ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-24 03:11:24 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

java_keystore: add certificate_path and private_key_path options (#2230)

Browse source 
* java_keystore: add `certificate_path` and `private_key_path` options

* Update DOCUMENTATION and EXAMPLES accordingly.
* Refactor integration tests to play the same tasks twice.
* Add a changelog fragment (minor_changes).

refactor DOCUMENTATION

* Add useful info for better understanding of what options allow
  keystore regeneration on the fly, and what other options lead the
  module to fail, if their values change.
* Fix indentation and tenses.
* Add myself as author.

* readability-related stuff + changelog fragment
This commit is contained in:
quidame 2021-04-17 18:17:53 +02:00 committed by GitHub
parent f77aa51ab8
commit 3a8206fe62
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 328 additions and 201 deletions
Download patch file Download diff file Expand all files Collapse all files

209
plugins/modules/system/java_keystore.py
View file

@ -1,7 +1,8 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2016, Guillaume Grossetie <ggrossetie@yuzutech.fr>
# Copyright: (c) 2016, Guillaume Grossetie <ggrossetie@yuzutech.fr>
# Copyright: (c) 2021, quidame <quidame@poivron.org>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
@ -11,68 +12,98 @@ __metaclass__ = type
DOCUMENTATION = '''
---
module: java_keystore
short_description: Create or delete a Java keystore in JKS format.
short_description: Create a Java keystore in JKS format
description:
- Create or delete a Java keystore in JKS format for a given certificate.
- Bundle a x509 certificate and its private key into a Java Keystore in JKS format.
options:
name:
type: str
description:
- Name of the certificate.
required: true
certificate:
type: str
description:
- Certificate that should be used to create the key store.
required: true
private_key:
type: str
description:
- Private key that should be used to create the key store.
required: true
private_key_passphrase:
description:
- Pass phrase for reading the private key, if required.
type: str
required: false
version_added: '0.2.0'
password:
type: str
description:
- Password that should be used to secure the key store.
required: true
dest:
type: path
description:
- Absolute path where the jks should be generated.
required: true
owner:
description:
- Name of the user that should own jks file.
required: false
group:
description:
- Name of the group that should own jks file.
required: false
mode:
description:
- Mode the file should be.
required: false
force:
description:
- Key store will be created even if it already exists.
required: false
type: bool
default: 'no'
requirements: [openssl, keytool]
author: Guillaume Grossetie (@Mogztter)
name:
description:
- Name of the certificate in the keystore.
- If the provided name does not exist in the keystore, the module fails.
This behavior will change in a next release.
type: str
required: true
certificate:
description:
- Content of the certificate used to create the keystore.
- If the fingerprint of the provided certificate does not match the
fingerprint of the certificate bundled in the keystore, the keystore
is regenerated with the provided certificate.
- Exactly one of I(certificate) or I(certificate_path) is required.
type: str
certificate_path:
description:
- Location of the certificate used to create the keystore.
- If the fingerprint of the provided certificate does not match the
fingerprint of the certificate bundled in the keystore, the keystore
is regenerated with the provided certificate.
- Exactly one of I(certificate) or I(certificate_path) is required.
type: path
version_added: '3.0.0'
private_key:
description:
- Content of the private key used to create the keystore.
- Exactly one of I(private_key) or I(private_key_path) is required.
type: str
private_key_path:
description:
- Location of the private key used to create the keystore.
- Exactly one of I(private_key) or I(private_key_path) is required.
type: path
version_added: '3.0.0'
private_key_passphrase:
description:
- Passphrase used to read the private key, if required.
type: str
version_added: '0.2.0'
password:
description:
- Password that should be used to secure the keystore.
- If the provided password fails to unlock the keystore, the module
fails. This behavior will change in a next release.
type: str
required: true
dest:
description:
- Absolute path of the generated keystore.
type: path
required: true
force:
description:
- Keystore is created even if it already exists.
type: bool
default: 'no'
owner:
description:
- Name of the user that should own jks file.
required: false
group:
description:
- Name of the group that should own jks file.
required: false
mode:
description:
