-
Notifications
You must be signed in to change notification settings - Fork 1
test: strengthen molecule tests against false-passes (audit fixes) #155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Oddly
wants to merge
19
commits into
main
Choose a base branch
from
fix/molecule-test-audit
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
19 commits
Select commit
Hold shift + click to select a range
80d8750
test: parameterise shared verify_es_health on scheme
Oddly 4bdfdf7
test: rename misleading molecule scenario directories
Oddly da41ae2
test(cert_renewal): assert fingerprints actually change after renewal
Oddly ef2ef54
test(elasticsearch_upgrade): assert handler suppression, JVM-loaded, …
Oddly 2e98360
test(elasticsearch_*_certs): assert deployed certs match the source PEMs
Oddly 3a8bbb3
test(*_tls): probe TLS handshake instead of trusting an open socket
Oddly a33ae18
test(beats_security, elasticstack_default): assert end-to-end ingest
Oddly ca1942e
test(cert_info_module): register and assert on every negative-path call
Oddly cee1950
test(elasticsearch_default): don't skip the rotation guard on its own…
Oddly a451248
test(kibana_custom): add negative sniff_on_start assertion for 9.x
Oddly 8f24cf4
test(logstash_centralized_pipelines): confirm Logstash actually starts
Oddly 50ef908
test(elasticsearch_diagnostics): require real diagnostic content, not…
Oddly eaf53e2
test(logstash_standalone_certs): add scenario for the actually-uncove…
Oddly 43e6605
test: address ansible-lint findings in the audit-fix commits
Oddly bfffafd
ci: memory-aware admission gate for the molecule runner pool
Oddly ed71aaf
test: fix five scenarios surfaced by CI on the audit-fixes branch
Oddly 1dcdaae
test: fix three more scenarios surfaced on the latest CI run
Oddly d90780d
test: two more scenarios surfaced after the previous round
Oddly 0e72cd2
test(beats_security): bump ES host to 6 GB so debian13 + r9 doesn't OOM
Oddly File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| --- | ||
| # Tests the oddly.elasticstack.cert_info module across happy and failure paths. | ||
| # Invoked directly via `ansible-playbook` from .github/workflows/test_plugins.yml | ||
| # (this is not a molecule scenario — there is no molecule.yml). | ||
| - name: Converge | ||
| hosts: localhost | ||
| tasks: | ||
|
|
||
| # --- Happy path --- | ||
|
|
||
| - name: Run cert_info on a valid PKCS#12 with the right passphrase | ||
| oddly.elasticstack.cert_info: | ||
| path: files/es-ca/elastic-stack-ca.p12 | ||
| passphrase: PleaseChangeMe | ||
| register: _ci_ok | ||
|
|
||
| - name: Show happy-path result | ||
| ansible.builtin.debug: | ||
| var: _ci_ok | ||
|
|
||
| - name: Assert happy-path returned the expected fields | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_ok is not failed | ||
| - _ci_ok.not_valid_after is defined | ||
| - _ci_ok.not_valid_before is defined | ||
| - _ci_ok.subject is defined | ||
| # An empty/None response would fail the date arithmetic below in | ||
| # surprising ways; check the date parses to a real timestamp. | ||
| - (_ci_ok.not_valid_after | regex_replace('[+-]\d{2}:\d{2}$', '') | to_datetime('%Y-%m-%d %H:%M:%S')).year >= 2020 | ||
| fail_msg: "cert_info happy-path did not return the expected dict shape: {{ _ci_ok }}" | ||
|
|
||
| - name: Compute days until expiry (smoke-test the typical caller pattern) | ||
| ansible.builtin.debug: | ||
| msg: >- | ||
| Cert expires in | ||
| {{ ((_ci_ok.not_valid_after | regex_replace('[+-]\d{2}:\d{2}$', '') | to_datetime('%Y-%m-%d %H:%M:%S')) - | ||
| (ansible_facts.date_time.date | to_datetime('%Y-%m-%d'))).days }} | ||
| days | ||
|
|
||
| # --- Negative paths --- | ||
| # | ||
| # Each negative case must explicitly fail. The previous version used | ||
| # `failed_when: false` with no register/assertion, so a regression where | ||
| # cert_info started swallowing bad inputs (e.g. missing passphrase | ||
| # falling back to "" and succeeding) would have passed silently. | ||
|
|
||
| - name: Run cert_info with missing path argument # noqa: args[module] | ||
| oddly.elasticstack.cert_info: | ||
| passphrase: PleaseChangeMe | ||
| register: _ci_missing_path | ||
| failed_when: false | ||
|
|
||
| - name: Assert missing-path call failed | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_missing_path is failed | ||
| fail_msg: "cert_info should have failed on missing path, but returned: {{ _ci_missing_path }}" | ||
|
|
||
| - name: Run cert_info with a non-existent path | ||
| oddly.elasticstack.cert_info: | ||
| path: does-not-exist.p12 | ||
| passphrase: PleaseChangeMe | ||
| register: _ci_bad_path | ||
| failed_when: false | ||
|
|
||
| - name: Assert bad-path call failed | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_bad_path is failed | ||
| fail_msg: "cert_info should have failed on non-existent path, but returned: {{ _ci_bad_path }}" | ||
|
|
||
| - name: Run cert_info with the wrong passphrase | ||
| oddly.elasticstack.cert_info: | ||
| path: files/es-ca/elastic-stack-ca.p12 | ||
| passphrase: PleaseChangeMe-wrong | ||
| register: _ci_bad_pass | ||
| failed_when: false | ||
|
|
||
| - name: Assert wrong-passphrase call failed | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_bad_pass is failed | ||
| fail_msg: "cert_info should have failed on wrong passphrase, but returned: {{ _ci_bad_pass }}" | ||
|
|
||
| - name: Run cert_info with no passphrase against an encrypted PKCS#12 | ||
| oddly.elasticstack.cert_info: | ||
| path: files/es-ca/elastic-stack-ca.p12 | ||
| register: _ci_no_pass | ||
| failed_when: false | ||
|
|
||
| - name: Assert no-passphrase call failed | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_no_pass is failed | ||
| fail_msg: "cert_info should have failed when no passphrase given for an encrypted p12, but returned: {{ _ci_no_pass }}" | ||
|
|
||
| - name: Run cert_info with no parameters at all # noqa: args[module] | ||
| oddly.elasticstack.cert_info: | ||
| register: _ci_no_params | ||
| failed_when: false | ||
|
|
||
| - name: Assert no-parameters call failed | ||
| ansible.builtin.assert: | ||
| that: | ||
| - _ci_no_params is failed | ||
| fail_msg: "cert_info should have failed with no parameters, but returned: {{ _ci_no_params }}" |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don’t bypass the expiry-buffer paths you’re trying to validate.
With Line 126 forcing CA renewal, Elasticsearch can still replace node certs through the CA-rotation path (
roles/elasticsearch/tasks/elasticsearch-security.yml:319-528) even ifelasticsearch_cert_expiration_bufferstops working. And with Line 130 still settinglogstash_cert_force_regenerate: true, Logstash renewal is unconditional because_logstash_needs_cert_renewalisforce_regenerate OR will_expire_soon(roles/logstash/tasks/logstash-security.yml:122-234). That leaves this scenario able to false-pass the exact regression this PR is trying to catch.Suggested change
🤖 Prompt for AI Agents