2017-04-06 16:09:07 +00:00
|
|
|
#!/usr/bin/python
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
#
|
|
|
|
|
# (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
|
2017-07-29 07:20:36 +00:00
|
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
2017-04-06 16:09:07 +00:00
|
|
|
|
2017-04-06 17:16:50 +00:00
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.0',
|
|
|
|
|
'status': ['preview'],
|
|
|
|
|
'supported_by': 'community'}
|
|
|
|
|
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
|
---
|
|
|
|
|
module: openssl_csr
|
|
|
|
|
author: "Yanis Guenane (@Spredzy)"
|
2017-04-17 19:46:12 +00:00
|
|
|
version_added: "2.4"
|
2017-04-06 16:09:07 +00:00
|
|
|
short_description: Generate OpenSSL Certificate Signing Request (CSR)
|
|
|
|
|
description:
|
|
|
|
|
- "This module allows one to (re)generates OpenSSL certificate signing requests.
|
|
|
|
|
It uses the pyOpenSSL python library to interact with openssl. This module support
|
|
|
|
|
the subjectAltName extension. Note: At least one of commonName or subjectAltName must
|
2017-07-19 12:47:23 +00:00
|
|
|
be specified. This module uses file common arguments to specify generated file permissions."
|
2017-04-06 16:09:07 +00:00
|
|
|
requirements:
|
|
|
|
|
- "python-pyOpenSSL"
|
|
|
|
|
options:
|
|
|
|
|
state:
|
|
|
|
|
required: false
|
|
|
|
|
default: "present"
|
|
|
|
|
choices: [ present, absent ]
|
|
|
|
|
description:
|
|
|
|
|
- Whether the certificate signing request should exist or not, taking action if the state is different from what is stated.
|
|
|
|
|
digest:
|
|
|
|
|
required: false
|
|
|
|
|
default: "sha256"
|
|
|
|
|
description:
|
|
|
|
|
- Digest used when signing the certificate signing request with the private key
|
|
|
|
|
privatekey_path:
|
|
|
|
|
required: true
|
|
|
|
|
description:
|
|
|
|
|
- Path to the privatekey to use when signing the certificate signing request
|
2017-07-19 10:02:29 +00:00
|
|
|
privatekey_passphrase:
|
|
|
|
|
required: false
|
|
|
|
|
description:
|
|
|
|
|
- The passphrase for the privatekey.
|
|
|
|
|
version_added: "2.4"
|
2017-04-06 16:09:07 +00:00
|
|
|
version:
|
|
|
|
|
required: false
|
|
|
|
|
default: 3
|
|
|
|
|
description:
|
|
|
|
|
- Version of the certificate signing request
|
|
|
|
|
force:
|
|
|
|
|
required: false
|
|
|
|
|
default: False
|
|
|
|
|
choices: [ True, False ]
|
|
|
|
|
description:
|
|
|
|
|
- Should the certificate signing request be forced regenerated by this ansible module
|
|
|
|
|
path:
|
|
|
|
|
required: true
|
|
|
|
|
description:
|
|
|
|
|
- Name of the folder in which the generated OpenSSL certificate signing request will be written
|
|
|
|
|
subjectAltName:
|
|
|
|
|
required: false
|
|
|
|
|
description:
|
2017-06-12 06:55:19 +00:00
|
|
|
- SAN extension to attach to the certificate signing request
|
2017-04-06 16:09:07 +00:00
|
|
|
countryName:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'C' ]
|
|
|
|
|
description:
|
|
|
|
|
- countryName field of the certificate signing request subject
|
|
|
|
|
stateOrProvinceName:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'ST' ]
|
|
|
|
|
description:
|
|
|
|
|
- stateOrProvinceName field of the certificate signing request subject
|
|
|
|
|
localityName:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'L' ]
|
|
|
|
|
description:
|
|
|
|
|
