f2cfa6c356
If a key is in our existing keyring has an expiry date (or, has expired), always import the provided value again as it may be refreshing the value. Add an expiring key to test the matching; although on an ephemeral node we're importing always anyway. Also update the file test to a stat -- this is better than a weird error from gpg later. Change-Id: I8e7bc38c68c224795630b90a1b989098a7661491
154 lines
5.9 KiB
YAML
154 lines
5.9 KiB
YAML
- hosts: all
|
|
tasks:
|
|
|
|
- name: Make a fake file
|
|
tempfile:
|
|
state: file
|
|
register: _tempfile
|
|
|
|
- name: Add some data
|
|
copy:
|
|
content: 'Hello, I am encrypted'
|
|
dest: '{{ _tempfile.path }}'
|
|
|
|
- name: Setup encryption variables
|
|
set_fact:
|
|
encrypt_file_keys:
|
|
- name: 'zuul-jobs-test-1'
|
|
key_id: '0xD0A3C69F209B3B8E'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZHhYJKwYBBAHaRw8BAQdAl9ZJaMvAc4kcO2mWFCZ5Em0xl7kRc3QYgtg0
|
|
+98sqoO0EHp1dWwtam9icy10ZXN0LTGIlAQTFgoAPBYhBKNWMSQoy8kXXIv/T9Cj
|
|
xp8gmzuOBQJiDFkeAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRDQ
|
|
o8afIJs7jqlUAQCVxaINjS5/rd1oCAp19lHrscMhFmQBOtxyU7CTDoCrCAEAh9mH
|
|
scfOGRWhxiwg0+dXe6RE/C3Kk13kdN8pfTOIGA24OARiDFkeEgorBgEEAZdVAQUB
|
|
AQdAl53uFFzrhnTTmq0YbDRtQ5KrMJYYNahImPzzrvVajW4DAQgHiHgEGBYKACAW
|
|
IQSjVjEkKMvJF1yL/0/Qo8afIJs7jgUCYgxZHgIbDAAKCRDQo8afIJs7jqE7AP9M
|
|
LRe/tJ+SeHexDI1m9tmo6xcID7UOJW8eIuuwi3kjZgEAl+WqJfqjBxJmBWIjTZcV
|
|
zA2T4i8ViORhXLo0oohQVwE=
|
|
=/liI
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: 'zuul-jobs-test-2'
|
|
key_id: '0x4E1BA7A3AB674E6F'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZkRYJKwYBBAHaRw8BAQdA1/5ta4i1G+NGqRWtlFuzZUmDHZP5uMt1gguX
|
|
WcXfoGW0EHp1dWwtam9icy10ZXN0LTKIlAQTFgoAPBYhBN0G/+apoMfgIYAX404b
|
|
p6OrZ05vBQJiDFmRAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBO
|
|
G6ejq2dOb4BkAQDoHczJaUH0LRgZUE+tkxhyqYY7kevX65vxe6vAqFci1gD/VvtA
|
|
lYrnQPqGG1GqRqy7cIsCfnI5lzAlL2Q2tYdO6A24OARiDFmREgorBgEEAZdVAQUB
|
|
AQdAZsFeMnJ7FGzNXf2SbGrVvYjgX397PaY6xAQoFWe4IQQDAQgHiHgEGBYKACAW
|
|
IQTdBv/mqaDH4CGAF+NOG6ejq2dObwUCYgxZkQIbDAAKCRBOG6ejq2dOb0t2AP9b
|
|
6Lv4BKjblZOhxJbsB9qvQbeyYunCLP07lSHBEhggNQEA+Luzhn3uitf4lyNbv6cS
|
|
9p2BPtxrLR4Ab20opteZ7w0=
|
|
=is5k
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: 'zuul-jobs-test-3'
|
|
key_id: '0FDF4D29F272F75A'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZmxYJKwYBBAHaRw8BAQdAVUbvG30ucCb6ztQ/iuis7fX5FXssxSfbl/n8
