Revert "Fix documentation. (#751)"
Revert "ACME modules: simplify code, refactor argspec handling code, move csr/csr_content to own docs fragment (#750)"
Revert "Refactor and extend argument spec helper, use for ACME modules (#749)"
Revert "Avoid exception if certificate has no AKI in acme_certificate. (#748)"
Revert "ACME: improve acme_certificate docs, include cert_id in acme_certificate_renewal_info return value (#747)"
Revert "Add acme_certificate_renewal_info module (#746)"
Revert "Refactor time code, add tests, fix bug when parsing absolute timestamps that omit seconds (#745)"
Revert "Add tests for acme_certificate_deactivate_authz module. (#744)"
Revert "Create acme_certificate_deactivate_authz module (#741)"
Revert "acme_certificate: allow to request renewal of a certificate according to ARI (#739)"
Revert "Implement basic acme_ari_info module. (#732)"
Revert "Add function for retrieval of ARI information. (#738)"
Revert "acme module utils: add functions for parsing Retry-After header values and computation of ARI certificate IDs (#737)"
Revert "Implement certificate information retrieval code in the ACME backends. (#736)"
Revert "Split up the default acme docs fragment to allow modules ot not need account data. (#735)"
This reverts commits 5e59c5261e, aa82575a78,
f3c9cb7a8a, f82b335916, 553ab45f46,
59606d48ad, 0a15be1017, 9501a28a93,
d906914737, 33d278ad8f, 6d4fc589ae,
9614b09f7a, af5f4b57f8, c6fbe58382,
and afe7f7522c.
* Fix time idempotence.
* Lint and add changelog fragment.
* Add tests.
* Make sure 'ignore_timestamps: false' is passed for time idempotence tests; pass right private key for OwnCA tests
* Use community.dns.quote_txt filter instead of regex replace to quote TXT entry value.
* Fix documentation of acme_certificate's challenge_data return value.
* Also return cert_id from acme_certificate_renewal_info module.
* The cert ID cannot be computed if the certificate has no AKI.
This happens with older Pebble versions, which are used when
testing against older ansible-core/-base/Ansible versions.
* Fix AKI extraction for older OpenSSL versions.
* Allow to provide cert_info object to get_renewal_info().
* Add acme_certificate_renewal_info module.
* Allow to provide value for 'now'.
* Actually append msg_append.
* Fix bug in module timestamp param parsing, and add tests.
* luks_device: fix remove_keyslot not working when set to 0
* luks_device: fix module outputting 'ok' when trying to add a key that is already present in another keyslot
* luks_device: fix breaking unit tests
* luks_device: Duplicate key test case code cleanup
* luks_device: Fix testing of LUKS passphrases when only testing one key slot
* luks_device: Fix testing of LUKS passphrases when only testing one key slot
* luks_device: Add changelog fragment for PR #710
* luks_device: Update changlog fragment
* add allow discard option for luks devices
* Add allow_discards to perfomance tests
* Fix version for luks devices doc
* Update plugins/modules/luks_device.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* add changelog fragment
* Update changelogs/fragments/693-allow-discards.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* added allow_discards to the persistently stored option list
* allow_discards works with not only luks2 containers
* Update plugins/modules/luks_device.py
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* luks_device: add support for keyslots
* luks_device: replace python3 format strings with python2 format strings, remove print statements
* luks_device: add missing copyright information in keyslot integration test files
* luks_device: updated failing unit tests for keyslot support
* luks_device: improve detection of luks version
* luks_device: Update documentation on keyslot parameters, minor code improvements
* luks_device: improve validation of keyslot parameters, fix tests for systems that do not support luks2
* luks_device: correct spelling and errors in documentation and output, check all possible locations for LUKS2 header
* Check return code on ssh(-keygen) invocations.
* openssh_cert: only check for errors if certificate should be present and module is not in check mode.
* Handle rc check for _get_private_key().
* Add changelog fragment.
* Only pass -o for comment updating when necessary.
* Now fails if comment cannot be updated.
This was silently ignored in the past.
* Avoid failing operation.
* Add gpg_fingerprint lookup.
* Work around problems on some CI targets.
* Use get_bin_path to find the gpg executable. Document that we need it.
* Improve and test error handling.
* Refactor (potentially) common code to module_utils and plugin_utils.
This will be useful to create a filter version of this, and further lookups, filters, and modules.
* Do not create a keyring when there isn't one.
* Fixups.
* Fix description.
* More fixes for lookup.
* Also add a gpg_fingerprint filter.
* Improve formulation.
Co-authored-by: Sandra McCann <samccann@redhat.com>
---------
Co-authored-by: Sandra McCann <samccann@redhat.com>
* Always generate a new key pair if the private key doesn't exist (#597)
This commit updates `KeypairBackend._should_generate()` to first check
if the original private key named by the `path` argument exists, and
return True if it does not. This brings the code in line with
the documentation, which says that a new key will always be generated if
the key file doesn't already exist.
As an alternative to the approach implemented here, I also considered
only modifying the condition in the `fail` branch of the if statement,
but I thought that would not map as cleanly to the behavior specified in
the documentation, so doing it the way I did should make it easier to
check that the code is doing the right thing just by looking at it.
I also considered doing something to make the logic more similar to
`PrivateKeyBackend.needs_regeneration()` (the openssl version of this
functionality), because the two are supposed to be acting the same way,
but I thought that'd be going beyond the scope of just fixing this bug.
If it'd be useful to make both methods work the same way, someone can
refactor the code in a future commit.
* Test different regenerate values with nonexistent keys
This commit changes the test task that generates new keys to use each of
the different values for the `regenerate` argument, which will ensure
that the module is capable of generating a key when no previous key
exists regardless of the value of `regenerate`. Previously, the task
would always run with the `partial_idempotence` value, and that obscured
a bug (#597) that would occur when it was set to `fail`. The bug was
fixed in the previous commit.
* Show timings with devel, and skip everything else.
* Move to other group.
* Try smaller SSH key size (i.e. make tests run faster).
* Add implicit size that now must be explicit.
* Change group of luks_device.
* Revert "Show timings with devel, and skip everything else."
This reverts commit 7b73f7e4d7.
* Update CI scripts to be more close to the ones in ansible-core.
* Extend CI matrix.
* Mark more VMs.
* Revert "Mark more VMs."
This reverts commit 8bc79af636.
* Disable alpine VMs for get_certificate due to httptester problems.
* Improve retrieval of cryptsetup version.
* ACME 'emulator' won't work on Alpine either.
* Improve luks test setup.
* Make sure wipefs is installed on Alpine.
* dmsetup (from device-mapper) is used by the tests.
* Fix bcrypt install failure handling.
* String, not float.
* openssl_privatekey_convert is not an action module.
* Update Python info.
* Try out which VMs can be used by now.
* Enable ACME tests on all VMs but Alpine; update comment.
* Adjust acme-tiny shebang.
* Remove new entries from CI matrix.
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.
Signed-off-by: benaryorg <binary@benary.org>
Signed-off-by: benaryorg <binary@benary.org>
Felix Fontein
Steffen Gufler
0x00ace
David Zaslavsky
Katze
Andrew Pantuso