community.crypto/plugins/action/openssl_privatekey_pipe.py

# -*- coding: utf-8 -*-

# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import absolute_import, division, print_function
__metaclass__ = type


import base64

from ansible.module_utils.common.text.converters import to_native, to_bytes

from ansible_collections.community.crypto.plugins.plugin_utils.action_module import ActionModuleBase

from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
    OpenSSLObjectError,
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.privatekey import (
    select_backend,
    get_privatekey_argument_spec,
)


class PrivateKeyModule(object):
    def __init__(self, module, module_backend):
        self.module = module
        self.module_backend = module_backend
        self.check_mode = module.check_mode
        self.changed = False
        self.return_current_key = module.params['return_current_key']

        if module.params['content'] is not None:
            if module.params['content_base64']:
                try:
                    data = base64.b64decode(module.params['content'])
                except Exception as e:
                    module.fail_json(msg='Cannot decode Base64 encoded data: {0}'.format(e))
            else:
                data = to_bytes(module.params['content'])
            module_backend.set_existing(data)

    def generate(self, module):
        """Generate a keypair."""

        if self.module_backend.needs_regeneration():
            # Regenerate
            if not self.check_mode:
                self.module_backend.generate_private_key()
                privatekey_data = self.module_backend.get_private_key_data()
                self.privatekey_bytes = privatekey_data
            else:
                self.module.deprecate(
                    'Check mode support for openssl_privatekey_pipe will change in community.crypto 3.0.0'
                    ' to behave the same as without check mode. You can get that behavior right now'
                    ' by adding `check_mode: false` to the openssl_privatekey_pipe task. If you think this'
                    ' breaks your use-case of this module, please create an issue in the'
                    ' community.crypto repository',
                    version='3.0.0',
                    collection_name='community.crypto',
                )
            self.changed = True
        elif self.module_backend.needs_conversion():
            # Convert
            if not self.check_mode:
                self.module_backend.convert_private_key()
                privatekey_data = self.module_backend.get_private_key_data()
                self.privatekey_bytes = privatekey_data
            else:
                self.module.deprecate(
                    'Check mode support for openssl_privatekey_pipe will change in community.crypto 3.0.0'
                    ' to behave the same as without check mode. You can get that behavior right now'
                    ' by adding `check_mode: false` to the openssl_privatekey_pipe task. If you think this'
                    ' breaks your use-case of this module, please create an issue in the'
                    ' community.crypto repository',
                    version='3.0.0',
                    collection_name='community.crypto',
                )
            self.changed = True

    def dump(self):
        """Serialize the object into a dictionary."""
        result = self.module_backend.dump(include_key=self.changed or self.return_current_key)
        result['changed'] = self.changed
        return result


class ActionModule(ActionModuleBase):
    @staticmethod
    def setup_module():
        argument_spec = get_privatekey_argument_spec()
        argument_spec.argument_spec.update(dict(
            content=dict(type='str', no_log=True),
            content_base64=dict(type='bool', default=False),
            return_current_key=dict(type='bool', default=False),
        ))
        return argument_spec, dict(
            supports_check_mode=True,
        )

    @staticmethod
    def run_module(module):
        backend, module_backend = select_backend(
            module=module,
            backend=module.params['select_crypto_backend'],
        )

        try:
            private_key = PrivateKeyModule(module, module_backend)
            private_key.generate(module)
            result = private_key.dump()
            if private_key.return_current_key:
                # In case the module's input (`content`) is returned as `privatekey`:
                # Since `content` is no_log=True, `privatekey`'s value will get replaced by
                # VALUE_SPECIFIED_IN_NO_LOG_PARAMETER. To avoid this, we remove the value of
                # `content` from module.no_log_values. Since we explicitly set
                # `module.no_log = True`, this should be safe.
                module.no_log = True
                try:
                    module.no_log_values.remove(module.params['content'])
                except KeyError:
                    pass
                module.params['content'] = 'ANSIBLE_NO_LOG_VALUE'
            module.exit_json(**result)
        except OpenSSLObjectError as exc:
            module.fail_json(msg=to_native(exc))
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00			`# -- coding: utf-8 --`

Move licenses to LICENSES/, use SPDX-License-Identifier, mention all licenses in galaxy.yml (#491) * Add SPDX license identifiers, mention all licenses in galaxy.yml. * Add default copyright headers. * Add headers for documents. * Fix/add more copyright statements. * Add copyright / license info for vendored code. * Add extra sanity test. * Add changelog fragment. * Comment PSF-2.0 license out in galaxy.yml for now. * Remove colon after 'Copyright'. * Avoid colon after 'Copyright' in lint script. * Mention correct filename. * Add BSD-3-Clause. * Improve lint script. * Update README. * Symlinks... 2022-07-21 05:27:26 +00:00			`# Copyright (c) 2020, Felix Fontein <felix@fontein.de>`
			`# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00
			`from __future__ import absolute_import, division, print_function`
			`__metaclass__ = type`


			`import base64`

Replace ansible.module_utils._text by ansible.module_utils.common.text.converters. (#253) 2021-06-26 11:45:28 +00:00			`from ansible.module_utils.common.text.converters import to_native, to_bytes`
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00
Move action_module from module_utils to plugin_utils (#134) * Move action_module from module_utils to plugin_utils. * ci_complete 2020-11-03 08:21:35 +00:00			`from ansible_collections.community.crypto.plugins.plugin_utils.action_module import ActionModuleBase`
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00
			`from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (`
			`OpenSSLObjectError,`
			`)`