|
|
vl/gyse0EHp1dWwtam9icy10ZXN0LTOIlAQTFgoAPBYhBHfjn1eq18PQIZ3qNA/f
|
|
TSnycvdaBQJiDFmbAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRAP
|
|
300p8nL3WqgFAQCNhAEx7yC7UMV81IhiWMCDLK66eeHF16CiqPMabwlOEAD/V1cQ
|
|
NYCJekbq8GEcB3i36yIMPJokrPmXf6mkebs6vA24OARiDFmbEgorBgEEAZdVAQUB
|
|
AQdAPGKpDC3HpbRCJYkMzwY2NybY+/+G1beIjlDjpaxf/mIDAQgHiHgEGBYKACAW
|
|
IQR3459XqtfD0CGd6jQP300p8nL3WgUCYgxZmwIbDAAKCRAP300p8nL3WlQpAQC1
|
|
qwAAr63kwKKszAN+J32EGSaXp+dsR04367XacSJ3aQD/Tu6q45tF0t4G0dQIpzxT
|
|
jnHN/zEM7eyW45Jf/V8migI=
|
|
=CRYD
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
# NOTE(ianw): This key expires 2106-01-01 which is the
|
|
# maximum I seem to be able to convince gpg to do ATM.
|
|
# Someone else will have to regenerate it then because I am
|
|
# not likely to be available to do it.
|
|
- name: 'zuul-jobs-test-4'
|
|
key_id: '4A8C7A2A7E55816E'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYg9K5BYJKwYBBAHaRw8BAQdAIIezhOWTs9ggMpfePn/6B5sNY5/Bn9CguDcy
|
|
gKrjoIC0EHp1dWwtam9icy10ZXN0LTSImgQTFgoAQhYhBJZPfDNqTyma/Ekg0kqM
|
|
eip+VYFuBQJiD0rkAhsDBQmdv6CsBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIX
|
|
gAAKCRBKjHoqflWBbnOPAP9kJgpMbHh83haH7o+O1jJTbsW9XVX7Aq196ZbEiUhx
|
|
5QD9FFfKnDQ7q8XX6rOK6joLG9Cq8pX5q6tSouqygKKicQm4OARiD0rkEgorBgEE
|
|
AZdVAQUBAQdAJ2oXpzmh5vUKhWr7PCT6y4nhIcs9bdnKFiIWfEinGVMDAQgHiHgE
|
|
GBYKACAWIQSWT3wzak8pmvxJINJKjHoqflWBbgUCYg9K5AIbDAAKCRBKjHoqflWB
|
|
btm1AQC+lvLW8iLbsKde5cqHlGAKgY7KPi5BKxSCzwdRuX3qGAEAvFKGNoEjmUzF
|
|
7SUjadUXXizJoeJ9feocDzfBiaH53w8=
|
|
=XCeq
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: Encrypt file
|
|
include_role:
|
|
name: encrypt-file
|
|
vars:
|
|
encrypt_file: '{{ _tempfile.path }}'
|
|
encrypt_file_recipients:
|
|
- zuul-jobs-test-2
|
|
- zuul-jobs-test-3
|
|
- zuul-jobs-test-4
|
|
|
|
- name: Check output file
|
|
stat:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
register: _output
|
|
|
|
- name: Ensure exists
|
|
fail:
|
|
msg: 'Output file not found'
|
|
when: not _output.stat.exists
|
|
|
|
- name: Dump gpg packets
|
|
command: gpg --list-packets '{{ _tempfile.path }}.gpg'
|
|
register: _gpg_output
|
|
# Because it can't decrypt, gpg give an error. But we're
|
|
# interested in the encryption packets so expect this.
|
|
failed_when: _gpg_output.rc != 2
|
|
|
|
- name: Show gpg command output
|
|
debug:
|
|
var: _gpg_output
|
|
|
|
- name: Validate packets
|
|
assert:
|
|
that:
|
|
- "'zuul-jobs-test-1' not in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-2' in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-3' in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-4' in _gpg_output.stdout"
|
|
|
|
- name: Remove encrypted output file
|
|
file:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
state: absent
|
|
|
|
# Do it again to exercise already imported keys path
|
|
- name: Encrypt file
|
|
include_role:
|
|
name: encrypt-file
|
|
vars:
|
|
encrypt_file: '{{ _tempfile.path }}'
|
|
encrypt_file_recipients:
|
|
- zuul-jobs-test-2
|
|
- zuul-jobs-test-3
|
|
- zuul-jobs-test-4
|
|
|
|
- name: Remove temporary file
|
|
file:
|
|
path: '{{ _tempfile.path }}'
|
|
state: absent
|
|
when: _tempfile.path is defined
|
|
|
|
- name: Remove encrypted output file
|
|
file:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
state: absent
|