- localityName field of the certificate signing request subject
|
|
|
|
|
organizationName:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'O' ]
|
|
|
|
|
description:
|
|
|
|
|
- organizationName field of the certificate signing request subject
|
2017-07-19 09:17:45 +00:00
|
|
|
organizationalUnitName:
|
2017-04-06 16:09:07 +00:00
|
|
|
required: false
|
|
|
|
|
aliases: [ 'OU' ]
|
|
|
|
|
description:
|
2017-07-19 09:17:45 +00:00
|
|
|
- organizationalUnitName field of the certificate signing request subject
|
2017-04-06 16:09:07 +00:00
|
|
|
commonName:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'CN' ]
|
|
|
|
|
description:
|
|
|
|
|
- commonName field of the certificate signing request subject
|
|
|
|
|
emailAddress:
|
|
|
|
|
required: false
|
|
|
|
|
aliases: [ 'E' ]
|
|
|
|
|
description:
|
|
|
|
|
- emailAddress field of the certificate signing request subject
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
commonName: www.ansible.com
|
|
|
|
|
|
2017-07-19 10:02:29 +00:00
|
|
|
# Generate an OpenSSL Certificate Signing Request with a
|
|
|
|
|
# passphrase protected private key
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
privatekey_passphrase: ansible
|
|
|
|
|
commonName: www.ansible.com
|
|
|
|
|
|
2017-06-12 06:55:19 +00:00
|
|
|
# Generate an OpenSSL Certificate Signing Request with Subject information
|
2017-04-06 16:09:07 +00:00
|
|
|
- openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
countryName: FR
|
|
|
|
|
organizationName: Ansible
|
|
|
|
|
emailAddress: jdoe@ansible.com
|
|
|
|
|
commonName: www.ansible.com
|
|
|
|
|
|
|
|
|
|
# Generate an OpenSSL Certificate Signing Request with subjectAltName extension
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
subjectAltName: 'DNS:www.ansible.com,DNS:m.ansible.com'
|
|
|
|
|
|
|
|
|
|
# Force re-generate an OpenSSL Certificate Signing Request
|
|
|
|
|
- openssl_csr:
|
|
|
|
|
path: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
privatekey_path: /etc/ssl/private/ansible.com.pem
|
|
|
|
|
force: True
|
|
|
|
|
commonName: www.ansible.com
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RETURN = '''
|
|
|
|
|
csr:
|
|
|
|
|
description: Path to the generated Certificate Signing Request
|
2017-04-26 14:56:13 +00:00
|
|
|
returned: changed or success
|
2017-04-06 16:09:07 +00:00
|
|
|
type: string
|
|
|
|
|
sample: /etc/ssl/csr/www.ansible.com.csr
|
|
|
|
|
subject:
|
|
|
|
|
description: A dictionnary of the subject attached to the CSR
|
2017-04-26 14:56:13 +00:00
|
|
|
returned: changed or success
|
2017-04-06 16:09:07 +00:00
|
|
|
type: list
|
|
|
|
|
sample: {'CN': 'www.ansible.com', 'O': 'Ansible'}
|
|
|
|
|
subjectAltName:
|
|
|
|
|
description: The alternative names this CSR is valid for
|
2017-04-26 14:56:13 +00:00
|
|
|
returned: changed or success
|
2017-04-06 16:09:07 +00:00
|
|
|
type: string
|
|
|
|
|
sample: 'DNS:www.ansible.com,DNS:m.ansible.com'
|
|
|
|
|
'''
|
|
|
|
|
|
2017-04-06 17:41:18 +00:00
|
|
|
import errno
|
|
|
|
|
import os
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
from OpenSSL import crypto
|
|
|
|
|
except ImportError:
|
|
|
|
|
pyopenssl_found = False
|
|
|
|
|
else:
|
|
|
|
|
pyopenssl_found = True
|
|
|
|
|
|
2017-07-25 11:18:18 +00:00
|
|
|
from ansible.module_utils import crypto as crypto_utils
|
2017-04-06 17:41:18 +00:00
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
