x509_certificate: fix time idempotence (#754)

* Fix time idempotence.

* Lint and add changelog fragment.

* Add tests.

* Make sure 'ignore_timestamps: false' is passed for time idempotence tests; pass right private key for OwnCA tests

changelogs/fragments/754-x509_certificate-time.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - "x509_certificate - since community.crypto 2.19.0 the module was no longer idempotent with respect to ``not_before`` and ``not_after`` times.
+     This is now fixed (https://github.com/ansible-collections/community.crypto/issues/753, https://github.com/ansible-collections/community.crypto/pull/754)."

plugins/module_utils/crypto/module_backends/certificate_entrust.py

@@ -47,7 +47,12 @@ class EntrustCertificateBackend(CertificateBackend):
     def __init__(self, module, backend):
         super(EntrustCertificateBackend, self).__init__(module, backend)
         self.trackingId = None
-        self.notAfter = get_relative_time_option(module.params['entrust_not_after'], 'entrust_not_after', backend=self.backend)
+        self.notAfter = get_relative_time_option(
+            module.params['entrust_not_after'],
+            'entrust_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
 
         if self.csr_content is None and self.csr_path is None:
             raise CertificateError(

plugins/module_utils/crypto/module_backends/certificate_ownca.py

@@ -26,6 +26,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    CRYPTOGRAPHY_TIMEZONE,
     cryptography_compare_public_keys,
     cryptography_key_needs_digest_for_signing,
     cryptography_serial_number_of_cert,
@@ -62,8 +63,18 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
 
         self.create_subject_key_identifier = module.params['ownca_create_subject_key_identifier']
         self.create_authority_key_identifier = module.params['ownca_create_authority_key_identifier']
-        self.notBefore = get_relative_time_option(module.params['ownca_not_before'], 'ownca_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend)
+        self.notBefore = get_relative_time_option(
+            module.params['ownca_not_before'],
+            'ownca_not_before',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
+        self.notAfter = get_relative_time_option(
+            module.params['ownca_not_after'],
+            'ownca_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
         self.digest = select_message_digest(module.params['ownca_digest'])
         self.version = module.params['ownca_version']
         self.serial_number = x509.random_serial_number()

plugins/module_utils/crypto/module_backends/certificate_selfsigned.py

@@ -18,6 +18,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    CRYPTOGRAPHY_TIMEZONE,
     cryptography_key_needs_digest_for_signing,
     cryptography_serial_number_of_cert,
     cryptography_verify_certificate_signature,
@@ -51,8 +52,18 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
         super(SelfSignedCertificateBackendCryptography, self).__init__(module, 'cryptography')
 
         self.create_subject_key_identifier = module.params['selfsigned_create_subject_key_identifier']
-        self.notBefore = get_relative_time_option(module.params['selfsigned_not_before'], 'selfsigned_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend)
+        self.notBefore = get_relative_time_option(
+            module.params['selfsigned_not_before'],
+            'selfsigned_not_before',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
+        self.notAfter = get_relative_time_option(
+            module.params['selfsigned_not_after'],
+            'selfsigned_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
         self.digest = select_message_digest(module.params['selfsigned_digest'])
         self.version = module.params['selfsigned_version']
         self.serial_number = x509.random_serial_number()

tests/integration/targets/x509_certificate/tasks/ownca.yml

@@ -249,11 +249,25 @@
     ownca_not_after: 20191023133742Z
     path: "{{ remote_tmp_dir }}/ownca_cert3.pem"
     csr_path: "{{ remote_tmp_dir }}/csr.csr"
-    privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
+    privatekey_path: "{{ remote_tmp_dir }}/privatekey.pem"
     ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
     ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
     select_crypto_backend: '{{ select_crypto_backend }}'
 
+- name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with notBefore and notAfter (idempotent)
+  x509_certificate:
+    provider: ownca
+    ownca_not_before: 20181023133742Z
+    ownca_not_after: 20191023133742Z
+    ignore_timestamps: false
+    path: "{{ remote_tmp_dir }}/ownca_cert3.pem"
+    csr_path: "{{ remote_tmp_dir }}/csr.csr"
+    privatekey_path: "{{ remote_tmp_dir }}/privatekey.pem"
+    ownca_path: '{{ remote_tmp_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ remote_tmp_dir }}/ca_privatekey.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: ownca_cert3_idem
+
 - name: (OwnCA, {{select_crypto_backend}}) Create ownca certificate with relative notBefore and notAfter
   x509_certificate:
     provider: ownca

tests/integration/targets/x509_certificate/tasks/selfsigned.yml

@@ -220,6 +220,18 @@
     privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
     select_crypto_backend: '{{ select_crypto_backend }}'
 
+- name: (Selfsigned, {{select_crypto_backend}}) Create certificate3 with notBefore and notAfter (idempotent)
+  x509_certificate:
+    provider: selfsigned
+    selfsigned_not_before: 20181023133742Z
+    selfsigned_not_after: 20191023133742Z
+    ignore_timestamps: false
+    path: "{{ remote_tmp_dir }}/cert3.pem"
+    csr_path: "{{ remote_tmp_dir }}/csr3.pem"
+    privatekey_path: "{{ remote_tmp_dir }}/privatekey3.pem"
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: cert3_selfsigned_idem
+
 - name: (Selfsigned, {{select_crypto_backend}}) Generate privatekey
   openssl_privatekey:
     path: '{{ remote_tmp_dir }}/privatekey_ecc.pem'

tests/integration/targets/x509_certificate/tests/validate_ownca.yml

@@ -98,6 +98,11 @@
     that:
       - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 
+- name: (OwnCA validation, {{select_crypto_backend}}) Validate idempotency
+  assert:
+    that:
+      - ownca_cert3_idem is not changed
+
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
   shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/ownca_cert_ecc.pem'
   register: ownca_cert_ecc_pubkey

tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml

@@ -139,6 +139,11 @@
     that:
       - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
 
+- name: (Selfsigned validation, {{select_crypto_backend}}) Validate idempotency
+  assert:
+    that:
+      - cert3_selfsigned_idem is not changed
+
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
   shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey_ecc.pem'
   register: privatekey_ecc_pubkey