			`from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.privatekey import (`
			`select_backend,`
			`get_privatekey_argument_spec,`
			`)`


			`class PrivateKeyModule(object):`
			`def __init__(self, module, module_backend):`
			`self.module = module`
			`self.module_backend = module_backend`
			`self.check_mode = module.check_mode`
			`self.changed = False`
			`self.return_current_key = module.params['return_current_key']`

			`if module.params['content'] is not None:`
			`if module.params['content_base64']:`
			`try:`
			`data = base64.b64decode(module.params['content'])`
			`except Exception as e:`
			`module.fail_json(msg='Cannot decode Base64 encoded data: {0}'.format(e))`
			`else:`
			`data = to_bytes(module.params['content'])`
			`module_backend.set_existing(data)`

			`def generate(self, module):`
			`"""Generate a keypair."""`

			`if self.module_backend.needs_regeneration():`
			`# Regenerate`
			`if not self.check_mode:`
			`self.module_backend.generate_private_key()`
			`privatekey_data = self.module_backend.get_private_key_data()`
			`self.privatekey_bytes = privatekey_data`
Deprecate check mode behavior of pipe modules. (#714) 2024-02-25 16:00:37 +00:00			`else:`
			`self.module.deprecate(`
			`'Check mode support for openssl_privatekey_pipe will change in community.crypto 3.0.0'`
			`' to behave the same as without check mode. You can get that behavior right now'`
			' by adding `check_mode: false` to the openssl_privatekey_pipe task. If you think this'
			`' breaks your use-case of this module, please create an issue in the'`
			`' community.crypto repository',`
			`version='3.0.0',`
			`collection_name='community.crypto',`
			`)`
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00			`self.changed = True`
			`elif self.module_backend.needs_conversion():`
			`# Convert`
			`if not self.check_mode:`
			`self.module_backend.convert_private_key()`
			`privatekey_data = self.module_backend.get_private_key_data()`
			`self.privatekey_bytes = privatekey_data`
Deprecate check mode behavior of pipe modules. (#714) 2024-02-25 16:00:37 +00:00			`else:`
			`self.module.deprecate(`
			`'Check mode support for openssl_privatekey_pipe will change in community.crypto 3.0.0'`
			`' to behave the same as without check mode. You can get that behavior right now'`
			' by adding `check_mode: false` to the openssl_privatekey_pipe task. If you think this'
			`' breaks your use-case of this module, please create an issue in the'`
			`' community.crypto repository',`
			`version='3.0.0',`
			`collection_name='community.crypto',`
			`)`
Refactor openssl_privatekey module, move add openssl_privatekey_pipe module (#119) * Move disk-independent parts of openssl_privatekey to module_utils and doc_fragments. * Improve documentation. * Add openssl_privatekey_pipe module. * Fallback in case no fingerprints are returned. * Prevent no_log=True for content to stop module from working correctly. * Forgot version_added. * Update copyright. All the interesting code is no longer in this file anyway. * Remove file arguments. * Add framework for action modules. * Convert openssl_privatekey_pipe to action plugin. * Linting. * Bump version. * Add return_current_key option. * Add no_log to examples. * Remove preparation for potential later extensibility (easy to re-add when needed). * Fix deprecation version in docs. * Use new ArgumentSpec object for AnsibleActionModule as well. 2020-10-28 20:52:54 +00:00			`self.changed = True`

			`def dump(self):`
			`"""Serialize the object into a dictionary."""`
			`result = self.module_backend.dump(include_key=self.changed or self.return_current_key)`
			`result['changed'] = self.changed`
			`return result`


			`class ActionModule(ActionModuleBase):`
			`@staticmethod`
			`def setup_module():`
			`argument_spec = get_privatekey_argument_spec()`
			`argument_spec.argument_spec.update(dict(`
			`content=dict(type='str', no_log=True),`
			`content_base64=dict(type='bool', default=False),`
			`return_current_key=dict(type='bool', default=False),`
			`))`
			`return argument_spec, dict(`
			`supports_check_mode=True,`
			`)`

			`@staticmethod`
			`def run_module(module):`
			`backend, module_backend = select_backend(`
			`module=module,`
			`backend=module.params['select_crypto_backend'],`
			`)`

			`try:`
			`private_key = PrivateKeyModule(module, module_backend)`
			`private_key.generate(module)`
			`result = private_key.dump()`
			`if private_key.return_current_key:`
			# In case the module's input (`content`) is returned as `privatekey`:
			# Since `content` is no_log=True, `privatekey`'s value will get replaced by
			`# VALUE_SPECIFIED_IN_NO_LOG_PARAMETER. To avoid this, we remove the value of`
			# `content` from module.no_log_values. Since we explicitly set
			# `module.no_log = True`, this should be safe.
			`module.no_log = True`
			`try:`
			`module.no_log_values.remove(module.params['content'])`
			`except KeyError:`
			`pass`
			`module.params['content'] = 'ANSIBLE_NO_LOG_VALUE'`
			`module.exit_json(**result)`
			`except OpenSSLObjectError as exc:`
			`module.fail_json(msg=to_native(exc))`