2017-07-03 10:07:42 +00:00
|
|
|
from ansible.module_utils._text import to_native
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class CertificateSigningRequestError(Exception):
|
|
|
|
|
pass
|
|
|
|
|
|
2017-04-06 17:41:18 +00:00
|
|
|
|
2017-04-06 16:09:07 +00:00
|
|
|
class CertificateSigningRequest(object):
|
|
|
|
|
|
|
|
|
|
def __init__(self, module):
|
|
|
|
|
self.state = module.params['state']
|
|
|
|
|
self.digest = module.params['digest']
|
|
|
|
|
self.force = module.params['force']
|
|
|
|
|
self.subjectAltName = module.params['subjectAltName']
|
|
|
|
|
self.path = module.params['path']
|
|
|
|
|
self.privatekey_path = module.params['privatekey_path']
|
2017-07-19 10:02:29 +00:00
|
|
|
self.privatekey_passphrase = module.params['privatekey_passphrase']
|
2017-04-06 16:09:07 +00:00
|
|
|
self.version = module.params['version']
|
|
|
|
|
self.changed = True
|
|
|
|
|
self.request = None
|
|
|
|
|
self.privatekey = None
|
|
|
|
|
|
|
|
|
|
self.subject = {
|
|
|
|
|
'C': module.params['countryName'],
|
|
|
|
|
'ST': module.params['stateOrProvinceName'],
|
|
|
|
|
'L': module.params['localityName'],
|
|
|
|
|
'O': module.params['organizationName'],
|
|
|
|
|
'OU': module.params['organizationalUnitName'],
|
|
|
|
|
'CN': module.params['commonName'],
|
|
|
|
|
'emailAddress': module.params['emailAddress'],
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if self.subjectAltName is None:
|
|
|
|
|
self.subjectAltName = 'DNS:%s' % self.subject['CN']
|
|
|
|
|
|
2017-07-13 13:42:48 +00:00
|
|
|
self.subject = dict((k, v) for k, v in self.subject.items() if v)
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
def generate(self, module):
|
|
|
|
|
'''Generate the certificate signing request.'''
|
|
|
|
|
|
|
|
|
|
if not os.path.exists(self.path) or self.force:
|
|
|
|
|
req = crypto.X509Req()
|
|
|
|
|
req.set_version(self.version)
|
|
|
|
|
subject = req.get_subject()
|
2017-04-06 17:41:18 +00:00
|
|
|
for (key, value) in self.subject.items():
|
2017-04-06 16:09:07 +00:00
|
|
|
if value is not None:
|
|
|
|
|
setattr(subject, key, value)
|
|
|
|
|
|
|
|
|
|
if self.subjectAltName is not None:
|
2017-07-13 13:42:48 +00:00
|
|
|
req.add_extensions([crypto.X509Extension(b"subjectAltName", False, self.subjectAltName.encode('ascii'))])
|
2017-04-06 16:09:07 +00:00
|
|
|
|
2017-07-25 11:18:18 +00:00
|
|
|
self.privatekey = crypto_utils.load_privatekey(
|
|
|
|
|
self.privatekey_path,
|
|
|
|
|
self.privatekey_passphrase
|
|
|
|
|
)
|
|
|
|
|
|
2017-04-06 16:09:07 +00:00
|
|
|
req.set_pubkey(self.privatekey)
|
|
|
|
|
req.sign(self.privatekey, self.digest)
|
|
|
|
|
self.request = req
|
|
|
|
|
|
|
|
|
|
try:
|
2017-07-13 13:42:48 +00:00
|
|
|
csr_file = open(self.path, 'wb')
|
2017-04-06 16:09:07 +00:00
|
|
|
csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request))
|
|
|
|
|
csr_file.close()
|
2017-07-03 10:07:42 +00:00
|
|
|
except (IOError, OSError) as exc:
|
|
|
|
|
raise CertificateSigningRequestError(exc)
|
2017-04-06 16:09:07 +00:00
|
|
|
else:
|
|
|
|
|
self.changed = False
|
|
|
|
|
|
|
|
|
|
file_args = module.load_file_common_arguments(module.params)
|
|
|
|
|
if module.set_fs_attributes_if_different(file_args, False):
|
|
|
|
|
self.changed = True
|
|
|
|
|
|
|
|
|
|
def remove(self):
|
|
|
|
|
'''Remove the Certificate Signing Request.'''
