mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-26 13:56:09 -07:00 
			
		
		
		
	* fix wrong certificate alias used when importing pkcs12, modify error output, stdout is more relevant than stderr
* add changelog fragment
* fix changelog fragment
(cherry picked from commit 8f083d5d85)
Co-authored-by: absynth76 <58172580+absynth76@users.noreply.github.com>
		
	
			
		
			
				
	
	
		
			532 lines
		
	
	
	
		
			18 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			532 lines
		
	
	
	
		
			18 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| # Copyright: (c) 2013, RSD Services S.A
 | |
| # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| 
 | |
| from __future__ import absolute_import, division, print_function
 | |
| __metaclass__ = type
 | |
| 
 | |
| DOCUMENTATION = r'''
 | |
| ---
 | |
| module: java_cert
 | |
| 
 | |
| short_description: Uses keytool to import/remove key from java keystore (cacerts)
 | |
| description:
 | |
|   - This is a wrapper module around keytool, which can be used to import/remove
 | |
|     certificates from a given java keystore.
 | |
| options:
 | |
|   cert_url:
 | |
|     description:
 | |
|       - Basic URL to fetch SSL certificate from.
 | |
|       - One of C(cert_url) or C(cert_path) is required to load certificate.
 | |
|     type: str
 | |
|   cert_port:
 | |
|     description:
 | |
|       - Port to connect to URL.
 | |
|       - This will be used to create server URL:PORT.
 | |
|     type: int
 | |
|     default: 443
 | |
|   cert_path:
 | |
|     description:
 | |
|       - Local path to load certificate from.
 | |
|       - One of C(cert_url) or C(cert_path) is required to load certificate.
 | |
|     type: path
 | |
|   cert_alias:
 | |
|     description:
 | |
|       - Imported certificate alias.
 | |
|       - The alias is used when checking for the presence of a certificate in the keystore.
 | |
|     type: str
 | |
|   trust_cacert:
 | |
|     description:
 | |
|       - Trust imported cert as CAcert.
 | |
|     type: bool
 | |
|     default: False
 | |
|     version_added: '0.2.0'
 | |
|   pkcs12_path:
 | |
|     description:
 | |
|       - Local path to load PKCS12 keystore from.
 | |
|     type: path
 | |
|   pkcs12_password:
 | |
|     description:
 | |
|       - Password for importing from PKCS12 keystore.
 | |
|     type: str
 | |
|     default: ''
 | |
|   pkcs12_alias:
 | |
|     description:
 | |
|       - Alias in the PKCS12 keystore.
 | |
|     type: str
 | |
|   keystore_path:
 | |
|     description:
 | |
|       - Path to keystore.
 | |
|     type: path
 | |
|   keystore_pass:
 | |
|     description:
 | |
|       - Keystore password.
 | |
|     type: str
 | |
|     required: true
 | |
|   keystore_create:
 | |
|     description:
 | |
|       - Create keystore if it does not exist.
 | |
|     type: bool
 | |
|     default: false
 | |
|   keystore_type:
 | |
|     description:
 | |
|       - Keystore type (JCEKS, JKS).
 | |
|     type: str
 | |
|   executable:
 | |
|     description:
 | |
|       - Path to keytool binary if not used we search in PATH for it.
 | |
|     type: str
 | |
|     default: keytool
 | |
|   state:
 | |
|     description:
 | |
|       - Defines action which can be either certificate import or removal.
 | |
|       - When state is present, the certificate will always idempotently be inserted
 | |
|         into the keystore, even if there already exists a cert alias that is different.
 | |
|     type: str
 | |
|     choices: [ absent, present ]
 | |
|     default: present
 | |
| requirements: [openssl, keytool]
 | |
| author:
 | |
| - Adam Hamsik (@haad)
 | |
| '''
 | |
| 
 | |
| EXAMPLES = r'''
 | |
