[2.7] openssl_certificate, fixed has_expired to check the cert expiration date (#53203)

* Type error in openssl_certificate (#47508) * Fixed #47505: Type error in openssl_certificate * Use to_bytes instead of str.encode in SelfSignedCertificate. Updates #47508 * Use to_bytes instead of str.encode in OwnCACertificate * Added integration tests for openssl_certificate: selfsigned_not_before/after and ownca_not_before/after (cherry picked from commit 5b1c68579d) * openssl_certificate, fixed has_expired to check the cert expiration date (#53168) (cherry picked from commit d5d92e4a70) * Use fixed timestamp in past instead of relative time (relative times are a feature of devel). * Add changelog for #47508.
6 years ago · 597db1dc28
parent 59beb460d8
commit 597db1dc28
9 changed files with 132 additions and 12 deletions
--- a/changelogs/fragments/47508-openssl_certificate-fix-not-before-after.yml
+++ b/changelogs/fragments/47508-openssl_certificate-fix-not-before-after.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - fix Python 3 string/bytes problems for `notBefore`/`notAfter` for self-signed and ownCA providers."
--- a/changelogs/fragments/openssl_certificate_fix_has_expired.yml
+++ b/changelogs/fragments/openssl_certificate_fix_has_expired.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - openssl_certificate - ``has_expired`` correctly checks if the certificate is expired or not
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@ -179,10 +179,11 @@ options:
        version_added: "2.5"

    has_expired:
-        default: False
-        type: bool
        description:
-            - Checks if the certificate is expired/not expired at the time the module is executed.
+            - Checks if the certificate is expired/not expired at the time the module is executed. This only applies to
+              the C(assertonly) provider.
+        type: bool
+        default: no

    version:
        description:
@ -521,11 +522,11 @@ class SelfSignedCertificate(Certificate):
            cert = crypto.X509()
            cert.set_serial_number(self.serial_number)
            if self.notBefore:
-                cert.set_notBefore(self.notBefore)
+                cert.set_notBefore(to_bytes(self.notBefore))
            else:
                cert.gmtime_adj_notBefore(0)
            if self.notAfter:
-                cert.set_notAfter(self.notAfter)
+                cert.set_notAfter(to_bytes(self.notAfter))
            else:
                # If no NotAfter specified, expire in
                # 10 years. 315360000 is 10 years in seconds.
@ -618,11 +619,11 @@ class OwnCACertificate(Certificate):
            cert = crypto.X509()
            cert.set_serial_number(self.serial_number)
            if self.notBefore:
-                cert.set_notBefore(self.notBefore.encode())
+                cert.set_notBefore(to_bytes(self.notBefore))
            else:
                cert.gmtime_adj_notBefore(0)
            if self.notAfter:
-                cert.set_notAfter(self.notAfter.encode())
+                cert.set_notAfter(to_bytes(self.notAfter))
            else:
                # If no NotAfter specified, expire in
                # 10 years. 315360000 is 10 years in seconds.
@ -763,11 +764,18 @@ class AssertOnlyCertificate(Certificate):
                    )

        def _validate_has_expired():
-            if self.has_expired:
-                if self.has_expired != self.cert.has_expired():
-                    self.message.append(
-                        'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (self.cert.has_expired(), self.has_expired)
-                    )
+            # The following 3 lines are the same as the current PyOpenSSL code for cert.has_expired().
+            # Older version of PyOpenSSL have a buggy implementation,
+            # to avoid issues with those we added the code from a more recent release here.
+
+            time_string = to_native(self.cert.get_notAfter())
+            not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
+            cert_expired = not_after < datetime.datetime.utcnow()
+
+            if self.has_expired != cert_expired:
+                self.message.append(
+                    'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (cert_expired, self.has_expired)
+                )

