2020-10-27 11:37:40 +00:00
|
|
|
#!/usr/bin/python
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
2022-07-21 05:27:26 +00:00
|
|
|
# Copyright (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
|
|
|
|
|
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
|
|
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-10-27 11:37:40 +00:00
|
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = r'''
|
|
|
|
|
---
|
|
|
|
|
module: openssl_csr_pipe
|
|
|
|
|
short_description: Generate OpenSSL Certificate Signing Request (CSR)
|
|
|
|
|
version_added: 1.3.0
|
|
|
|
|
description:
|
2022-01-10 12:05:09 +00:00
|
|
|
- "Please note that the module regenerates an existing CSR if it does not match the module's
|
2020-10-27 11:37:40 +00:00
|
|
|
options, or if it seems to be corrupt."
|
|
|
|
|
author:
|
2022-11-06 20:10:56 +00:00
|
|
|
- Yanis Guenane (@Spredzy)
|
|
|
|
|
- Felix Fontein (@felixfontein)
|
|
|
|
|
extends_documentation_fragment:
|
|
|
|
|
- community.crypto.attributes
|
|
|
|
|
- community.crypto.module_csr
|
|
|
|
|
attributes:
|
|
|
|
|
check_mode:
|
|
|
|
|
support: full
|
|
|
|
|
diff_mode:
|
|
|
|
|
support: full
|
2020-10-27 11:37:40 +00:00
|
|
|
options:
|
|
|
|
|
content:
|
|
|
|
|
description:
|
|
|
|
|
- The existing CSR.
|
|
|
|
|
type: str
|
|
|
|
|
seealso:
|
|
|
|
|
- module: community.crypto.openssl_csr
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
EXAMPLES = r'''
|
|
|
|
|
- name: Generate an OpenSSL Certificate Signing Request
|
|
|
|
|
community.crypto.openssl_csr_pipe:
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
register: result
|
2023-05-15 19:41:18 +00:00
|
|
|
- name: Print CSR
|
|
|
|
|
ansible.builtin.debug:
|
2020-10-27 11:37:40 +00:00
|
|
|
var: result.csr
|
|
|
|
|
|
2020-11-24 16:21:52 +00:00
|
|
|
- name: Generate an OpenSSL Certificate Signing Request with an inline CSR
|
2020-10-27 11:37:40 +00:00
|
|
|
community.crypto.openssl_csr:
|
|
|
|
|
content: "{{ lookup('file', '/etc/ssl/csr/www.ansible.com.csr') }}"
|
|
|
|
|
privatekey_content: "{{ private_key_content }}"
|
|
|
|
|
common_name: www.ansible.com
|
|
|
|
|
register: result
|
|
|
|
|
- name: Store CSR
|
|
|
|
|
ansible.builtin.copy:
|
2020-11-24 16:21:52 +00:00
|
|
|
dest: /etc/ssl/csr/www.ansible.com.csr
|
2020-10-27 11:37:40 +00:00
|
|
|
content: "{{ result.csr }}"
|
|
|
|
|
when: result is changed
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
RETURN = r'''
|
|
|
|
|
privatekey:
|
|
|
|
|
description:
|
|
|
|
|
- Path to the TLS/SSL private key the CSR was generated for
|
|
|
|
|
- Will be C(none) if the private key has been provided in I(privatekey_content).
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: str
|
|
|
|
|
sample: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
subject:
|
|
|
|
|
description: A list of the subject tuples attached to the CSR
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: list
|
2022-08-04 18:02:56 +00:00
|
|
|
sample: [['CN', 'www.ansible.com'], ['O', 'Ansible']]
|
2020-10-27 11:37:40 +00:00
|
|
|
subjectAltName:
|
|
|
|
|
description: The alternative names this CSR is valid for
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: [ 'DNS:www.ansible.com', 'DNS:m.ansible.com' ]
|
|
|
|
|
keyUsage:
|
|
|
|
|
description: Purpose for which the public key may be used
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: [ 'digitalSignature', 'keyAgreement' ]
|
|
|
|
|
extendedKeyUsage:
|
|
|
|
|
description: Additional restriction on the public key purposes
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: [ 'clientAuth' ]
|
|
|
|
|
basicConstraints:
|
|
|
|
|
description: Indicates if the certificate belongs to a CA
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: ['CA:TRUE', 'pathLenConstraint:0']
|
|
|
|
|
ocsp_must_staple:
|
|
|
|
|
description: Indicates whether the certificate has the OCSP
|
|
|
|
|
Must Staple feature enabled
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: bool
|
|
|
|
|
sample: false
|
|
|
|
|
name_constraints_permitted:
|
|
|
|
|
description: List of permitted subtrees to sign certificates for.
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: ['email:.somedomain.com']
|
|
|
|
|
name_constraints_excluded:
|
|
|
|
|
description: List of excluded subtrees the CA cannot sign certificates for.
|
|
|
|
|
returned: changed or success
|
|
|
|
|
type: list
|
|
|
|
|
elements: str
|
|
|
|
|
sample: ['email:.com']
|
|
|
|
|
csr:
|
|
|
|
|
description: The (current or generated) CSR's content.
|
2020-11-24 16:21:52 +00:00
|
|
|
returned: changed or success
|
2020-10-27 11:37:40 +00:00
|
|
|
type: str
|
|
|
|
|
'''
|
|
|
|
|
|
2021-06-26 11:45:28 +00:00
|
|
|
from ansible.module_utils.common.text.converters import to_native
|
2020-10-27 11:37:40 +00:00
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.csr import (
|
|
|
|
|
select_backend,
|
|
|
|
|
get_csr_argument_spec,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
|
|
|
|
|
OpenSSLObjectError,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class CertificateSigningRequestModule(object):
|
|
|
|
|
def __init__(self, module, module_backend):
|
|
|
|
|
self.check_mode = module.check_mode
|
|
|
|
|
self.module_backend = module_backend
|
|
|
|
|
self.changed = False
|
|
|
|
|
if module.params['content'] is not None:
|
|
|
|
|
self.module_backend.set_existing(module.params['content'].encode('utf-8'))
|
|
|
|
|
|
|
|
|
|
def generate(self, module):
|
|
|
|
|
'''Generate the certificate signing request.'''
|
|
|
|
|
if self.module_backend.needs_regeneration():
|
|
|
|
|
if not self.check_mode:
|
|
|
|
|
self.module_backend.generate_csr()
|
|
|
|
|
self.changed = True
|
|
|
|
|
|
|
|
|
|
def dump(self):
|
|
|
|
|
'''Serialize the object into a dictionary.'''
|
|
|
|
|
result = self.module_backend.dump(include_csr=True)
|
|
|
|
|
result.update({
|
|
|
|
|
'changed': self.changed,
|
|
|
|
|
})
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
argument_spec = get_csr_argument_spec()
|
|
|
|
|
argument_spec.argument_spec.update(dict(
|
|
|
|
|
content=dict(type='str'),
|
|
|
|
|
))
|
|
|
|
|
module = argument_spec.create_ansible_module(
|
|
|
|
|
supports_check_mode=True,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
try:
|
2023-01-02 14:52:59 +00:00
|
|
|
backend = module.params['select_crypto_backend']
|
|
|
|
|
backend, module_backend = select_backend(module, backend)
|
|
|
|
|
|
2020-10-27 11:37:40 +00:00
|
|
|
csr = CertificateSigningRequestModule(module, module_backend)
|
|
|
|
|
csr.generate(module)
|
|
|
|
|
result = csr.dump()
|
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
except OpenSSLObjectError as exc:
|
|
|
|
|
module.fail_json(msg=to_native(exc))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
main()
|
