svn>
diff --git a/test/integration/targets/subversion/vars/Alpine.yml b/test/integration/targets/subversion/vars/Alpine.yml
index e224c13c49..71077b1205 100644
--- a/test/integration/targets/subversion/vars/Alpine.yml
+++ b/test/integration/targets/subversion/vars/Alpine.yml
@@ -5,5 +5,6 @@ subversion_packages:
- apache2-webdav
- apache2-utils
- apache2-ctl
+- apache2-ssl
apache_user: apache
apache_group: apache
diff --git a/test/integration/targets/subversion/vars/RedHat.yml b/test/integration/targets/subversion/vars/RedHat.yml
index 3e3f910938..a3298318a0 100644
--- a/test/integration/targets/subversion/vars/RedHat.yml
+++ b/test/integration/targets/subversion/vars/RedHat.yml
@@ -1,6 +1,7 @@
---
subversion_packages:
- mod_dav_svn
+- mod_ssl
- subversion
upgrade_packages:
# prevent sqlite from being out-of-sync with the version subversion was compiled with
diff --git a/test/integration/targets/subversion/vars/Ubuntu-20.yml b/test/integration/targets/subversion/vars/Ubuntu-20.yml
index dfe131b0e2..bfd880fd58 100644
--- a/test/integration/targets/subversion/vars/Ubuntu-20.yml
+++ b/test/integration/targets/subversion/vars/Ubuntu-20.yml
@@ -1,5 +1,7 @@
---
subversion_packages:
+- apache2 # /usr/sbin/apachectl
+- apache2-utils # htpasswd
- subversion
- libapache2-mod-svn
apache_user: www-data