mirror of https://github.com/ansible/ansible.git
Add simple module to import/delete ssl certificate from/to java keystore (#20274)
* Add simple module to import/delete ssl certificate from/to java keystore. * add diff/check mode support, fix reported issues and simplify decision logic * Fix build by adding new line at the end of file. * Some updates to module requested PR review * Add simple executable parameter * Fix build errorpull/19530/head
parent
e5b990a55a
commit
6cf8318468
@ -0,0 +1,281 @@
|
||||
#!/usr/bin/python
|
||||
#
|
||||
# (c) 2013, RSD Services S.A
|
||||
#
|
||||
# This file is part of Ansible
|
||||
#
|
||||
# Ansible is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Ansible is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
ANSIBLE_METADATA = {'status': ['preview'],
|
||||
'supported_by': 'community',
|
||||
'version': '1.0'}
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: java_cert
|
||||
version_added: '2.3'
|
||||
short_description: Uses keytool to import/remove key from java keystore(cacerts)
|
||||
description:
|
||||
- This is a wrapper module around keytool. Which can be used to import/remove
|
||||
certificates from a given java keystore.
|
||||
options:
|
||||
cert_url:
|
||||
description:
|
||||
- Basic URL to fetch SSL certificate from. One of cert_url or cert_path is required to load certificate.
|
||||
cert_port:
|
||||
description:
|
||||
- Port to connect to URL. This will be used to create server URL:PORT
|
||||
default: 443
|
||||
cert_path:
|
||||
description:
|
||||
- Local path to load certificate from. One of cert_url or cert_path is required to load certificate.
|
||||
cert_alias:
|
||||
description:
|
||||
- Imported certificate alias.
|
||||
keystore_path:
|
||||
description:
|
||||
- Path to keystore.
|
||||
keystore_pass:
|
||||
description:
|
||||
- Keystore password.
|
||||
required: true
|
||||
keystore_create:
|
||||
description:
|
||||
- Create keystore if it doesn't exist
|
||||
executable:
|
||||
description:
|
||||
- Path to keytool binary if not used we search in PATH for it.
|
||||
default: keytool
|
||||
state:
|
||||
description:
|
||||
- Defines action which can be either certificate import or removal.
|
||||
choices: [ 'present', 'absent' ]
|
||||
default: present
|
||||
|
||||
author: Adam Hamsik @haad
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Import SSL certificate from google.com to a given cacerts keystore
|
||||
java_cert:
|
||||
cert_url: google.com
|
||||
cert_port: 443
|
||||
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
|
||||
keystore_pass: changeit
|
||||
state: present
|
||||
|
||||
# Remove certificate with given alias from a keystore
|
||||
java_cert:
|
||||
cert_url: google.com
|
||||
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
|
||||
keystore_pass: changeit
|
||||
executable: /usr/lib/jvm/jre7/bin/keytool
|
||||
state: absent
|
||||
|
||||
# Import SSL certificate from google.com to a keystore,
|
||||
# create it if it doesn't exist
|
||||
java_cert:
|
||||
cert_url: google.com
|
||||
keystore_path: /tmp/cacerts
|
||||
keystore_pass: changeit
|
||||
keystore_create: yes
|
||||
state: present
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
msg:
|
||||
description: Output from stdout of keytool command after execution of given command.
