openssl_pkcs12: Add a check for parsed pkcs12 files (#145)

* openssl_pkcs12: Add a check for parsed pkcs12 files Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> * Add changelog fragment Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> * openssl_pkcs12: Report changed state when a pkcs12 file is dumped Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> * Add a basic test for dumping a pkcs12 file Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> * Update changelog fragment Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de> * Add test for dumped pkcs12 file in check mode Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2020-11-23 09:14:45 +01:00 · 2020-11-23 09:14:45 +01:00 · 86b39733e1
parent 94b23d62db
commit 86b39733e1
4 changed files with 33 additions and 0 deletions
--- a/changelogs/fragments/145-add-check-for-parsed-pkcs12-files.yml
+++ b/changelogs/fragments/145-add-check-for-parsed-pkcs12-files.yml
@ -0,0 +1,2 @@
+bugfixes:
+ - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143).
--- a/plugins/modules/openssl_pkcs12.py
+++ b/plugins/modules/openssl_pkcs12.py
@ -302,6 +302,17 @@ class Pkcs(OpenSSLObject):
                        return False
                elif bool(self.pkcs12.get_friendlyname()) != bool(pkcs12_friendly_name):
                    return False
+        elif module.params['action'] == 'parse' and os.path.exists(self.src) and os.path.exists(self.path):
+            try:
+                pkey, cert, other_certs, friendly_name = self.parse()
+            except crypto.Error:
+                return False
+            expected_content = to_bytes(
+                ''.join([to_native(pem) for pem in [pkey, cert] + other_certs if pem is not None])
+            )
+            dumped_content = load_file_if_exists(self.path, ignore_errors=True)
+            if expected_content != dumped_content:
+                return False
        else:
            return False

@ -448,6 +459,7 @@ def main():
                    pkey, cert, other_certs, friendly_name = pkcs12.parse()
                    dump_content = ''.join([to_native(pem) for pem in [pkey, cert] + other_certs if pem is not None])
                    pkcs12.write(module, to_bytes(dump_content))
+                    changed = True

            file_args = module.load_file_common_arguments(module.params)
            if module.set_fs_attributes_if_different(file_args, changed):
--- a/tests/integration/targets/openssl_pkcs12/tasks/impl.yml
+++ b/tests/integration/targets/openssl_pkcs12/tasks/impl.yml
@ -88,6 +88,22 @@
      path: '{{ output_dir }}/ansible_parse.pem'
      action: parse
      state: present
+    register: p12_dumped
+  - name: Dump PKCS#12 file again, idempotency
+    openssl_pkcs12:
+      src: '{{ output_dir }}/ansible.p12'
+      path: '{{ output_dir }}/ansible_parse.pem'
+      action: parse
+      state: present
+    register: p12_dumped_idempotency
+  - name: Dump PKCS#12, check mode
+    openssl_pkcs12:
+      src: '{{ output_dir }}/ansible.p12'
+      path: '{{ output_dir }}/ansible_parse.pem'
+      action: parse
+      state: present
+    check_mode: true
+    register: p12_dumped_check_mode
  - name: Generate PKCS#12 file with multiple certs
    openssl_pkcs12:
      path: '{{ output_dir }}/ansible_multi_certs.p12'
--- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml
+++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml
@ -20,8 +20,11 @@
      - p12_validate_no_pkey.stdout_lines[-1] == '-----END CERTIFICATE-----'
      - p12_force.changed
      - p12_force_and_mode.mode == '0644' and p12_force_and_mode.changed
+      - p12_dumped.changed
      - not p12_standard_idempotency.changed
      - not p12_multiple_certs_idempotency.changed
+      - not p12_dumped_idempotency.changed
+      - not p12_dumped_check_mode.changed
      - "'www.' in p12_validate_multi_certs.stdout"
      - "'www2.' in p12_validate_multi_certs.stdout"
      - "'www3.' in p12_validate_multi_certs.stdout"