community.crypto/plugins/module_utils/acme/utils.py

# -*- coding: utf-8 -*-

# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import absolute_import, division, print_function
__metaclass__ = type


import base64
import datetime
import re
import textwrap
import traceback

from ansible.module_utils.common.text.converters import to_native
from ansible.module_utils.six.moves.urllib.parse import unquote

from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException

from ansible_collections.community.crypto.plugins.module_utils.crypto.math import convert_int_to_bytes

from ansible_collections.community.crypto.plugins.module_utils.time import get_now_datetime


def nopad_b64(data):
    return base64.urlsafe_b64encode(data).decode('utf8').replace("=", "")


def der_to_pem(der_cert):
    '''
    Convert the DER format certificate in der_cert to a PEM format certificate and return it.
    '''
    return """-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----\n""".format(
        "\n".join(textwrap.wrap(base64.b64encode(der_cert).decode('utf8'), 64)))


def pem_to_der(pem_filename=None, pem_content=None):
    '''
    Load PEM file, or use PEM file's content, and convert to DER.

    If PEM contains multiple entities, the first entity will be used.
    '''
    certificate_lines = []
    if pem_content is not None:
        lines = pem_content.splitlines()
    elif pem_filename is not None:
        try:
            with open(pem_filename, "rt") as f:
                lines = list(f)
        except Exception as err:
            raise ModuleFailException("cannot load PEM file {0}: {1}".format(pem_filename, to_native(err)), exception=traceback.format_exc())
    else:
        raise ModuleFailException('One of pem_filename and pem_content must be provided')
    header_line_count = 0
    for line in lines:
        if line.startswith('-----'):
            header_line_count += 1
            if header_line_count == 2:
                # If certificate file contains other certs appended
                # (like intermediate certificates), ignore these.
                break
            continue
        certificate_lines.append(line.strip())
    return base64.b64decode(''.join(certificate_lines))


def process_links(info, callback):
    '''
    Process link header, calls callback for every link header with the URL and relation as options.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link
    '''
    if 'link' in info:
        link = info['link']
        for url, relation in re.findall(r'<([^>]+)>;\s*rel="(\w+)"', link):
            callback(unquote(url), relation)


def parse_retry_after(value, relative_with_timezone=True, now=None):
    '''
    Parse the value of a Retry-After header and return a timestamp.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
    '''
    # First try a number of seconds
    try:
        delta = datetime.timedelta(seconds=int(value))
        if now is None:
            now = get_now_datetime(relative_with_timezone)
        return now + delta
    except ValueError:
        pass

    try:
        return datetime.datetime.strptime(value, '%a, %d %b %Y %H:%M:%S GMT')
    except ValueError:
        pass

    raise ValueError('Cannot parse Retry-After header value %s' % repr(value))


def compute_cert_id(
    backend,
    cert_info=None,
    cert_filename=None,
    cert_content=None,
    none_if_required_information_is_missing=False,
):
    # Obtain certificate info if not provided
    if cert_info is None:
        cert_info = backend.get_cert_information(cert_filename=cert_filename, cert_content=cert_content)

    # Convert Authority Key Identifier to string
    if cert_info.authority_key_identifier is None:
        if none_if_required_information_is_missing:
            return None
        raise ModuleFailException('Certificate has no Authority Key Identifier extension')
    aki = to_native(base64.urlsafe_b64encode(cert_info.authority_key_identifier)).replace('=', '')

    # Convert serial number to string
    serial_bytes = convert_int_to_bytes(cert_info.serial_number)
    if ord(serial_bytes[:1]) >= 128:
        serial_bytes = b'\x00' + serial_bytes
    serial = to_native(base64.urlsafe_b64encode(serial_bytes)).replace('=', '')

    # Compose cert ID
    return '{aki}.{serial}'.format(aki=aki, serial=serial)
ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00			`# -- coding: utf-8 --`

Move licenses to LICENSES/, use SPDX-License-Identifier, mention all licenses in galaxy.yml (#491) * Add SPDX license identifiers, mention all licenses in galaxy.yml. * Add default copyright headers. * Add headers for documents. * Fix/add more copyright statements. * Add copyright / license info for vendored code. * Add extra sanity test. * Add changelog fragment. * Comment PSF-2.0 license out in galaxy.yml for now. * Remove colon after 'Copyright'. * Avoid colon after 'Copyright' in lint script. * Mention correct filename. * Add BSD-3-Clause. * Improve lint script. * Update README. * Symlinks... 2022-07-21 05:27:26 +00:00			`# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>`
			`# Copyright (c) 2021 Felix Fontein <felix@fontein.de>`
			`# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00
			`from __future__ import absolute_import, division, print_function`
			`__metaclass__ = type`


			`import base64`
Revert "Revert all non-bugfixes merged since the last release." This reverts commit 82251c2d80230b77887f6a229d93ee8e1c08ae74. 2024-05-11 15:05:03 +00:00			`import datetime`
ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00			`import re`
			`import textwrap`
			`import traceback`

Replace ansible.module_utils._text by ansible.module_utils.common.text.converters. (#253) 2021-06-26 11:45:28 +00:00			`from ansible.module_utils.common.text.converters import to_native`
ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00			`from ansible.module_utils.six.moves.urllib.parse import unquote`

