From 7d699d3c4020c4a5c406bee89550bd97ead248a0 Mon Sep 17 00:00:00 2001
From: Bartek Grzybowski
Date: Wed, 14 Apr 2021 14:44:46 +0200
Subject: [ANSIBLE 3.2.0] Fix regex pattern in 'certificates' role [MOLECULE] Add verifier test for SubjectAlternativeName validation
Issue-ID: OOM-2722
Change-Id: I8ff9fb88d5166f3d5eba5f364f9110b3b12cd47e
Signed-off-by: Bartek Grzybowski
---
 .../molecule/default/tests/test_infrastructure.py | 19 +++++++++++++++++++
 .../certificates/tasks/generate-certificates.yml | 2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py b/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
index ca5e89cc..61c06634 100644
--- a/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
+++ b/ansible/roles/certificates/molecule/default/tests/test_infrastructure.py
@@ -2,6 +2,7 @@ import os import pytest import testinfra.utils.ansible_runner +from cryptography import x509 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('infrastructure')
@@ -12,6 +13,16 @@ def group_vars(host): return host.ansible.get_variables() +@pytest.fixture +def crt_alt_names(host, group_vars): nexus_cert_file = host.file(group_vars["app_data_path"] + '/certs/' + 'nexus_server.crt') x509_cert = x509.load_pem_x509_certificate(nexus_cert_file.content) san = x509_cert.extensions.get_extension_for_class( x509.SubjectAlternativeName) return san.value.get_values_for_type(x509.DNSName) + + @pytest.mark.parametrize('cert_file', [ 'nexus_server.crt', 'nexus_server.csr', 
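Review bot: The added `from cryptography import x509` makes the molecule verifier depend on the `cryptography` package, and the diffstat lists no requirements or scenario configuration change declaring it. Ansible itself depends on `cryptography`, so the import will usually resolve, but relying on that transitive install means a future dependency change could break the verifier silently; declaring the test-side dependency explicitly alongside `testinfra` is the safer form.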
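Review bot: `crt_alt_names` builds the certificate path by string concatenation, including a needless split of one literal into `'/certs/' + 'nexus_server.crt'`, while `os` is already imported in this file; `os.path.join(group_vars["app_data_path"], 'certs', 'nexus_server.crt')` is the idiomatic form. The fixture also has no docstring; `"""DNS names listed in the SubjectAlternativeName extension of the generated Nexus server certificate."""` would tell readers which certificate and which SAN type it inspects. Note that `get_extension_for_class` raises `x509.ExtensionNotFound` when the certificate carries no SAN at all, so a missing extension surfaces as a fixture error rather than an assertion failure in the parametrized tests; a short comment stating that this is intentional (the certificate is required to have a SAN) would keep someone from "fixing" it later.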
@@ -30,3 +41,11 @@ def test_generated_cert_files_copied_to_infra(host, cert_file, group_vars): with open("molecule/default/certs/" + cert_file) as local_cert_file: local_content = local_cert_file.read().strip() assert local_content == f.content_string.strip() + + +@pytest.mark.parametrize('alt_names', [ 'molecule.sim.host1', 'molecule.sim.host2' ]) +def test_subject_alt_name_valid(alt_names, crt_alt_names): assert alt_names in crt_alt_names
diff --git a/ansible/roles/certificates/tasks/generate-certificates.yml b/ansible/roles/certificates/tasks/generate-certificates.yml
index 43b774bc..d2a9f4ec 100644
--- a/ansible/roles/certificates/tasks/generate-certificates.yml
+++ b/ansible/roles/certificates/tasks/generate-certificates.yml
@@ -59,7 +59,7 @@ extended_key_usage: - serverAuth subject_alt_name: - "{{ all_simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}" + "{{ all_simulated_hosts | map('regex_replace', '^(.*)$', 'DNS:\\1') | list }}" - name: Sign Nexus certificate openssl_certificate:
-- 
cgit 1.2.3-korg
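Review bot: `test_subject_alt_name_valid` only asserts that each expected host is present in the SAN, so a regressed or mistyped `regex_replace` that yields additional or malformed entries alongside the expected ones would still pass. Adding one non-parametrized check of the full list, e.g. `assert sorted(crt_alt_names) == ['molecule.sim.host1', 'molecule.sim.host2']`, would pin the SAN to exactly the simulated hosts, assuming those two are the only entries in `all_simulated_hosts` for this scenario (not visible in this diff). The parameter is also named `alt_names` although each parametrized value is a single name; `alt_name` reads more naturally.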
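Review bot: The reason for the anchors in `'^(.*)$'` is not recorded anywhere in the task, so a future cleanup could reintroduce the bug this commit fixes. With the `re.sub` semantics behind Ansible's `regex_replace` (Python 3.7+), an unanchored `(.*)` matches both the whole host name and the empty string at its end, so each element became `DNS:<host>DNS:`; anchoring makes exactly one substitution. A one-line YAML comment above the `subject_alt_name` entry, such as `# keep '^(.*)$' anchored: an unanchored '(.*)' also matches the trailing empty string and yields 'DNS:<host>DNS:'`, captures that. An empty element in `all_simulated_hosts` would still become a bare `DNS:` entry; if that list can ever contain an empty value, filtering it first is worth considering. The task this `subject_alt_name` entry belongs to starts before the hunk.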