        def _validate_version():
            if self.version:
--- a/test/integration/targets/openssl_certificate/tasks/expired.yml
+++ b/test/integration/targets/openssl_certificate/tasks/expired.yml
@ -0,0 +1,39 @@
+---
+- name: Generate privatekey
+  openssl_privatekey:
+    path: '{{ output_dir }}/has_expired_privatekey.pem'
+
+- name: Generate CSR
+  openssl_csr:
+    path: '{{ output_dir }}/has_expired_csr.csr'
+    privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
+    subject:
+      commonName: www.example.com
+
+- name: Generate expired selfsigned certificate
+  openssl_certificate:
+    path: '{{ output_dir }}/has_expired_cert.pem'
+    csr_path: '{{ output_dir }}/has_expired_csr.csr'
+    privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "20181231000000Z"
+
+- name: "Check task fails because cert is expired (has_expired: false)"
+  openssl_certificate:
+    provider: assertonly
+    path: "{{ output_dir }}/has_expired_cert.pem"
+    has_expired: false
+  ignore_errors: true
+  register: expired_cert_check
+
+- name: Ensure previous task failed
+  assert:
+    that: expired_cert_check is failed
+
+- name: "Check expired cert check is ignored (has_expired: true)"
+  openssl_certificate:
+    provider: assertonly
+    path: "{{ output_dir }}/has_expired_cert.pem"
+    has_expired: true
+  register: expired_cert_skip
--- a/test/integration/targets/openssl_certificate/tasks/main.yml
+++ b/test/integration/targets/openssl_certificate/tasks/main.yml
@ -1,5 +1,7 @@
 - block:

+    - import_tasks: expired.yml
+
    - import_tasks: selfsigned.yml

    - import_tasks: ownca.yml
--- a/test/integration/targets/openssl_certificate/tasks/ownca.yml
+++ b/test/integration/targets/openssl_certificate/tasks/ownca.yml
@ -116,4 +116,15 @@
    issuer:
      commonName: Example CA

+- name: Create ownca certificate with notBefore and notAfter
+  openssl_certificate:
+    provider: ownca
+    ownca_not_before: 20181023133742Z
+    ownca_not_after: 20191023133742Z
+    path: "{{ output_dir }}/ownca_cert3.pem"
+    csr_path: "{{ output_dir }}/csr.csr"
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+    ownca_path: '{{ output_dir }}/ca_cert.pem'
+    ownca_privatekey_path: '{{ output_dir }}/ca_privatekey.pem'
+      
 - import_tasks: ../tests/validate_ownca.yml
--- a/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tasks/selfsigned.yml
@ -114,4 +114,24 @@
      - ipsecUser
      - biometricInfo

+- name: Create private key 3
+  openssl_privatekey:
+    path: "{{ output_dir }}/privatekey3.pem"
+
+- name: Create CSR 3
+  openssl_csr:
+    subject:
+      CN: www.example.com
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+    path: "{{ output_dir }}/csr3.pem"
+        
+- name: Create certificate3 with notBefore and notAfter
+  openssl_certificate:
+    provider: selfsigned
+    selfsigned_not_before: 20181023133742Z
+    selfsigned_not_after: 20191023133742Z
+    path: "{{ output_dir }}/cert3.pem"
+    csr_path: "{{ output_dir }}/csr3.pem"
+    privatekey_path: "{{ output_dir }}/privatekey3.pem"
+        
 - import_tasks: ../tests/validate_selfsigned.yml
--- a/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_ownca.yml
@ -47,3 +47,21 @@
  assert:
    that:
      - ownca_cert2_modulus.stdout == privatekey2_modulus.stdout
+
+- name: Validate owncal certificate3 (test - notBefore)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: ownca_cert3_notBefore
+
+- name: Validate ownca certificate3 (test - notAfter)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/ownca_cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: ownca_cert3_notAfter
+
+- name: Validate ownca certificate3 (assert - notBefore)
+  assert:
+    that:
+      - ownca_cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
+
+- name: Validate ownca certificate3 (assert - notAfter)
+  assert:
+    that:
+      - ownca_cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'
--- a/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate_selfsigned.yml
@ -50,3 +50,21 @@
  assert:
    that:
      - cert2_modulus.stdout == privatekey2_modulus.stdout
+
+- name: Validate certificate3 (test - notBefore)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not Before" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: cert3_notBefore
+
+- name: Validate certificate3 (test - notAfter)
+  shell: 'openssl x509 -noout -in {{ output_dir }}/cert3.pem -text | grep "Not After" | sed "s/.*: \(.*\) .*/\1/g"'
+  register: cert3_notAfter
+
+- name: Validate certificate3 (assert - notBefore)
+  assert:
+    that:
+      - cert3_notBefore.stdout == 'Oct 23 13:37:42 2018'
+
+- name: Validate certificate3 (assert - notAfter)
+  assert:
+    that:
+      - cert3_notAfter.stdout == 'Oct 23 13:37:42 2019'