Update java_cert module (#2008)

* porting https://github.com/ansible/ansible/pull/56778 as requested in https://github.com/ansible-collections/community.general/issues/821 * fix imports, add back trust_cacerts option * try to fix import, ansible-lint fixes * modify import to use ansible.module_utils.six instead * cleanup indentation for tests/integration/targets/java_cert/tasks/main.yml file * remove external crypto dependency - switch to openssl, work on password obfuscation, using files compare to reduce logic * java_cert - remove latest run_command using password in arguments * fix sanity check * rename changelog fragment file - wrong extension * add openssl dependency * fix openssl_bin parameter missing on _get_digest_from_x509_file function call * remove useless close files, fix paragraph, fix changelog, clean import re * fix missing dots at end-of-line in changelogs fragments * fix reminder case * fix changelog * restore .gitignore * fix indentation on integration test files, delete useless json file * fix typo importing tasks in tests/integration/targets/java_cert/tasks/main.yml * Update changelogs/fragments/2008-update-java-cert-replace-cert-when-changed.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update tests/integration/targets/java_cert/tasks/state_change.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/system/java_cert.py Co-authored-by: Felix Fontein <felix@fontein.de> * fix hardcoded executable keytool, use re.sub instead of import, add required cert_url or cert_alias parameter when absent, fix python script and cert_url test * fix pylint issue with setupSSLServeR.py Co-authored-by: Felix Fontein <felix@fontein.de>
2025-07-08 14:20:04 -07:00 · 2021-04-07 19:31:58 +02:00 · 2021-04-07 19:31:58 +02:00 · 40ce0f995b
commit 40ce0f995b
parent 7145204594
7 changed files with 496 additions and 111 deletions
--- a/tests/integration/targets/java_cert/defaults/main.yml
+++ b/tests/integration/targets/java_cert/defaults/main.yml
@ -1,3 +1,13 @@
 ---
 test_pkcs12_path: testpkcs.p12
-test_keystore_path: keystore.jks
+test_keystore_path: keystore.jks
+test_keystore2_path: "{{ output_dir }}/keystore2.jks"
+test_keystore2_password: changeit
+test_cert_path: "{{ output_dir }}/cert.pem"
+test_key_path: "{{ output_dir }}/key.pem"
+test_cert2_path: "{{ output_dir }}/cert2.pem"
+test_key2_path: "{{ output_dir }}/key2.pem"
+test_pkcs_path: "{{ output_dir }}/cert.p12"
+test_pkcs2_path: "{{ output_dir }}/cert2.p12"
+test_ssl: setupSSLServer.py
+test_ssl_port: 21500
--- a/tests/integration/targets/java_cert/files/setupSSLServer.py
+++ b/tests/integration/targets/java_cert/files/setupSSLServer.py
@ -0,0 +1,20 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+import ssl
+import os
+import sys
+
+root_dir = sys.argv[1]
+port = int(sys.argv[2])
+
+try:
+    from BaseHTTPServer import HTTPServer
+    from SimpleHTTPServer import SimpleHTTPRequestHandler
+except ModuleNotFoundError:
+    from http.server import HTTPServer, SimpleHTTPRequestHandler
+
+httpd = HTTPServer(('localhost', port), SimpleHTTPRequestHandler)
+httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True,
+                               certfile=os.path.join(root_dir, 'cert.pem'),
+                               keyfile=os.path.join(root_dir, 'key.pem'))
+httpd.handle_request()
--- a/tests/integration/targets/java_cert/meta/main.yml
+++ b/tests/integration/targets/java_cert/meta/main.yml
@ -1,2 +1,3 @@
 dependencies:
  - setup_java_keytool
+  - setup_openssl
--- a/tests/integration/targets/java_cert/tasks/main.yml
+++ b/tests/integration/targets/java_cert/tasks/main.yml
@ -11,15 +11,16 @@