| - name: Import SSL certificate from google.com to a given cacerts keystore
 | |
|   community.general.java_cert:
 | |
|     cert_url: google.com
 | |
|     cert_port: 443
 | |
|     keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
 | |
|     keystore_pass: changeit
 | |
|     state: present
 | |
| 
 | |
| - name: Remove certificate with given alias from a keystore
 | |
|   community.general.java_cert:
 | |
|     cert_url: google.com
 | |
|     keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
 | |
|     keystore_pass: changeit
 | |
|     executable: /usr/lib/jvm/jre7/bin/keytool
 | |
|     state: absent
 | |
| 
 | |
| - name: Import trusted CA from SSL certificate
 | |
|   community.general.java_cert:
 | |
|     cert_path: /opt/certs/rootca.crt
 | |
|     keystore_path: /tmp/cacerts
 | |
|     keystore_pass: changeit
 | |
|     keystore_create: yes
 | |
|     state: present
 | |
|     cert_alias: LE_RootCA
 | |
|     trust_cacert: True
 | |
| 
 | |
| - name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
 | |
|   community.general.java_cert:
 | |
|     cert_url: google.com
 | |
|     keystore_path: /tmp/cacerts
 | |
|     keystore_pass: changeit
 | |
|     keystore_create: yes
 | |
|     state: present
 | |
| 
 | |
| - name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
 | |
|   community.general.java_cert:
 | |
|     pkcs12_path: "/tmp/importkeystore.p12"
 | |
|     cert_alias: default
 | |
|     keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
 | |
|     keystore_pass: changeit
 | |
|     keystore_create: yes
 | |
|     state: present
 | |
| 
 | |
| - name: Import SSL certificate to JCEKS keystore
 | |
|   community.general.java_cert:
 | |
|     pkcs12_path: "/tmp/importkeystore.p12"
 | |
|     pkcs12_alias: default
 | |
|     pkcs12_password: somepass
 | |
|     cert_alias: default
 | |
|     keystore_path: /opt/someapp/security/keystore.jceks
 | |
|     keystore_type: "JCEKS"
 | |
|     keystore_pass: changeit
 | |
|     keystore_create: yes
 | |
|     state: present
 | |
| '''
 | |
| 
 | |
| RETURN = r'''
 | |
| msg:
 | |
|   description: Output from stdout of keytool command after execution of given command.
 | |
|   returned: success
 | |
|   type: str
 | |
|   sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'"
 | |
| 
 | |
| rc:
 | |
|   description: Keytool command execution return value.
 | |
|   returned: success
 | |
|   type: int
 | |
|   sample: "0"
 | |
| 
 | |
| cmd:
 | |
|   description: Executed command to get action done.
 | |
|   returned: success
 | |
|   type: str
 | |
|   sample: "keytool -importcert -noprompt -keystore"
 | |
| '''
 | |
| 
 | |
| import os
 | |
| import tempfile
 | |
| import random
 | |
| import string
 | |
| import re
 | |
| 
 | |
| 
 | |
| # import module snippets
 | |
| from ansible.module_utils.basic import AnsibleModule
 | |
| from ansible.module_utils.six.moves.urllib.parse import urlparse
 | |
| from ansible.module_utils.six.moves.urllib.request import getproxies
 | |
| 
 | |
| 
 | |
| def _get_keystore_type_keytool_parameters(keystore_type):
 | |
|     ''' Check that custom keystore is presented in parameters '''
 | |
|     if keystore_type:
 | |
|         return ["-storetype", keystore_type]
 | |
|     return []
 | |
| 
 | |
| 
 | |
| def _check_cert_present(module, executable, keystore_path, keystore_pass, alias, keystore_type):
 | |
|     ''' Check if certificate with alias is present in keystore
 | |
|         located at keystore_path '''
 | |
|     test_cmd = [
 | |
|         executable,
 | |
|         "-list",
 | |
|         "-keystore",
 | |
|         keystore_path,
 | |
|         "-alias",
 | |
|         alias,
 | |
|         "-rfc"
 | |
|     ]
 | |