			`from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException`

Revert "Revert all non-bugfixes merged since the last release." This reverts commit 82251c2d80230b77887f6a229d93ee8e1c08ae74. 2024-05-11 15:05:03 +00:00			`from ansible_collections.community.crypto.plugins.module_utils.crypto.math import convert_int_to_bytes`

			`from ansible_collections.community.crypto.plugins.module_utils.time import get_now_datetime`

ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00
			`def nopad_b64(data):`
			`return base64.urlsafe_b64encode(data).decode('utf8').replace("=", "")`


			`def der_to_pem(der_cert):`
			`'''`
			`Convert the DER format certificate in der_cert to a PEM format certificate and return it.`
			`'''`
			`return """-----BEGIN CERTIFICATE-----\n{0}\n-----END CERTIFICATE-----\n""".format(`
			`"\n".join(textwrap.wrap(base64.b64encode(der_cert).decode('utf8'), 64)))`


			`def pem_to_der(pem_filename=None, pem_content=None):`
			`'''`
			`Load PEM file, or use PEM file's content, and convert to DER.`

			`If PEM contains multiple entities, the first entity will be used.`
			`'''`
			`certificate_lines = []`
			`if pem_content is not None:`
			`lines = pem_content.splitlines()`
			`elif pem_filename is not None:`
			`try:`
			`with open(pem_filename, "rt") as f:`
			`lines = list(f)`
			`except Exception as err:`
			`raise ModuleFailException("cannot load PEM file {0}: {1}".format(pem_filename, to_native(err)), exception=traceback.format_exc())`
			`else:`
			`raise ModuleFailException('One of pem_filename and pem_content must be provided')`
			`header_line_count = 0`
			`for line in lines:`
			`if line.startswith('-----'):`
			`header_line_count += 1`
			`if header_line_count == 2:`
			`# If certificate file contains other certs appended`
			`# (like intermediate certificates), ignore these.`
			`break`
			`continue`
			`certificate_lines.append(line.strip())`
			`return base64.b64decode(''.join(certificate_lines))`


			`def process_links(info, callback):`
			`'''`
			`Process link header, calls callback for every link header with the URL and relation as options.`
Revert "Revert all non-bugfixes merged since the last release." This reverts commit 82251c2d80230b77887f6a229d93ee8e1c08ae74. 2024-05-11 15:05:03 +00:00
			`https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link`
ACME modules refactor (#187) * Move acme.py to acme/__init__.py to prepare splitup. * Began moving generic code out. * Creating backends. * Update unit tests. * Move remaining new code out. * Use new interface. * Rewrite module init code. * Add changelog. * Add BackendException for crypto backend errors. * Improve / uniformize ACME error reporting. * Create ACMELegacyAccount for backwards compatibility. * Split up ACMEAccount into ACMEClient and ACMEAccount. * Move get_keyauthorization into module_utils.acme.challenges. * Improve error handling. * Move challenge and authorization handling code into module_utils. * Add split_identifier helper. * Move order code into module_utils. * Move ACME v2 certificate handling code to module_utils. * Fix/move ACME v1 certificate retrieval to module_utils as well. * Refactor alternate chain handling code by splitting it up into simpler functions. * Make chain matcher creation part of backend. 2021-03-21 08:40:25 +00:00			`'''`
			`if 'link' in info:`
			`link = info['link']`
			`for url, relation in re.findall(r'<([^>]+)>;\s*rel="(\w+)"', link):`
			`callback(unquote(url), relation)`
Revert "Revert all non-bugfixes merged since the last release." This reverts commit 82251c2d80230b77887f6a229d93ee8e1c08ae74. 2024-05-11 15:05:03 +00:00

			`def parse_retry_after(value, relative_with_timezone=True, now=None):`
			`'''`
			`Parse the value of a Retry-After header and return a timestamp.`

			`https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After`
			`'''`
			`# First try a number of seconds`
			`try:`
			`delta = datetime.timedelta(seconds=int(value))`
			`if now is None:`
			`now = get_now_datetime(relative_with_timezone)`
			`return now + delta`
			`except ValueError:`
			`pass`

			`try:`
			`return datetime.datetime.strptime(value, '%a, %d %b %Y %H:%M:%S GMT')`
			`except ValueError:`
			`pass`

			`raise ValueError('Cannot parse Retry-After header value %s' % repr(value))`


			`def compute_cert_id(`
			`backend,`
			`cert_info=None,`
			`cert_filename=None,`
			`cert_content=None,`
			`none_if_required_information_is_missing=False,`
			`):`
			`# Obtain certificate info if not provided`
			`if cert_info is None:`
			`cert_info = backend.get_cert_information(cert_filename=cert_filename, cert_content=cert_content)`

			`# Convert Authority Key Identifier to string`
			`if cert_info.authority_key_identifier is None:`
			`if none_if_required_information_is_missing:`
			`return None`
			`raise ModuleFailException('Certificate has no Authority Key Identifier extension')`
			`aki = to_native(base64.urlsafe_b64encode(cert_info.authority_key_identifier)).replace('=', '')`

			`# Convert serial number to string`
			`serial_bytes = convert_int_to_bytes(cert_info.serial_number)`
			`if ord(serial_bytes[:1]) >= 128:`
			`serial_bytes = b'\x00' + serial_bytes`
			`serial = to_native(base64.urlsafe_b64encode(serial_bytes)).replace('=', '')`

			`# Compose cert ID`
			`return '{aki}.{serial}'.format(aki=aki, serial=serial)`