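---
# Verification play for the Koji CA material under /etc/pki/koji.
# Expected end state checked here:
#   - private keys are root-owned regular files with mode 0600
#   - public certificates are root-owned regular files with mode 0644
#   - the server certificate validates against koji-ca.crt through the
#     deployed intermediate chain file
- name: Verify
  hosts: all
  become: true

  vars:
    # Files that must never be readable by anyone but root.
    private_keys:
      - koji-ca.key
      - "{{ koji_server_ca_fqdn }}.key"
    # Files that are expected to be world-readable.
    public_keys:
      - koji-ca.crt
      - "{{ koji_server_ca_fqdn }}.crt"
      - "{{ koji_server_ca_fqdn }}.chain.crt"

  tasks:
    - name: Collect Koji CA private keys stats
      ansible.builtin.stat:
        path: "{{ ('/etc/pki/koji', item) | path_join }}"
        # Only metadata is asserted on; do not read the key material to hash it.
        get_checksum: false
      loop: "{{ private_keys }}"
      register: private_keys_stats

    - name: Verify Koji CA private keys stats
      ansible.builtin.assert:
        # `exists` comes first: `and` short-circuits, so the remaining stat
        # fields are only evaluated when the file is present. `isreg` rejects
        # directories and symlinks (stat does not follow links by default).
        that: |
          item.stat.exists and
          item.stat.isreg and
          item.stat.mode == '0600' and
          item.stat.pw_name == 'root' and
          item.stat.gr_name == 'root'
        fail_msg: "{{ item.item }} is missing or is not a root-owned regular file with mode 0600"
      loop: "{{ private_keys_stats.results }}"
      loop_control:
        # Print the file name instead of the whole registered stat dict.
        label: "{{ item.item }}"

    - name: Collect Koji CA public keys stats
      ansible.builtin.stat:
        path: "{{ ('/etc/pki/koji', item) | path_join }}"
        get_checksum: false
      loop: "{{ public_keys }}"
      register: public_keys_stats

    - name: Verify Koji CA public keys stats
      ansible.builtin.assert:
        that: |
          item.stat.exists and
          item.stat.isreg and
          item.stat.mode == '0644' and
          item.stat.pw_name == 'root' and
          item.stat.gr_name == 'root'
        fail_msg: "{{ item.item }} is missing or is not a root-owned regular file with mode 0644"
      loop: "{{ public_keys_stats.results }}"
      loop_control:
        label: "{{ item.item }}"

    # NOTE(review): `openssl verify` checks the signature chain and validity
    # period only; it does not check the subject name or key usage/purpose.
    - name: Verify Koji certificate chain
      ansible.builtin.command:
        argv:
          - openssl
          - verify
          - -CAfile
          - /etc/pki/koji/koji-ca.crt
          - -untrusted
          - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.chain.crt"
          - "/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt"
      register: openssl_verify
      # Read-only check: never report it as a change.
      changed_when: false
      # Defer the pass/fail decision to the assert below so a failure reports
      # openssl's diagnostics instead of a bare non-zero return code.
      failed_when: false

    - name: Check Koji certificate chain verification status
      ansible.builtin.assert:
        that: |
          openssl_verify.rc == 0 and
          openssl_verify.stdout == '/etc/pki/koji/{{ koji_server_ca_fqdn }}.crt: OK'
        fail_msg: "openssl verify failed (rc={{ openssl_verify.rc }}): {{ openssl_verify.stderr }}"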