|     test_cmd += _get_keystore_type_keytool_parameters(keystore_type)
 | |
| 
 | |
|     (check_rc, stdout, dummy) = module.run_command(test_cmd, data=keystore_pass, check_rc=False)
 | |
|     if check_rc == 0:
 | |
|         return (True, stdout)
 | |
|     return (False, '')
 | |
| 
 | |
| 
 | |
| def _get_certificate_from_url(module, executable, url, port, pem_certificate_output):
 | |
|     remote_cert_pem_chain = _download_cert_url(module, executable, url, port)
 | |
|     with open(pem_certificate_output, 'w') as f:
 | |
|         f.write(remote_cert_pem_chain)
 | |
| 
 | |
| 
 | |
| def _get_first_certificate_from_x509_file(module, pem_certificate_file, pem_certificate_output, openssl_bin):
 | |
|     """ Read a X509 certificate chain file and output the first certificate in the list """
 | |
|     extract_cmd = [
 | |
|         openssl_bin,
 | |
|         "x509",
 | |
|         "-in",
 | |
|         pem_certificate_file,
 | |
|         "-out",
 | |
|         pem_certificate_output
 | |
|     ]
 | |
|     (extract_rc, dummy, extract_stderr) = module.run_command(extract_cmd, check_rc=False)
 | |
| 
 | |
|     if extract_rc != 0:
 | |
|         # trying der encoded file
 | |
|         extract_cmd += ["-inform", "der"]
 | |
|         (extract_rc, dummy, extract_stderr) = module.run_command(extract_cmd, check_rc=False)
 | |
| 
 | |
|         if extract_rc != 0:
 | |
|             # this time it's a real failure
 | |
|             module.fail_json(msg="Internal module failure, cannot extract certificate, error: %s" % extract_stderr,
 | |
|                              rc=extract_rc, cmd=extract_cmd)
 | |
| 
 | |
|     return extract_rc
 | |
| 
 | |
| 
 | |
| def _get_digest_from_x509_file(module, pem_certificate_file, openssl_bin):
 | |
|     """ Read a X509 certificate file and output sha256 digest using openssl """
 | |
|     # cleanup file before to compare
 | |
|     (dummy, tmp_certificate) = tempfile.mkstemp()
 | |
|     module.add_cleanup_file(tmp_certificate)
 | |
|     _get_first_certificate_from_x509_file(module, pem_certificate_file, tmp_certificate, openssl_bin)
 | |
|     dgst_cmd = [
 | |
|         openssl_bin,
 | |
|         "dgst",
 | |
|         "-r",
 | |
|         "-sha256",
 | |
|         tmp_certificate
 | |
|     ]
 | |
|     (dgst_rc, dgst_stdout, dgst_stderr) = module.run_command(dgst_cmd, check_rc=False)
 | |
| 
 | |
|     if dgst_rc != 0:
 | |
|         module.fail_json(msg="Internal module failure, cannot compute digest for certificate, error: %s" % dgst_stderr,
 | |
|                          rc=dgst_rc, cmd=dgst_cmd)
 | |
| 
 | |
|     return dgst_stdout.split(' ')[0]
 | |
| 
 | |
| 
 | |
| def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, password, dest):
 | |
|     """ Runs keytools to extract the public cert from a PKCS12 archive and write it to a file. """
 | |
|     export_cmd = [
 | |
|         executable,
 | |
|         "-list",
 | |
|         "-keystore",
 | |
|         pkcs_file,
 | |
|         "-alias",
 | |
|         alias,
 | |
|         "-storetype",
 | |
|         "pkcs12",
 | |
|         "-rfc"
 | |
|     ]
 | |
|     (export_rc, export_stdout, export_err) = module.run_command(export_cmd, data=password, check_rc=False)
 | |
| 
 | |
|     if export_rc != 0:
 | |
|         module.fail_json(msg="Internal module failure, cannot extract public certificate from pkcs12, error: %s" % export_stdout,
 | |
|                          rc=export_rc)
 | |
| 
 | |
|     with open(dest, 'w') as f:
 | |
|         f.write(export_stdout)
 | |
| 
 | |
| 
 | |
| def get_proxy_settings(scheme='https'):
 | |
|     """ Returns a tuple containing (proxy_host, proxy_port). (False, False) if no proxy is found """
