From 2f59d44f9e535d588d10d4eb293b93bae1da3c65 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 15 Aug 2020 21:50:09 +0200
Subject: [PATCH] acme_certificate - allow to select first certificate in chain. (#102)

---
 .../fragments/102-acme-certificate-select-chain-first.yml | 2 ++
 plugins/modules/acme_certificate.py | 8 ++++++--
 tests/integration/targets/acme_certificate/tasks/impl.yml | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/102-acme-certificate-select-chain-first.yml

diff --git a/changelogs/fragments/102-acme-certificate-select-chain-first.yml b/changelogs/fragments/102-acme-certificate-select-chain-first.yml
new file mode 100644
index 00000000..208142f8
--- /dev/null
+++ b/changelogs/fragments/102-acme-certificate-select-chain-first.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- "acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` parameter (https://github.com/ansible-collections/community.crypto/pull/102)."
diff --git a/plugins/modules/acme_certificate.py b/plugins/modules/acme_certificate.py
index e8dd0af2..4cb958cb 100644
--- a/plugins/modules/acme_certificate.py
+++ b/plugins/modules/acme_certificate.py
@@ -220,11 +220,13 @@ options:
       - "Determines which certificates in the chain will be tested."
       - "I(all) tests all certificates in the chain (excluding the leaf, which is identical in all chains)."
+      - "I(first) only tests the first certificate in the chain, i.e. the one which
+         signed the leaf."
       - "I(last) only tests the last certificate in the chain, i.e. the one furthest away from the leaf. Its issuer is the root certificate of this chain."
     type: str
     default: all
-    choices: [last, all]
+    choices: [first, last, all]
   issuer:
     description:
       - "Allows to specify parts of the issuer of a certificate in the chain must
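Review bot: The new I(first) description states that the first chain element is "the one which signed the leaf", but as far as this diff shows the selector picks by position only and nothing verifies that this certificate actually issued the leaf, so the claim holds only when the ACME server returns the chain in signing order. I would qualify the sentence, e.g. `- "I(first) only tests the first certificate in the chain, i.e. the one directly following the leaf (normally the one which signed it; the position is taken as returned by the CA and is not verified)."`, so that users pinning on `first` together with `subject_key_identifier` understand what is and is not checked. The enclosing DOCUMENTATION block continues outside the hunk.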
@@ -1003,6 +1005,8 @@ class ACMEClient(object):
         '''
         if criterium['test_certificates'] == 'last':
             chain = chain[-1:]
+        elif criterium['test_certificates'] == 'first':
+            chain = chain[:1]
         for cert in chain:
             try:
                 x509 = cryptography.x509.load_pem_x509_certificate(to_bytes(cert), cryptography.hazmat.backends.default_backend())
@@ -1183,7 +1187,7 @@ def main():
         force=dict(type='bool', default=False),
         retrieve_all_alternates=dict(type='bool', default=False),
         select_chain=dict(type='list', elements='dict', options=dict(
-            test_certificates=dict(type='str', default='all', choices=['last', 'all']),
+            test_certificates=dict(type='str', default='all', choices=['first', 'last', 'all']),
             issuer=dict(type='dict'),
             subject=dict(type='dict'),
             subject_key_identifier=dict(type='str'),
diff --git a/tests/integration/targets/acme_certificate/tasks/impl.yml b/tests/integration/targets/acme_certificate/tasks/impl.yml
index 7592f57e..6757ec2e 100644
--- a/tests/integration/targets/acme_certificate/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate/tasks/impl.yml
@@ -251,7 +251,7 @@
       # the first chain will be found, and we need a second condition to
       # make sure that the first condition actually works. (The second
       # condition has been tested above.)
-      - test_certificates: last
+      - test_certificates: first
         subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}"
       - test_certificates: last
         issuer: "{{ acme_roots[1].subject }}"
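Review bot: With `chain = chain[:1]` (and the existing `chain[-1:]`), a chain that carries no certificate beyond the leaf leaves `chain` empty, so the `for cert in chain:` loop never runs and whether the criterium then counts as matched or rejected is decided by code after the hunk, outside this view; if the method's fall-through is "no mismatch found, so match", an alternate chain without intermediates would satisfy a `first`/`last` selector it was meant to fail. I'd add an explicit guard before the loop, `if not chain: return False` (or whatever the method's not-matched value is, to be confirmed against the rest of the method), plus a comment above the slicing noting that `first` and `last` are positional picks that rely on the server returning the chain in signing order and do not verify the issuer links. The `elif` is also the second comparison of the same key; a single lookup such as `chain = {'first': chain[:1], 'last': chain[-1:]}.get(criterium['test_certificates'], chain)` would keep the three selectors in one place. The enclosing method starts and ends outside the hunk.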