21341d2d47
The input to encrypt files may be a list of paths so our validation has to evaluate and state each list entry separately. Without this we fail beacuse the list of paths is treated like a single path and that does not stat resulting in early failure. Change-Id: Ibe3f6b162c3adad928708464ea03ddded2f4c683
178 lines
6.5 KiB
YAML
178 lines
6.5 KiB
YAML
- hosts: all
|
|
tasks:
|
|
|
|
- name: Make a fake file
|
|
tempfile:
|
|
state: file
|
|
register: _tempfile
|
|
|
|
- name: Add some data
|
|
copy:
|
|
content: 'Hello, I am encrypted'
|
|
dest: '{{ _tempfile.path }}'
|
|
|
|
- name: Setup encryption variables
|
|
set_fact:
|
|
encrypt_file_keys:
|
|
- name: 'zuul-jobs-test-1'
|
|
key_id: '0xD0A3C69F209B3B8E'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZHhYJKwYBBAHaRw8BAQdAl9ZJaMvAc4kcO2mWFCZ5Em0xl7kRc3QYgtg0
|
|
+98sqoO0EHp1dWwtam9icy10ZXN0LTGIlAQTFgoAPBYhBKNWMSQoy8kXXIv/T9Cj
|
|
xp8gmzuOBQJiDFkeAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRDQ
|
|
o8afIJs7jqlUAQCVxaINjS5/rd1oCAp19lHrscMhFmQBOtxyU7CTDoCrCAEAh9mH
|
|
scfOGRWhxiwg0+dXe6RE/C3Kk13kdN8pfTOIGA24OARiDFkeEgorBgEEAZdVAQUB
|
|
AQdAl53uFFzrhnTTmq0YbDRtQ5KrMJYYNahImPzzrvVajW4DAQgHiHgEGBYKACAW
|
|
IQSjVjEkKMvJF1yL/0/Qo8afIJs7jgUCYgxZHgIbDAAKCRDQo8afIJs7jqE7AP9M
|
|
LRe/tJ+SeHexDI1m9tmo6xcID7UOJW8eIuuwi3kjZgEAl+WqJfqjBxJmBWIjTZcV
|
|
zA2T4i8ViORhXLo0oohQVwE=
|
|
=/liI
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: 'zuul-jobs-test-2'
|
|
key_id: '0x4E1BA7A3AB674E6F'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZkRYJKwYBBAHaRw8BAQdA1/5ta4i1G+NGqRWtlFuzZUmDHZP5uMt1gguX
|
|
WcXfoGW0EHp1dWwtam9icy10ZXN0LTKIlAQTFgoAPBYhBN0G/+apoMfgIYAX404b
|
|
p6OrZ05vBQJiDFmRAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRBO
|
|
G6ejq2dOb4BkAQDoHczJaUH0LRgZUE+tkxhyqYY7kevX65vxe6vAqFci1gD/VvtA
|
|
lYrnQPqGG1GqRqy7cIsCfnI5lzAlL2Q2tYdO6A24OARiDFmREgorBgEEAZdVAQUB
|
|
AQdAZsFeMnJ7FGzNXf2SbGrVvYjgX397PaY6xAQoFWe4IQQDAQgHiHgEGBYKACAW
|
|
IQTdBv/mqaDH4CGAF+NOG6ejq2dObwUCYgxZkQIbDAAKCRBOG6ejq2dOb0t2AP9b
|
|
6Lv4BKjblZOhxJbsB9qvQbeyYunCLP07lSHBEhggNQEA+Luzhn3uitf4lyNbv6cS
|
|
9p2BPtxrLR4Ab20opteZ7w0=
|
|
=is5k
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: 'zuul-jobs-test-3'
|
|
key_id: '0FDF4D29F272F75A'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYgxZmxYJKwYBBAHaRw8BAQdAVUbvG30ucCb6ztQ/iuis7fX5FXssxSfbl/n8