 | |
|     proxy_url = getproxies().get(scheme, '')
 | |
|     if not proxy_url:
 | |
|         return (False, False)
 | |
|     else:
 | |
|         parsed_url = urlparse(proxy_url)
 | |
|         if parsed_url.scheme:
 | |
|             (proxy_host, proxy_port) = parsed_url.netloc.split(':')
 | |
|         else:
 | |
|             (proxy_host, proxy_port) = parsed_url.path.split(':')
 | |
|         return (proxy_host, proxy_port)
 | |
| 
 | |
| 
 | |
| def build_proxy_options():
 | |
|     """ Returns list of valid proxy options for keytool """
 | |
|     (proxy_host, proxy_port) = get_proxy_settings()
 | |
|     no_proxy = os.getenv("no_proxy")
 | |
| 
 | |
|     proxy_opts = []
 | |
|     if proxy_host:
 | |
|         proxy_opts.extend(["-J-Dhttps.proxyHost=%s" % proxy_host, "-J-Dhttps.proxyPort=%s" % proxy_port])
 | |
| 
 | |
|         if no_proxy is not None:
 | |
|             # For Java's nonProxyHosts property, items are separated by '|',
 | |
|             # and patterns have to start with "*".
 | |
|             non_proxy_hosts = no_proxy.replace(',', '|')
 | |
|             non_proxy_hosts = re.sub(r'(^|\|)\.', r'\1*.', non_proxy_hosts)
 | |
| 
 | |
|             # The property name is http.nonProxyHosts, there is no
 | |
|             # separate setting for HTTPS.
 | |
|             proxy_opts.extend(["-J-Dhttp.nonProxyHosts=%s" % non_proxy_hosts])
 | |
|     return proxy_opts
 | |
| 
 | |
| 
 | |
| def _download_cert_url(module, executable, url, port):
 | |
|     """ Fetches the certificate from the remote URL using `keytool -printcert...`
 | |
|           The PEM formatted string is returned """
 | |
|     proxy_opts = build_proxy_options()
 | |
|     fetch_cmd = [executable, "-printcert", "-rfc", "-sslserver"] + proxy_opts + ["%s:%d" % (url, port)]
 | |
| 
 | |
|     # Fetch SSL certificate from remote host.
 | |
|     (fetch_rc, fetch_out, fetch_err) = module.run_command(fetch_cmd, check_rc=False)
 | |
| 
 | |
|     if fetch_rc != 0:
 | |
|         module.fail_json(msg="Internal module failure, cannot download certificate, error: %s" % fetch_err,
 | |
|                          rc=fetch_rc, cmd=fetch_cmd)
 | |
| 
 | |
|     return fetch_out
 | |
| 
 | |
| 
 | |
| def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias, keystore_type, trust_cacert):
 | |
|     ''' Import certificate from path into keystore located on
 | |
|         keystore_path as alias '''
 | |
|     import_cmd = [
 | |
|         executable,
 | |
|         "-importcert",
 | |
|         "-noprompt",
 | |
|         "-keystore",
 | |
|         keystore_path,
 | |
|         "-file",
 | |
|         path,
 | |
|         "-alias",
 | |
|         alias
 | |
|     ]
 | |
|     import_cmd += _get_keystore_type_keytool_parameters(keystore_type)
 | |
| 
 | |
|     if trust_cacert:
 | |
|         import_cmd.extend(["-trustcacerts"])
 | |
| 
 | |
|     # Use local certificate from local path and import it to a java keystore
 | |
|     (import_rc, import_out, import_err) = module.run_command(import_cmd,
 | |
|                                                              data="%s\n%s" % (keystore_pass, keystore_pass),
 | |
|                                                              check_rc=False)
 | |
| 
 | |
|     diff = {'before': '\n', 'after': '%s\n' % alias}
 | |
|     if import_rc == 0:
 | |
|         module.exit_json(changed=True, msg=import_out,
 | |
|                          rc=import_rc, cmd=import_cmd, stdout=import_out,
 | |
|                          error=import_err, diff=diff)
 | |
|     else:
 | |
|         module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
 | |
| 
 | |
| 
 | |