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
os.remove(self.path)
|
2017-07-03 10:07:42 +00:00
|
|
|
except OSError as exc:
|
|
|
|
|
if exc.errno != errno.ENOENT:
|
|
|
|
|
raise CertificateSigningRequestError(exc)
|
2017-04-06 16:09:07 +00:00
|
|
|
else:
|
|
|
|
|
self.changed = False
|
|
|
|
|
|
|
|
|
|
def dump(self):
|
2017-06-12 06:55:19 +00:00
|
|
|
'''Serialize the object into a dictionary.'''
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
result = {
|
|
|
|
|
'csr': self.path,
|
|
|
|
|
'subject': self.subject,
|
|
|
|
|
'subjectAltName': self.subjectAltName,
|
|
|
|
|
'changed': self.changed
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
module = AnsibleModule(
|
2017-04-06 17:41:18 +00:00
|
|
|
argument_spec=dict(
|
2017-04-06 16:09:07 +00:00
|
|
|
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
|
|
|
|
digest=dict(default='sha256', type='str'),
|
|
|
|
|
privatekey_path=dict(require=True, type='path'),
|
2017-07-19 10:02:29 +00:00
|
|
|
privatekey_passphrase=dict(type='str', no_log=True),
|
2017-04-06 16:09:07 +00:00
|
|
|
version=dict(default='3', type='int'),
|
|
|
|
|
force=dict(default=False, type='bool'),
|
|
|
|
|
subjectAltName=dict(aliases=['subjectAltName'], type='str'),
|
|
|
|
|
path=dict(required=True, type='path'),
|
|
|
|
|
countryName=dict(aliases=['C'], type='str'),
|
|
|
|
|
stateOrProvinceName=dict(aliases=['ST'], type='str'),
|
|
|
|
|
localityName=dict(aliases=['L'], type='str'),
|
|
|
|
|
organizationName=dict(aliases=['O'], type='str'),
|
|
|
|
|
organizationalUnitName=dict(aliases=['OU'], type='str'),
|
|
|
|
|
commonName=dict(aliases=['CN'], type='str'),
|
|
|
|
|
emailAddress=dict(aliases=['E'], type='str'),
|
|
|
|
|
),
|
2017-04-06 17:41:18 +00:00
|
|
|
add_file_common_args=True,
|
|
|
|
|
supports_check_mode=True,
|
2017-04-06 16:09:07 +00:00
|
|
|
required_one_of=[['commonName', 'subjectAltName']],
|
|
|
|
|
)
|
|
|
|
|
|
2017-07-13 13:42:48 +00:00
|
|
|
if not pyopenssl_found:
|
|
|
|
|
module.fail_json(msg='the python pyOpenSSL module is required')
|
|
|
|
|
|
2017-04-06 16:09:07 +00:00
|
|
|
path = module.params['path']
|
|
|
|
|
base_dir = os.path.dirname(module.params['path'])
|
|
|
|
|
|
|
|
|
|
if not os.path.isdir(base_dir):
|
|
|
|
|
module.fail_json(name=path, msg='The directory %s does not exist' % path)
|
|
|
|
|
|
|
|
|
|
csr = CertificateSigningRequest(module)
|
|
|
|
|
|
|
|
|
|
if module.params['state'] == 'present':
|
|
|
|
|
|
|
|
|
|
if module.check_mode:
|
|
|
|
|
result = csr.dump()
|
|
|
|
|
result['changed'] = module.params['force'] or not os.path.exists(path)
|
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
csr.generate(module)
|
2017-07-03 10:07:42 +00:00
|
|
|
except CertificateSigningRequestError as exc:
|
|
|
|
|
module.fail_json(msg=to_native(exc))
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
|
|
if module.check_mode:
|
|
|
|
|
result = csr.dump()
|
|
|
|
|
result['changed'] = os.path.exists(path)
|
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
csr.remove()
|
2017-07-03 10:07:42 +00:00
|
|
|
except CertificateSigningRequestError as exc:
|
|
|
|
|
module.fail_json(msg=to_native(exc))
|
2017-04-06 16:09:07 +00:00
|
|
|
|
|
|
|
|
result = csr.dump()
|
|
|
|
|
|
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
main()
|
