acme_certificate - allow to select first certificate in chain. (#102)

pull/63/head
Felix Fontein 2020-08-15 21:50:09 +02:00 committed by GitHub
parent e4c12fa4e5
commit 2f59d44f9e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 3 deletions


@ -0,0 +1,2 @@
minor_changes:
- "acme_certificate - allow new selector ``test_certificates: first`` for ``select_chain`` parameter (https://github.com/ansible-collections/community.crypto/pull/102)."


@ -220,11 +220,13 @@ options:
- "Determines which certificates in the chain will be tested." - "Determines which certificates in the chain will be tested."
- "I(all) tests all certificates in the chain (excluding the leaf, which is - "I(all) tests all certificates in the chain (excluding the leaf, which is
identical in all chains)." identical in all chains)."
- "I(first) only tests the first certificate in the chain, i.e. the one which
signed the leaf."
- "I(last) only tests the last certificate in the chain, i.e. the one furthest - "I(last) only tests the last certificate in the chain, i.e. the one furthest
away from the leaf. Its issuer is the root certificate of this chain." away from the leaf. Its issuer is the root certificate of this chain."
type: str type: str
default: all default: all
choices: [last, all] choices: [first, last, all]
issuer: issuer:
description: description:
- "Allows to specify parts of the issuer of a certificate in the chain must - "Allows to specify parts of the issuer of a certificate in the chain must
@ -1003,6 +1005,8 @@ class ACMEClient(object):
''' '''
if criterium['test_certificates'] == 'last': if criterium['test_certificates'] == 'last':
chain = chain[-1:] chain = chain[-1:]
elif criterium['test_certificates'] == 'first':
chain = chain[:1]
for cert in chain: for cert in chain:
try: try:
x509 = cryptography.x509.load_pem_x509_certificate(to_bytes(cert), cryptography.hazmat.backends.default_backend()) x509 = cryptography.x509.load_pem_x509_certificate(to_bytes(cert), cryptography.hazmat.backends.default_backend())
@ -1183,7 +1187,7 @@ def main():
force=dict(type='bool', default=False), force=dict(type='bool', default=False),
retrieve_all_alternates=dict(type='bool', default=False), retrieve_all_alternates=dict(type='bool', default=False),
select_chain=dict(type='list', elements='dict', options=dict( select_chain=dict(type='list', elements='dict', options=dict(
test_certificates=dict(type='str', default='all', choices=['last', 'all']), test_certificates=dict(type='str', default='all', choices=['first', 'last', 'all']),
issuer=dict(type='dict'), issuer=dict(type='dict'),
subject=dict(type='dict'), subject=dict(type='dict'),
subject_key_identifier=dict(type='str'), subject_key_identifier=dict(type='str'),
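Review bot: The new `elif criterium['test_certificates'] == 'first': chain = chain[:1]` branch behaves like the `last` branch when the chain holds a single certificate and, like it, yields an empty list when the chain has no intermediates, so `for cert in chain` then runs zero times and the method's result for that case is decided by code below the hunk that is not visible here. A comment would make the intent explicit, e.g. `# 'first' and 'last' both yield an empty list for a chain without intermediates; nothing is tested then.` The docstring closing at the `'''` just above the change presumably enumerates the selectors and should list `first` too if so; please confirm. The enclosing method starts and ends outside the hunk.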


@ -251,7 +251,7 @@
# the first chain will be found, and we need a second condition to # the first chain will be found, and we need a second condition to
# make sure that the first condition actually works. (The second # make sure that the first condition actually works. (The second
# condition has been tested above.) # condition has been tested above.)
- test_certificates: last - test_certificates: first
subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}" subject_key_identifier: "{{ acme_intermediates[0].subject_key_identifier }}"
- test_certificates: last - test_certificates: last
issuer: "{{ acme_roots[1].subject }}" issuer: "{{ acme_roots[1].subject }}"
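Review bot: Switching the first condition to `test_certificates: first` only distinguishes it from `last` when the test chain has at least two intermediates; with a single intermediate both selectors pick the same certificate and this task would pass whichever branch is hit. The fixture that builds `acme_intermediates` is not visible here, so please confirm it has two or more entries, or record the assumption above this condition, e.g. `# requires at least two intermediates so that 'first' and 'last' select different certificates`. The comment above was written for the previous `last` selector and still reads correctly, but a short note that this condition now exercises the new selector would help future readers.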