| def delete_cert(module, executable, keystore_path, keystore_pass, alias, keystore_type, exit_after=True):
 | |
|     ''' Delete certificate identified with alias from keystore on keystore_path '''
 | |
|     del_cmd = [
 | |
|         executable,
 | |
|         "-delete",
 | |
|         "-noprompt",
 | |
|         "-keystore",
 | |
|         keystore_path,
 | |
|         "-alias",
 | |
|         alias
 | |
|     ]
 | |
| 
 | |
|     del_cmd += _get_keystore_type_keytool_parameters(keystore_type)
 | |
| 
 | |
|     # Delete SSL certificate from keystore
 | |
|     (del_rc, del_out, del_err) = module.run_command(del_cmd, data=keystore_pass, check_rc=True)
 | |
| 
 | |
|     if exit_after:
 | |
|         diff = {'before': '%s\n' % alias, 'after': None}
 | |
| 
 | |
|         module.exit_json(changed=True, msg=del_out,
 | |
|                          rc=del_rc, cmd=del_cmd, stdout=del_out,
 | |
|                          error=del_err, diff=diff)
 | |
| 
 | |
| 
 | |
| def test_keytool(module, executable):
 | |
|     ''' Test if keytool is actually executable or not '''
 | |
|     module.run_command("%s" % executable, check_rc=True)
 | |
| 
 | |
| 
 | |
| def test_keystore(module, keystore_path):
 | |
|     ''' Check if we can access keystore as file or not '''
 | |
|     if keystore_path is None:
 | |
|         keystore_path = ''
 | |
| 
 | |
|     if not os.path.exists(keystore_path) and not os.path.isfile(keystore_path):
 | |
|         # Keystore doesn't exist we want to create it
 | |
|         module.fail_json(changed=False, msg="Module require existing keystore at keystore_path '%s'" % keystore_path)
 | |
| 
 | |
| 
 | |
| def main():
 | |
|     argument_spec = dict(
 | |
|         cert_url=dict(type='str'),
 | |
|         cert_path=dict(type='path'),
 | |
|         pkcs12_path=dict(type='path'),
 | |
|         pkcs12_password=dict(type='str', no_log=True),
 | |
|         pkcs12_alias=dict(type='str'),
 | |
|         cert_alias=dict(type='str'),
 | |
|         cert_port=dict(type='int', default=443),
 | |
|         keystore_path=dict(type='path'),
 | |
|         keystore_pass=dict(type='str', required=True, no_log=True),
 | |
|         trust_cacert=dict(type='bool', default=False),
 | |
|         keystore_create=dict(type='bool', default=False),
 | |
|         keystore_type=dict(type='str'),
 | |
|         executable=dict(type='str', default='keytool'),
 | |
|         state=dict(type='str', default='present', choices=['absent', 'present']),
 | |
|     )
 | |
| 
 | |
|     module = AnsibleModule(
 | |
|         argument_spec=argument_spec,
 | |
|         required_if=[['state', 'present', ('cert_path', 'cert_url', 'pkcs12_path'), True],
 | |
|                      ['state', 'absent', ('cert_url', 'cert_alias'), True]],
 | |
|         required_together=[['keystore_path', 'keystore_pass']],
 | |
|         mutually_exclusive=[
 | |
|             ['cert_url', 'cert_path', 'pkcs12_path']
 | |
|         ],
 | |
|         supports_check_mode=True,
 | |
|     )
 | |
| 
 | |
|     url = module.params.get('cert_url')
 | |
|     path = module.params.get('cert_path')
 | |
|     port = module.params.get('cert_port')
 | |
| 
 | |
|     pkcs12_path = module.params.get('pkcs12_path')
 | |
|     pkcs12_pass = module.params.get('pkcs12_password', '')
 | |
|     pkcs12_alias = module.params.get('pkcs12_alias', '1')
 | |
| 
 | |
|     cert_alias = module.params.get('cert_alias') or url
 | |
|     trust_cacert = module.params.get('trust_cacert')
 | |
| 
 | |
|     keystore_path = module.params.get('keystore_path')
 | |
|     keystore_pass = module.params.get('keystore_pass')
 | |
|     keystore_create = module.params.get('keystore_create')
 | |