|
|
vl/gyse0EHp1dWwtam9icy10ZXN0LTOIlAQTFgoAPBYhBHfjn1eq18PQIZ3qNA/f
|
|
TSnycvdaBQJiDFmbAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAKCRAP
|
|
300p8nL3WqgFAQCNhAEx7yC7UMV81IhiWMCDLK66eeHF16CiqPMabwlOEAD/V1cQ
|
|
NYCJekbq8GEcB3i36yIMPJokrPmXf6mkebs6vA24OARiDFmbEgorBgEEAZdVAQUB
|
|
AQdAPGKpDC3HpbRCJYkMzwY2NybY+/+G1beIjlDjpaxf/mIDAQgHiHgEGBYKACAW
|
|
IQR3459XqtfD0CGd6jQP300p8nL3WgUCYgxZmwIbDAAKCRAP300p8nL3WlQpAQC1
|
|
qwAAr63kwKKszAN+J32EGSaXp+dsR04367XacSJ3aQD/Tu6q45tF0t4G0dQIpzxT
|
|
jnHN/zEM7eyW45Jf/V8migI=
|
|
=CRYD
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
# NOTE(ianw): This key expires 2106-01-01 which is the
|
|
# maximum I seem to be able to convince gpg to do ATM.
|
|
# Someone else will have to regenerate it then because I am
|
|
# not likely to be available to do it.
|
|
- name: 'zuul-jobs-test-4'
|
|
key_id: '4A8C7A2A7E55816E'
|
|
gpg_asc: |
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mDMEYg9K5BYJKwYBBAHaRw8BAQdAIIezhOWTs9ggMpfePn/6B5sNY5/Bn9CguDcy
|
|
gKrjoIC0EHp1dWwtam9icy10ZXN0LTSImgQTFgoAQhYhBJZPfDNqTyma/Ekg0kqM
|
|
eip+VYFuBQJiD0rkAhsDBQmdv6CsBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIX
|
|
gAAKCRBKjHoqflWBbnOPAP9kJgpMbHh83haH7o+O1jJTbsW9XVX7Aq196ZbEiUhx
|
|
5QD9FFfKnDQ7q8XX6rOK6joLG9Cq8pX5q6tSouqygKKicQm4OARiD0rkEgorBgEE
|
|
AZdVAQUBAQdAJ2oXpzmh5vUKhWr7PCT6y4nhIcs9bdnKFiIWfEinGVMDAQgHiHgE
|
|
GBYKACAWIQSWT3wzak8pmvxJINJKjHoqflWBbgUCYg9K5AIbDAAKCRBKjHoqflWB
|
|
btm1AQC+lvLW8iLbsKde5cqHlGAKgY7KPi5BKxSCzwdRuX3qGAEAvFKGNoEjmUzF
|
|
7SUjadUXXizJoeJ9feocDzfBiaH53w8=
|
|
=XCeq
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
|
- name: Encrypt file
|
|
include_role:
|
|
name: encrypt-file
|
|
vars:
|
|
encrypt_file: '{{ _tempfile.path }}'
|
|
encrypt_file_recipients:
|
|
- zuul-jobs-test-2
|
|
- zuul-jobs-test-3
|
|
- zuul-jobs-test-4
|
|
|
|
- name: Check output file
|
|
stat:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
register: _output
|
|
|
|
- name: Ensure exists
|
|
fail:
|
|
msg: 'Output file not found'
|
|
when: not _output.stat.exists
|
|
|
|
- name: Dump gpg packets
|
|
command: gpg --list-packets '{{ _tempfile.path }}.gpg'
|
|
register: _gpg_output
|
|
# Because it can't decrypt, gpg give an error. But we're
|
|
# interested in the encryption packets so expect this.
|
|
failed_when: _gpg_output.rc != 2
|
|
|
|
- name: Show gpg command output
|
|
debug:
|
|
var: _gpg_output
|
|
|
|
- name: Validate packets
|
|
assert:
|
|
that:
|
|
- "'zuul-jobs-test-1' not in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-2' in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-3' in _gpg_output.stdout"
|
|
- "'zuul-jobs-test-4' in _gpg_output.stdout"
|
|
|
|
- name: Remove encrypted output file
|
|
file:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
state: absent
|
|
|
|
- name: Make a second fake file
|
|
tempfile:
|
|
state: file
|
|
register: _tempfile2
|
|
|
|
- name: Add some data to second fake file
|
|
copy:
|
|
content: 'Hello, I am encrypted. This is the second file.'
|
|
dest: '{{ _tempfile2.path }}'
|
|
|
|
# Do it again to exercise already imported keys path and check we can
|
|
# encrypt multiple files.
|
|
- name: Encrypt file
|
|
include_role:
|
|
name: encrypt-file
|
|
vars:
|
|
encrypt_file:
|
|
- '{{ _tempfile.path }}'
|
|
- '{{ _tempfile2.path }}'
|
|
encrypt_file_recipients:
|
|
- zuul-jobs-test-2
|
|
- zuul-jobs-test-3
|
|
- zuul-jobs-test-4
|
|
|
|
- name: Remove temporary file
|
|
file:
|
|
path: '{{ _tempfile.path }}'
|
|
state: absent
|
|
when: _tempfile.path is defined
|
|
|
|
- name: Remove encrypted output file
|
|
file:
|
|
path: '{{ _tempfile.path }}.gpg'
|
|
state: absent
|
|
|
|
- name: Remove second temporary file
|
|
file:
|
|
path: '{{ _tempfile2.path }}'
|
|
state: absent
|
|
when: _tempfile2.path is defined
|
|
|
|
- name: Remove second encrypted output file
|
|
file:
|
|
path: '{{ _tempfile2.path }}.gpg'
|
|
state: absent
|