From 0d88ec241fd6c24cd6194b4fa477a8478c7e4cbd Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 18 Aug 2019 20:48:34 +0200
Subject: [PATCH] openssl_certificate: fix idempotency (#60745)

* Fix openssl_certificate idempotency.
* Add changelog.
* Add integration test.
---
 .../60745-openssl_certificate-idempotency.yml | 2 ++
 .../modules/crypto/openssl_certificate.py | 3 ++-
 .../openssl_certificate/tasks/selfsigned.yml | 18 ++++++++++++++++++
 .../tests/validate_selfsigned.yml | 5 +++++
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/60745-openssl_certificate-idempotency.yml

diff --git a/changelogs/fragments/60745-openssl_certificate-idempotency.yml b/changelogs/fragments/60745-openssl_certificate-idempotency.yml
new file mode 100644
index 00000000000..35766efedd0
--- /dev/null
+++ b/changelogs/fragments/60745-openssl_certificate-idempotency.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - if both private key and CSR were specified, the idempotency check for ``selfsigned`` and ``ownca`` providers ignored the CSR."
diff --git a/lib/ansible/modules/crypto/openssl_certificate.py b/lib/ansible/modules/crypto/openssl_certificate.py
index a16ab4db2c3..b2499aadd7e 100644
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@@ -958,7 +958,8 @@ class Certificate(crypto_utils.OpenSSLObject):
 )
 except crypto_utils.OpenSSLBadPassphraseError as exc:
 raise CertificateError(exc)
- return self._validate_privatekey()
+ if not self._validate_privatekey():
+ return False
 
 if self.csr_path:
 self.csr = crypto_utils.load_certificate_request(self.csr_path, backend=self.backend)
diff --git a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
index 0dbe4c4fb04..8e145197c7f 100644
--- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
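Review bot: The new fall-through at `if not self._validate_privatekey(): return False` needs a comment explaining why the early `return self._validate_privatekey()` was dropped, because the old shape looks intentional and a later refactor could easily restore it: a certificate whose public key matches the private key can still disagree with the CSR (subject, SANs, other extensions), so a key match is necessary but not sufficient for the resource to be in its desired state. I would add `# A key match alone is not enough: fall through so the CSR (subject/extensions) is compared too.` directly above the `if not` line. Note also that the CSR load on the last context line is not wrapped like the key load is; if `load_certificate_request` raises a crypto_utils error on a malformed CSR it will surface as an unhandled exception rather than a `CertificateError` — worth confirming against that helper. The enclosing method (presumably `check()`, its `def` is outside the hunk) starts before and ends after this hunk, so what is returned when neither path is set is not visible here.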
+++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@@ -17,6 +17,13 @@
 subject:
 commonName: www.example.com
 
+- name: (Selfsigned, {{select_crypto_backend}}) Generate CSR
+ openssl_csr:
+ path: '{{ output_dir }}/csr_minimal_change.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ subject:
+ commonName: www.example.org
+
 - name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate
 openssl_certificate:
 path: '{{ output_dir }}/cert.pem'
@@ -47,6 +54,17 @@
 select_crypto_backend: '{{ select_crypto_backend }}'
 check_mode: yes
 
+- name: (Selfsigned, {{select_crypto_backend}}) Generate selfsigned certificate (check mode, other CSR)
+ openssl_certificate:
+ path: '{{ output_dir }}/cert.pem'
+ csr_path: '{{ output_dir }}/csr_minimal_change.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ provider: selfsigned
+ selfsigned_digest: sha256
+ select_crypto_backend: '{{ select_crypto_backend }}'
+ check_mode: yes
+ register: selfsigned_certificate_csr_minimal_change
+
 - name: (Selfsigned, {{select_crypto_backend}}) Check selfsigned certificate
 openssl_certificate:
 path: '{{ output_dir }}/cert.pem'
diff --git a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
index a357f7f8160..1c24effa11d 100644
--- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
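Review bot: The regression task added in the second hunk exercises only `provider: selfsigned`, while the changelog in this same patch states the fix also covers the `ownca` provider and the diffstat shows no ownca test file being touched, so the ownca code path is fixed but unpinned. A mirror of this task for ownca — the same `csr_minimal_change.csr` and `privatekey.pem`, `provider: ownca` with the CA key and certificate the existing ownca tests already use, `check_mode: yes`, registered under its own name and asserted `is changed` — would close that gap. The check-mode run here also only shows the CSR difference is detected; a non-check-mode run with the other CSR followed by a rerun would additionally confirm the module converges (second run `is not changed`) instead of reporting a change on every play. The trailing `Check selfsigned certificate` task continues past the hunk boundary.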
@@ -30,6 +30,11 @@
 - selfsigned_certificate.notBefore == selfsigned_certificate_idempotence.notBefore
 - selfsigned_certificate.notAfter == selfsigned_certificate_idempotence.notAfter
 
+- name: Make sure that changes in CSR are detected even if private key is specified
+ assert:
+ that:
+ - selfsigned_certificate_csr_minimal_change is changed
+
 - block:
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate v2 (test - certificate version == 2)
 shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
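Review bot: The new assert only pins the positive case — a different CSR with the same key is reported as `changed` — and has no negative control for the exact condition in the changelog, namely that passing both `privatekey_path` and `csr_path` with the original CSR is reported as not changed. If the existing `selfsigned_certificate_idempotence` run (compared via `notBefore`/`notAfter` just above) does not pass both parameters, that control is missing and a regression that reports a change unconditionally would still pass this file. I would extend `that:` with `- selfsigned_certificate_idempotence is not changed` once that task is confirmed to supply both paths, and since the new task runs in check mode, also assert that `cert.pem` was not rewritten (a `stat` checksum before and after, or the existing `notBefore`/`notAfter` comparison against a result registered after it). Whether a later task in this file already does so cannot be seen from this hunk.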