#!/usr/bin/python # -*- coding: utf-8 -*- # Copyright (c) 2016 Michael Gruener # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later from __future__ import absolute_import, division, print_function __metaclass__ = type DOCUMENTATION = ''' --- module: acme_certificate_deactivate_authz author: "Felix Fontein (@felixfontein)" version_added: 2.20.0 short_description: Deactivate all authz for an ACME v2 order description: - "Deactivate all authentication objects (authz) for an ACME v2 order, which effectively deactivates (invalidates) the order itself." - "Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue certificates without having to re-authenticate the domain. This can be a security concern." - "Another reason to use this module is to deactivate an order whose processing failed when using O(community.crypto.acme_certificate#module:include_renewal_cert_id)." seealso: - module: community.crypto.acme_certificate extends_documentation_fragment: - community.crypto.acme.basic - community.crypto.acme.account - community.crypto.attributes - community.crypto.attributes.actiongroup_acme attributes: check_mode: support: full diff_mode: support: none options: order_uri: description: - The ACME v2 order to deactivate. - Can be obtained from RV(community.crypto.acme_certificate#module:order_uri). type: str required: true ''' EXAMPLES = r''' - name: Deactivate all authzs for an order community.crypto.acme_certificate_deactivate_authz: account_key_content: "{{ account_private_key }}" order_uri: "{{ certificate_result.order_uri }}" ''' RETURN = '''#''' from ansible_collections.community.crypto.plugins.module_utils.acme.acme import ( create_backend, create_default_argspec, ACMEClient, ) from ansible_collections.community.crypto.plugins.module_utils.acme.account import ( ACMEAccount, ) from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ( ModuleFailException, ) from ansible_collections.community.crypto.plugins.module_utils.acme.orders import ( Order, ) def main(): argument_spec = create_default_argspec() argument_spec.update_argspec( order_uri=dict(type='str', required=True), ) module = argument_spec.create_ansible_module(supports_check_mode=True) if module.params['acme_version'] == 1: module.fail_json('The module does not support acme_version=1') backend = create_backend(module, False) try: client = ACMEClient(module, backend) account = ACMEAccount(client) dummy, account_data = account.setup_account(allow_creation=False) if account_data is None: raise ModuleFailException(msg='Account does not exist or is deactivated.') order = Order.from_url(client, module.params['order_uri']) order.load_authorizations(client) changed = False for authz in order.authorizations.values(): if not authz.can_deactivate(): continue changed = True if module.check_mode: continue try: authz.deactivate(client) except Exception: # ignore errors pass if authz.status != 'deactivated': module.warn(warning='Could not deactivate authz object {0}.'.format(authz.url)) module.exit_json(changed=changed) except ModuleFailException as e: e.do_fail(module) if __name__ == '__main__': main()