Allowing to force account URI. (#44282)

2025-05-08 02:01:31 -07:00 · 2018-08-17 07:43:38 +02:00 · 2018-08-17 07:43:38 +02:00 · cfba02bc3b
commit cfba02bc3b
parent 6caf0e8149
8 changed files with 40 additions and 1 deletions
--- a/lib/ansible/module_utils/acme.py
+++ b/lib/ansible/module_utils/acme.py
@ -514,7 +514,9 @@ class ACMEAccount(object):
        self.key_content = module.params['account_key_content']
        self.directory = ACMEDirectory(module)

-        self.uri = None
+        # Grab account URI from module parameters.
+        # Make sure empty string is treated as None.
+        self.uri = module.params.get('account_uri') or None

        self._openssl_bin = module.get_bin_path('openssl', True)

@ -527,6 +529,9 @@ class ACMEAccount(object):
                "alg": self.key_data['alg'],
                "jwk": self.jwk,
            }
+            if self.uri:
+                # Make sure self.jws_header is updated
+                self.set_account_uri(self.uri)

    def get_keyauthorization(self, token):
        '''
@ -709,6 +714,10 @@ class ACMEAccount(object):
        changed = False
        if self.uri is not None:
            new_account = False
+            if not update_contact:
+                # Verify that the account key belongs to the URI.
+                # (If update_contact is True, this will be done below.)
+                self.get_account_data()
        else:
            new_account = self._new_reg(
                contact,
--- a/lib/ansible/modules/crypto/acme/acme_account.py
+++ b/lib/ansible/modules/crypto/acme/acme_account.py
@ -127,6 +127,7 @@ def main():
        argument_spec=dict(
            account_key_src=dict(type='path', aliases=['account_key']),
            account_key_content=dict(type='str', no_log=True),
+            account_uri=dict(required=False, type='str'),
            acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
            acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
            validate_certs=dict(required=False, default=True, type='bool'),
--- a/lib/ansible/modules/crypto/acme/acme_certificate.py
+++ b/lib/ansible/modules/crypto/acme/acme_certificate.py
@ -869,6 +869,7 @@ def main():
        argument_spec=dict(
            account_key_src=dict(type='path', aliases=['account_key']),
            account_key_content=dict(type='str', no_log=True),
+            account_uri=dict(required=False, type='str'),
            modify_account=dict(required=False, type='bool', default=True),
            acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
            acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
--- a/lib/ansible/modules/crypto/acme/acme_certificate_revoke.py
+++ b/lib/ansible/modules/crypto/acme/acme_certificate_revoke.py
@ -95,6 +95,7 @@ def main():
        argument_spec=dict(
            account_key_src=dict(type='path', aliases=['account_key']),
            account_key_content=dict(type='str', no_log=True),
+            account_uri=dict(required=False, type='str'),
            acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
            acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
            validate_certs=dict(required=False, default=True, type='bool'),
--- a/lib/ansible/utils/module_docs_fragments/acme.py
+++ b/lib/ansible/utils/module_docs_fragments/acme.py
@ -46,6 +46,12 @@ options:
         Ansible in the process of moving the module with its argument to
         the node where it is executed."
    version_added: "2.5"
+  account_uri:
+    description:
+      - "If specified, assumes that the account URI is as given. If the
+         account key does not match this account, or an account with this
+         URI does not exist, the module fails."
+    version_added: "2.7"
  acme_version:
    description:
      - "The ACME version of the endpoint."