    - name: import pkcs12
      java_cert:
-         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-         pkcs12_password: changeit
-         pkcs12_alias: default
-         cert_alias: default
-         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-         keystore_pass: changeme_keystore
-         keystore_create: yes
-         state: present
+        pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+        pkcs12_password: changeit
+        pkcs12_alias: default
+        cert_alias: default
+        keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        keystore_create: yes
+        state: present
      register: result_success
+
    - name: verify success
      assert:
        that:
@ -27,14 +28,14 @@

    - name: import pkcs12 with wrong password
      java_cert:
-         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-         pkcs12_password: wrong_pass
-         pkcs12_alias: default
-         cert_alias: default_new
-         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-         keystore_pass: changeme_keystore
-         keystore_create: yes
-         state: present
+        pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+        pkcs12_password: wrong_pass
+        pkcs12_alias: default
+        cert_alias: default_new
+        keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        keystore_create: yes
+        state: present
      ignore_errors: true
      register: result_wrong_pass

@ -45,16 +46,62 @@

    - name: test fail on mutually exclusive params
      java_cert:
-         cert_path: ca.crt
-         pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
-         cert_alias: default
-         keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
-         keystore_pass: changeme_keystore
-         keystore_create: yes
-         state: present
+        cert_path: ca.crt
+        pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
+        cert_alias: default
+        keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        keystore_create: yes
+        state: present
      ignore_errors: true
      register: result_excl_params
+
    - name: verify failed exclusive params
      assert:
        that:
        - result_excl_params is failed
+
+    - name: test fail on missing required params
+      java_cert:
+        keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        state: absent
+      ignore_errors: true
+      register: result_missing_required_param
+
+    - name: verify failed missing required params
+      assert:
+        that:
+        - result_missing_required_param is failed
+
+    - name: delete object based on cert_alias parameter
+      java_cert:
+        keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        cert_alias: default
+        state: absent
+      ignore_errors: true
+      register: result_alias_deleted
+
+    - name: verify object successfully deleted
+      assert:
+        that:
+        - result_alias_deleted is successful
+
+    - name: include extended test suite 
+      import_tasks: state_change.yml
+
+    - name: cleanup environment
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - "{{ output_dir }}/{{ test_pkcs12_path }}"
+        - "{{ output_dir }}/{{ test_keystore_path }}"
+        - "{{ test_keystore2_path }}"
+        - "{{ test_cert_path }}"
+        - "{{ test_key_path }}"
+        - "{{ test_cert2_path }}"
+        - "{{ test_key2_path }}"
+        - "{{ test_pkcs_path }}"
+        - "{{ test_pkcs2_path }}"
--- a/tests/integration/targets/java_cert/tasks/state_change.yml
+++ b/tests/integration/targets/java_cert/tasks/state_change.yml
@ -0,0 +1,169 @@
+---
+- name: Generate the self signed cert used as a place holder to create the java keystore
+  command: openssl req -x509 -newkey rsa:4096 -keyout {{ test_key_path }} -out {{ test_cert_path }} -days 365 -nodes -subj '/CN=localhost'
+  args:
+    creates: "{{ test_key_path }}"
+
+- name: Create the test keystore
+  java_keystore:
+    name: placeholder
+    dest: "{{ test_keystore2_path }}"
+    password: "{{ test_keystore2_password }}"
+    private_key: "{{ lookup('file', '{{ test_key_path }}') }}"
+    certificate: "{{ lookup('file', '{{ test_cert_path }}') }}"
+
+- name: Generate the self signed cert we will use for testing
+  command: openssl req -x509 -newkey rsa:4096 -keyout '{{ test_key2_path }}' -out '{{ test_cert2_path }}' -days 365 -nodes -subj '/CN=localhost'