|     keystore_type = module.params.get('keystore_type')
 | |
|     executable = module.params.get('executable')
 | |
|     state = module.params.get('state')
 | |
| 
 | |
|     # openssl dependency resolution
 | |
|     openssl_bin = module.get_bin_path('openssl', True)
 | |
| 
 | |
|     if path and not cert_alias:
 | |
|         module.fail_json(changed=False,
 | |
|                          msg="Using local path import from %s requires alias argument."
 | |
|                              % keystore_path)
 | |
| 
 | |
|     test_keytool(module, executable)
 | |
| 
 | |
|     if not keystore_create:
 | |
|         test_keystore(module, keystore_path)
 | |
| 
 | |
|     alias_exists, alias_exists_output = _check_cert_present(
 | |
|         module, executable, keystore_path, keystore_pass, cert_alias, keystore_type)
 | |
| 
 | |
|     (dummy, new_certificate) = tempfile.mkstemp()
 | |
|     (dummy, old_certificate) = tempfile.mkstemp()
 | |
|     module.add_cleanup_file(new_certificate)
 | |
|     module.add_cleanup_file(old_certificate)
 | |
| 
 | |
|     if state == 'absent' and alias_exists:
 | |
|         if module.check_mode:
 | |
|             module.exit_json(changed=True)
 | |
| 
 | |
|         # delete and exit
 | |
|         delete_cert(module, executable, keystore_path, keystore_pass, cert_alias, keystore_type)
 | |
| 
 | |
|     # dump certificate to enroll in the keystore on disk and compute digest
 | |
|     if state == 'present':
 | |
|         # The alias exists in the keystore so we must now compare the SHA256 hash of the
 | |
|         # public certificate already in the keystore, and the certificate we  are wanting to add
 | |
|         if alias_exists:
 | |
|             with open(old_certificate, "w") as f:
 | |
|                 f.write(alias_exists_output)
 | |
|             keystore_cert_digest = _get_digest_from_x509_file(module, old_certificate, openssl_bin)
 | |
| 
 | |
|         else:
 | |
|             keystore_cert_digest = ''
 | |
| 
 | |
|         if pkcs12_path:
 | |
|             # Extracting certificate with openssl
 | |
|             _export_public_cert_from_pkcs12(module, executable, pkcs12_path, pkcs12_alias, pkcs12_pass, new_certificate)
 | |
| 
 | |
|         elif path:
 | |
|             # Extracting the X509 digest is a bit easier. Keytool will print the PEM
 | |
|             # certificate to stdout so we don't need to do any transformations.
 | |
|             new_certificate = path
 | |
| 
 | |
|         elif url:
 | |
|             # Getting the X509 digest from a URL is the same as from a path, we just have
 | |
|             # to download the cert first
 | |
|             _get_certificate_from_url(module, executable, url, port, new_certificate)
 | |
| 
 | |
|         new_cert_digest = _get_digest_from_x509_file(module, new_certificate, openssl_bin)
 | |
| 
 | |
|         if keystore_cert_digest != new_cert_digest:
 | |
| 
 | |
|             if module.check_mode:
 | |
|                 module.exit_json(changed=True)
 | |
| 
 | |
|             if alias_exists:
 | |
|                 # The certificate in the keystore does not match with the one we want to be present
 | |
|                 # The existing certificate must first be deleted before we insert the correct one
 | |
|                 delete_cert(module, executable, keystore_path, keystore_pass, cert_alias, keystore_type, exit_after=False)
 | |
| 
 | |
|             import_cert_path(module, executable, new_certificate, keystore_path,
 | |
|                              keystore_pass, cert_alias, keystore_type, trust_cacert)
 | |
| 
 | |
|     module.exit_json(changed=False)
 | |
| 
 | |
| 
 | |
| if __name__ == "__main__":
 | |
|     main()
 |