Vendor Galaxy Roles and Collections

ansible_collections/community/sops/tests/integration/targets/age/aliases

@@ -0,0 +1,8 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+gha/main
+skip/aix
+skip/osx
+skip/freebsd

ansible_collections/community/sops/tests/integration/targets/age/meta/main.yml

@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_sops
+  - setup_remote_tmp_dir

ansible_collections/community/sops/tests/integration/targets/age/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Determine whether sops, age, and sops with age are supported
+  set_fact:
+    supports_sops_and_age: >-
+      {{ sops_installed and age_installed and sops_version_remote is version('3.7.0', '>=') }}
+
+- when: supports_sops_and_age
+  block:
+    - name: Create local temporary directory
+      tempfile:
+        state: directory
+        suffix: .test
+      delegate_to: localhost
+      register: local_tmp_dir
+
+    - name: Record local temporary directory
+      set_fact:
+        local_tmp_dir: "{{ local_tmp_dir.path }}"
+
+    - name: Create age keys
+      command: age-keygen --output {{ local_tmp_dir }}/{{ item }}
+      delegate_to: localhost
+      loop:
+        - identity_1
+        - identity_2
+        - identity_3
+        - identity_4
+
+    - vars:
+        identity_files:
+          - name: identities_all
+            id_files:
+              - identity_1
+              - identity_2
+              - identity_3
+              - identity_4
+          - name: identities_1_2_3
+            id_files:
+              - identity_1
+              - identity_2
+              - identity_3
+          - name: identities_4
+            id_files:
+              - identity_4
+      block:
+        - name: Create local identity files
+          copy:
+            dest: '{{ local_tmp_dir }}/{{ item.name }}'
+            content: |
+              {% for id_file in item.id_files %}
+              {{   lookup('file', local_tmp_dir ~ '/' ~ id_file) }}
+              {% endfor %}
+          delegate_to: localhost
+          loop: '{{ identity_files }}'
+
+        - name: Create remote identity files
+          copy:
+            dest: '{{ remote_tmp_dir }}/{{ item.name }}'
+            content: |
+              {% for id_file in item.id_files %}
+              {{   lookup('file', local_tmp_dir ~ '/' ~ id_file) }}
+              {% endfor %}
+          loop: '{{ identity_files }}'
+
+    - name: Read identity public keys
+      set_fact:
+        identity_1: "{{ lookup('file', local_tmp_dir ~ '/identity_1') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_2: "{{ lookup('file', local_tmp_dir ~ '/identity_2') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_3: "{{ lookup('file', local_tmp_dir ~ '/identity_3') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+        identity_4: "{{ lookup('file', local_tmp_dir ~ '/identity_4') | regex_search('public key: ([a-zA-Z0-9]+)', '\\1') | first }}"
+
+    - include_tasks: test.yml
+  always:
+    - name: Delete temporary directory
+      file:
+        path: '{{ local_tmp_dir }}'
+        state: absent
+      delegate_to: localhost

ansible_collections/community/sops/tests/integration/targets/age/tasks/test.yml

@@ -0,0 +1,132 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create encrypted files
+  sops_encrypt:
+    path: '{{ remote_tmp_dir }}/{{ item.name }}.sops.yaml'
+    age: '{{ item.identities }}'
+    age_keyfile: '{{ remote_tmp_dir }}/identities_all'
+    content_yaml: '{{ item.data }}'
+  loop: '{{ data }}'
+  vars:
+    data:
+      - name: enc-1
+        identities:
+          - '{{ identity_1 }}'
+          - '{{ identity_2 }}'
+          - '{{ identity_3 }}'
+          - '{{ identity_4 }}'
+        data:
+          foo: bar
+          baz: this is a secret
+          bam: true
+          int: 3
+      - name: enc-2
+        identities:
+          - '{{ identity_1 }}'
+          - '{{ identity_2 }}'
+          - '{{ identity_4 }}'
+        data:
+          foo: 19
+          bar: this is another secret
+      - name: enc-3
+        identities:
+          - '{{ identity_4 }}'
+        data:
+          foo: 23
+
+- name: Copy encrypted files to localhost
+  fetch:
+    src: '{{ remote_tmp_dir }}/{{ item }}.sops.yaml'
+    dest: '{{ local_tmp_dir }}/'
+    flat: true
+  loop:
+    - enc-1
+    - enc-2
+    - enc-3
+
+- name: Decrypt some data (3.7.0+)
+  set_fact:
+    decrypt_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_1_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+    decrypt_1_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
+    decrypt_1_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"
+    decrypt_1_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+    decrypt_1_1_2_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_1_2_3') | from_yaml }}"
+    decrypt_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_2_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+    decrypt_2_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
+    decrypt_2_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+    decrypt_2_1_2_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_1_2_3') | from_yaml }}"
+    decrypt_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
+    decrypt_3_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
+
+- name: Validate decryption
+  assert:
+    that:
+      - decrypt_1.foo == 'bar'
+      - decrypt_1.baz == 'this is a secret'
+      - decrypt_1.bam == true
+      - decrypt_1.int == 3
+      - decrypt_1 == decrypt_1_1
+      - decrypt_1 == decrypt_1_2
+      - decrypt_1 == decrypt_1_3
+      - decrypt_1 == decrypt_1_4
+      - decrypt_1 == decrypt_1_1_2_3
+      - decrypt_2.foo == 19
+      - decrypt_2.bar == 'this is another secret'
+      - decrypt_2.bam is undefined
+      - decrypt_2.int is undefined
+      - decrypt_2 == decrypt_2_1
+      - decrypt_2 == decrypt_2_2
+      - decrypt_2 == decrypt_2_4
+      - decrypt_2 == decrypt_2_1_2_3
+      - decrypt_3.foo == 23
+      - decrypt_3.bar is undefined
+      - decrypt_3.bam is undefined
+      - decrypt_3.int is undefined
+      - decrypt_3 == decrypt_3_4
+
+- when: >-
+    sops_version_controller is version('3.7.1', '>=')
+  block:
+    - name: Decrypt some data (3.7.1+)
+      set_fact:
+        decrypt_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_all')) | from_yaml }}"
+        decrypt_1_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_1')) | from_yaml }}"
+        decrypt_1_2b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_2')) | from_yaml }}"
+        decrypt_1_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_3')) | from_yaml }}"
+        decrypt_1_4b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_4')) | from_yaml }}"
+        decrypt_1_1_2_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_1_2_3')) | from_yaml }}"
+
+    - name: Validate decryption
+      assert:
+        that:
+          - decrypt_1 == decrypt_1b
+          - decrypt_1 == decrypt_1_1b
+          - decrypt_1 == decrypt_1_2b
+          - decrypt_1 == decrypt_1_3b
+          - decrypt_1 == decrypt_1_4b
+          - decrypt_1 == decrypt_1_1_2_3b
+
+- name: Failed encryption 1
+  debug:
+    msg: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"
+  ignore_errors: true
+  register: failure_1
+
+- name: Failed encryption 2
+  debug:
+    msg: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-3.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
+  ignore_errors: true
+  register: failure_2
+
+- name: Validate failed decryption
+  assert:
+    that:
+      - failure_1 is failed
+      - "'CouldNotRetrieveKey' in failure_1.msg"
+      - failure_2 is failed
+      - "'CouldNotRetrieveKey' in failure_2.msg"