Currently when we make up the return value, we take values based of the
parameters rather than the generated openssl_certificate itself.
This commits returns the actual certificate values making it all time
accurate.
* allow multiple values per key in name fields in openssl_certificate
* check correct side of comparison
* trigger only on lists
* add subject parameter to openssl_csr
* fix key: value mapping not skipping None elements
* temporary fix for undefined "subject" field
* fix iteration over subject entries
* fix docs
* quote sample string
* allow csr with only subject defined
* fix integration test
* look up NIDs before comparing, add hidden _strict params
* deal with empty issuer/subject fields
* adapt integration tests
* also normalize output from pyopenssl
* fix issue with _sanitize_inputs
* don't convert empty lists
* workaround for pyopenssl limitations
* properly encode the input to the txt2nid function
* another to_bytes fix
* make subject, commonname and subjecAltName completely optional
* don't compare hashes of keys in openssl_csr integration tests
* add integration test for old API in openssl_csr
* compare keys directly in certificate and publickey integration tests
* fix typo
Currently the check() method for idempotence only assumes the public
key is under the form of a PEM file when its not always the case.
The module openssl_publickey allows one to generate OpenSSH format
publickey. This leads to idempotence not being detected.
Removing 'md5' checksum checking as simply comparing current and desired publickey does the expected job.
Signed-off-by: Satyajit Bulage <sbulage@redhat.com>
All crypto modules uses file common arguments to specify generated file
permissions. This commits aims to add the extends_documentation_fragment
in the doc so it is automatically stated.
Currently during the check phase, the code considers the file to be
a public key if the file exist - which is not necessarily true.
This commits aims to ensure that the file is actually a publickey else
returns false for the check.
keyUsage and extendedKeyUsage are currently statically limited via a
static dict defined in modules_utils/crypto.py. If one specify a value
that isn't in there, idempotency won't work.
Instead of having static dict, we uses keyUsage and extendedKyeUsage
values OpenSSL NID and compare those rather than comparing strings.
Fixes: https://github.com/ansible/ansible/issues/30316
Current openssl_certificate is mistakenly taking its derivating its
version number from the csr version number.
Thos two fields are completly unrelated and hence the version number of
the certificate should be able to be directly specified (via
selfsigned_version parameter).
* openssl_certificate: Fix parameter assertion in Python3
Parameter assertion in Python3 is broken. pyOpenSSL get_X() functions
returns b'' type string and tries to compare it with '' string, leading
to failure.
The error mentionned above has been fixed by sanitizing the inputs from
a user to the assert only backend.
Also, this error was hidden by the fact that the improper check method
was called in the generate() functions.
* Add simple integration test for openssl_certificate
* remove subject == issuer assertion
* run integration tests only on supported hosts
* change min supported version to 0.15.x
* Add test for more CSR fields
* also convert dict members to bytes
* fix version_compare
* openssl_{csr, certificate}: Fail if pyOpenSSL <= 0.15
Previous 0.13 pyOpenSSL was a C-binding, and required the parameter
passed to add_extention to be in ASN.1. This has changed with the move
to 0.14 and it is now all pythong and string based.
Previous the 0.15 release, the `get_extensions()` method didn't exist,
since the modules rely heavily on it we ensure pyOpenSSL version is at
last 0.15.0.
* check pyopenssl version in openssl_csr integration test
This commit aims to add the openssl_certificate module.
This module allows a user to manage openssl certificates.
This module implement the notion of backend provider, making this module
extensible to anyone wish as long as a provider is coded for it.
The current three providers are the following:
* selfsigned: Allows a user to self signed a certificate
* acme: Allow a user to generate acme-based CA challenges certificate.
(As of this writing this targets letsencrypt)
* assertonly: Allow a user to assert the characteristic of her SSL
certificate
Co-Authored-By: Markus Teufelberger <mteufelberger+ansible@mgit.at>
* openssl_privatekey: Extend test coverage
Extend the coverage of the integration test for the module
openssl_privatekey.
New tests have been added:
* passphrase
* idempotence
* removal
Co-Authored-By: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
* openssl_publickey: Extend test coverage
Extend the coverage on the integration test for the module
openssl_publickey.
New tests have been added:
* OpenSSH format
* passphrase
* idempotence
* removal
When comparing expected and current value for keyUsage and
extendedKeyUsage current behavior is not deterministic.
As we compare two arrays, based on the order the value have been
specified, False might be returned when the two arrays actually matches.
In order to have a deterministic comparison we compare sets rather than
arrays.
Allow user to mark the x509v3 extensions as critical, by specifying the
$extension_critical boolean, where $extension is the name of the
extension.
Currently this module supports only 3 differents x509v3 extensions:
* keyUsage
* extendedKeyUsage
* subjectAtlName
There are more to come.
* openssl_csr: make subjectAltNames a list
* csr module now uses the new standard way to build openssl crypto modules
* add check functions for subject and subjectAltNames
* added support for keyUsage and extendedKeyUsage
* check if CSR signature is correct (aka the privatekey belongs to the CSR)
* fixes for first PR review
* fixes for second PR review
* openssl_csr: there is no need to pass on privatekey as it can be accessed directly
* openssl_csr: documentation fixes
The OpenSSLObject class has been merged[1]. This commit makes the
openssl_publickey rely on this class and standardize the way openssl
module should be written.
[1] #26945
The OpenSSLObject class has been merged[1]. This commit makes the
openssl_privatekey rely on this class and standardize the way openssl
module should be written.
Co-Authored-By: Christian Pointner <cpointner@mgit.at>
[1] https://github.com/ansible/ansible/pull/26945
Crypto namespace contains the openssl modules. It has no integration
testing as of now.
This commits aims to add integration tests for the crypto namespace.
This will make it easier to spot breaking changes in the future.
This tests currently apply to:
* openssl_privatekey
* openssl_publickey
* openssl_csr
Public key can be extracted extracted in different format from
the PEM formatted RSA pair.
This commit allows the user to specify the format s/he wants to generate
the public key:
* PEM
* OpenSSH
* openssl_publickey: Allow one to specify file permission
Allow a user to specify file permissions on the generated publickey via
the file module common arguments.
* openssl: Add documentation regarding file_common_args
Add documentation for those modules to let the user know that he can
rely on file_common_args to specify file permissions.
The commit was started before 2.3 was branched, but was only merged once
2.3 was actually branched. This leads to documentation stating this
module is new in 2.3 when it will be actually new in 2.4
Changes to the metadata format were approved here:
https://github.com/ansible/proposals/issues/54
* Update documentation to the new metadata format
* Changes to metadata-tool to account for new metadata
* Add GPL license header
* Add upgrade subcommand to upgrade metadata version
* Change default metadata to the new format
* Fix exclusion of non-modules from the metadata report
* Fix ansible-doc for new module metadata
* Exclude metadata version from ansible-doc output
* Fix website docs generation for the new metadata
* Update metadata schema in valiate-modules test
* Update the metadata in all modules to the new version
* Update validate-modules
* Validates ANSIBLE_METADATA
* Ensures imports happen after documentation vars
* Some pep8 cleanup
* Clean up some left over unneeded code
* Update modules for new module guidelines and validate-modules checks
* Update imports for ec2_vpc_route_table and ec2_vpc_nat_gateway
MarkusTeufelberger
Yanis Guenane
Abhijeet Kasurde
Thom Wiggers
Satyajit Bulage
Christian Pointner
René Moser
Toshio Kuratomi
Yanis Guenane
Christian Pointner
Andrea Tartaglia
Matt Martz
Matt Clay
James Cammarata