+  args:
+    creates: "{{ test_key2_path }}"
+
+- name: |
+    Import the newly created certificate. This is our main test.
+    If the java_cert has been updated properly, then this task will report changed each time
+    since the module will be comparing the hash of the certificate instead of validating that the alias
+    simply exists
+  java_cert:
+    cert_alias: test_cert
+    cert_path: "{{ test_cert2_path }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: present
+  register: result_x509_changed
+
+- name: Verify the x509 status has changed
+  assert:
+    that:
+      - result_x509_changed is changed
+
+- name: |
+    We also want to make sure that the status doesnt change if we import the same cert
+  java_cert:
+    cert_alias: test_cert
+    cert_path: "{{ test_cert2_path }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: present
+  register: result_x509_succeeded
+
+- name: Verify the x509 status is ok
+  assert:
+    that:
+      - result_x509_succeeded is succeeded
+
+- name: Create the pkcs12 archive from the test x509 cert
+  command: >
+    openssl pkcs12
+    -in {{ test_cert_path }}
+    -inkey {{ test_key_path }}
+    -export
+    -name test_pkcs12_cert
+    -out {{ test_pkcs_path }}
+    -passout pass:"{{ test_keystore2_password }}"
+
+- name: Create the pkcs12 archive from the certificate we will be trying to add to the keystore
+  command: >
+    openssl pkcs12
+    -in {{ test_cert2_path }}
+    -inkey {{ test_key2_path }}
+    -export
+    -name test_pkcs12_cert
+    -out {{ test_pkcs2_path }}
+    -passout pass:"{{ test_keystore2_password }}"
+
+- name: >
+    Ensure the original pkcs12 cert is in the keystore
+  java_cert:
+    cert_alias: test_pkcs12_cert
+    pkcs12_alias: test_pkcs12_cert
+    pkcs12_path: "{{ test_pkcs_path }}"
+    pkcs12_password: "{{ test_keystore2_password }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: present
+
+- name: |
+    Perform the same test, but we will now be testing the pkcs12 functionality
+    If we add a different pkcs12 cert with the same alias, we should have a chnaged result, NOT the same
+  java_cert:
+    cert_alias: test_pkcs12_cert
+    pkcs12_alias: test_pkcs12_cert
+    pkcs12_path: "{{ test_pkcs2_path }}"
+    pkcs12_password: "{{ test_keystore2_password }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: present
+  register: result_pkcs12_changed
+
+- name: Verify the pkcs12 status has changed
+  assert:
+    that:
+      - result_pkcs12_changed is changed
+
+- name: |
+    We are requesting the same cert now, so the status should show OK
+  java_cert:
+    cert_alias: test_pkcs12_cert
+    pkcs12_alias: test_pkcs12_cert
+    pkcs12_path: "{{ test_pkcs2_path }}"
+    pkcs12_password: "{{ test_keystore2_password }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+  register: result_pkcs12_succeeded
+
+- name: Verify the pkcs12 status is ok
+  assert:
+    that:
+      - result_pkcs12_succeeded is succeeded
+
+- name: Copy the ssl server script
+  copy:
+    src: "setupSSLServer.py"
+    dest: "{{ output_dir }}"
+
+- name: Create an SSL server that we will use for testing URL imports
+  command: python {{ output_dir }}/setupSSLServer.py {{ output_dir }} {{ test_ssl_port }}
+  async: 10
+  poll: 0
+
+- name: |
+    Download the original cert.pem from our temporary server. The current cert should contain
+     cert2.pem. Importing this cert should return a status of changed
+  java_cert:
+    cert_alias: test_cert_localhost
+    cert_url: localhost
+    cert_port: "{{ test_ssl_port }}"
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: present
+  register: result_url_changed
+
+- name: Verify that the url status is changed
+  assert:
+    that:
+      - result_url_changed is changed
+
+- name: Ensure we can remove the x509 cert
+  java_cert:
+    cert_alias: test_cert
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: absent
+  register: result_x509_absent
+
+- name: Verify the x509 cert is absent
+  assert:
+    that:
+      - result_x509_absent is changed
+
+- name: Ensure we can remove the pkcs12 archive
+  java_cert:
+    cert_alias: test_pkcs12_cert
+    keystore_path: "{{ test_keystore2_path }}"
+    keystore_pass: "{{ test_keystore2_password }}"
+    state: absent
+  register: result_pkcs12_absent
+
+- name: Verify the pkcs12 archive is absent
+  assert:
+    that:
+      - result_pkcs12_absent is changed