- Mode the file should be.
required: false
requirements:
- openssl in PATH
- keytool in PATH
author:
- Guillaume Grossetie (@Mogztter)
- quidame (@quidame)
extends_documentation_fragment:
- files
- files
seealso:
- module: community.general.java_cert
notes:
- I(certificate) and I(private_key) require that their contents are available
on the controller (either inline in a playbook, or with the C(file) lookup),
while I(certificate_path) and I(private_key_path) require that the files are
available on the target host.
'''
EXAMPLES = '''
- name: Create a key store for the given certificate (inline)
- name: Create a keystore for the given certificate/private key pair (inline)
community.general.java_keystore:
name: example
certificate: |
@ -88,11 +119,19 @@ EXAMPLES = '''
password: changeit
dest: /etc/security/keystore.jks
- name: Create a key store for the given certificate (lookup)
- name: Create a keystore for the given certificate/private key pair (with files on controller)
community.general.java_keystore:
name: example
certificate: "{{lookup('file', '/path/to/certificate.crt') }}"
private_key: "{{lookup('file', '/path/to/private.key') }}"
certificate: "{{ lookup('file', '/path/to/certificate.crt') }}"
private_key: "{{ lookup('file', '/path/to/private.key') }}"
password: changeit
dest: /etc/security/keystore.jks
- name: Create a keystore for the given certificate/private key pair (with files on target host)
community.general.java_keystore:
name: snakeoil
certificate_path: /etc/ssl/certs/ssl-cert-snakeoil.pem
private_key_path: /etc/ssl/private/ssl-cert-snakeoil.key
password: changeit
dest: /etc/security/keystore.jks
'''
@ -198,22 +237,32 @@ def create_tmp_private_key(module):
def cert_changed(module, openssl_bin, keytool_bin, keystore_path, keystore_pass, alias):
certificate_path = create_tmp_certificate(module)
certificate_path = module.params['certificate_path']
if certificate_path is None:
certificate_path = create_tmp_certificate(module)
try:
current_certificate_fingerprint = read_certificate_fingerprint(module, openssl_bin, certificate_path)
stored_certificate_fingerprint = read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_pass)
return current_certificate_fingerprint != stored_certificate_fingerprint
finally:
os.remove(certificate_path)
if module.params['certificate_path'] is None:
os.remove(certificate_path)
def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password, keypass):
if module.check_mode:
return module.exit_json(changed=True)
certificate_path = create_tmp_certificate(module)
private_key_path = create_tmp_private_key(module)
certificate_path = module.params['certificate_path']
if certificate_path is None:
certificate_path = create_tmp_certificate(module)
private_key_path = module.params['private_key_path']
if private_key_path is None:
private_key_path = create_tmp_private_key(module)
keystore_p12_path = create_path()
try:
if os.path.exists(keystore_path):
os.remove(keystore_path)
@ -257,8 +306,10 @@ def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password,
cmd=import_keystore_cmd,
rc=rc)
finally:
os.remove(certificate_path)
os.remove(private_key_path)
if module.params['certificate_path'] is None:
os.remove(certificate_path)
if module.params['private_key_path'] is None:
os.remove(private_key_path)
os.remove(keystore_p12_path)
@ -301,23 +352,33 @@ class ArgumentSpec(object):
self.supports_check_mode = True
self.add_file_common_args = True
argument_spec = dict(
name=dict(required=True),
certificate=dict(required=True, no_log=True),
private_key=dict(required=True, no_log=True),
password=dict(required=True, no_log=True),
dest=dict(required=True, type='path'),
force=dict(required=False, default=False, type='bool'),
private_key_passphrase=dict(required=False, no_log=True, type='str')
name=dict(type='str', required=True),
dest=dict(type='path', required=True),
certificate=dict(type='str', no_log=True),
certificate_path=dict(type='path'),
private_key=dict(type='str', no_log=True),
private_key_path=dict(type='path', no_log=False),
private_key_passphrase=dict(type='str', no_log=True),
password=dict(type='str', required=True, no_log=True),
force=dict(type='bool', default=False),
)
choose_between = (
['certificate', 'certificate_path'],
['private_key', 'private_key_path'],
)
self.argument_spec = argument_spec
self.required_one_of = choose_between
self.mutually_exclusive = choose_between
def main():
spec = ArgumentSpec()
module = AnsibleModule(
argument_spec=spec.argument_spec,
required_one_of=spec.required_one_of,
mutually_exclusive=spec.mutually_exclusive,
supports_check_mode=spec.supports_check_mode,
add_file_common_args=spec.add_file_common_args,
supports_check_mode=spec.supports_check_mode
)
module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C')
process_jks(module)