|
||||
returned: success
|
||||
type: string
|
||||
sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'"
|
||||
|
||||
rc:
|
||||
description: Keytool command execution return value
|
||||
returned: success
|
||||
type: int
|
||||
sample: "0"
|
||||
|
||||
cmd:
|
||||
description: Executed command to get action done
|
||||
returned: success
|
||||
type: string
|
||||
sample: "keytool -importcert -noprompt -keystore"
|
||||
'''
|
||||
|
||||
import os
|
||||
|
||||
# import module snippets
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
||||
def check_cert_present(module, executable, keystore_path, keystore_pass, alias):
|
||||
''' Check if certificate with alias is present in keystore
|
||||
located at keystore_path '''
|
||||
test_cmd = ("%s -noprompt -list -keystore '%s' -storepass '%s' "
|
||||
"-alias '%s'")%(executable, keystore_path, keystore_pass, alias)
|
||||
|
||||
(check_rc, _, _) = module.run_command(test_cmd)
|
||||
if check_rc == 0:
|
||||
return True
|
||||
return False
|
||||
|
||||
def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias):
|
||||
''' Import certificate from URL into keystore located at keystore_path '''
|
||||
fetch_cmd = ("%s -printcert -rfc -sslserver %s:%d")%(executable, url, port)
|
||||
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
|
||||
"-storepass '%s' -alias '%s'")%(executable, keystore_path,
|
||||
keystore_pass, alias)
|
||||
|
||||
if module.check_mode:
|
||||
module.exit_json(changed=True)
|
||||
|
||||
# Fetch SSL certificate from remote host.
|
||||
(_, fetch_out, _) = module.run_command(fetch_cmd, check_rc=True)
|
||||
|
||||
# Use remote certificate from remote host and import it to a java keystore
|
||||
(import_rc, import_out, import_err) = module.run_command(import_cmd,
|
||||
data=fetch_out,
|
||||
check_rc=False)
|
||||
diff = {'before': '\n', 'after': '%s\n'%alias}
|
||||
if import_rc == 0:
|
||||
return module.exit_json(changed=True, msg=import_out,
|
||||
rc=import_rc, cmd=import_cmd, stdout=import_out,
|
||||
diff=diff)
|
||||
else:
|
||||
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd,
|
||||
error=import_err)
|
||||
|
||||
def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias):
|
||||
''' Import certificate from path into keystore located on
|
||||
keystore_path as alias '''
|
||||
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
|
||||
"-storepass '%s' -file '%s' -alias '%s'")%(executable,
|
||||
keystore_path,
|
||||
keystore_pass,
|
||||
path, alias)
|
||||
|
||||
if module.check_mode:
|
||||
module.exit_json(changed=True)
|
||||
|
||||
# Use local certificate from local path and import it to a java keystore
|
||||
(import_rc, import_out, import_err) = module.run_command(import_cmd,
|
||||
check_rc=False)
|
||||
|
||||
diff = {'before': '\n', 'after': '%s\n'%alias}
|
||||
if import_rc == 0:
|
||||
return module.exit_json(changed=True, msg=import_out,
|
||||
rc=import_rc, cmd=import_cmd, stdout=import_out,
|
||||
error=import_err, diff=diff)
|
||||
else:
|
||||
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
|
||||
|
||||
def delete_cert(module, executable, keystore_path, keystore_pass, alias):
|
||||
''' Delete cerificate identified with alias from keystore on keystore_path '''
|
||||
del_cmd = ("%s -delete -keystore '%s' -storepass '%s' "
|
||||
"-alias '%s'")%(executable, keystore_path, keystore_pass, alias)
|
||||
|
||||
if module.check_mode:
|
||||
module.exit_json(changed=True)
|
||||
|
||||
# Delete SSL certificate from keystore
|
||||
(del_rc, del_out, del_err) = module.run_command(del_cmd, check_rc=True)
|
||||
|
||||
diff = {'before': '%s\n'%alias, 'after': None}
|
||||
|
||||
return module.exit_json(changed=True, msg=del_out,
|
||||
rc=del_rc, cmd=del_cmd, stdout=del_out,
|
||||
error=del_err, diff=diff)
|
||||
|
||||
def test_keytool(module, executable):
|
||||
''' Test if keytool is actuall executable or not '''
|
||||
test_cmd = "%s"%(executable)
|
||||
|
||||
module.run_command(test_cmd, check_rc=True)
|
||||
|
||||
def test_keystore(module, keystore_path):
|
||||
''' Check if we can access keystore as file or not '''
|
||||
if keystore_path is None:
|
||||
keystore_path = ''
|
||||
|
||||
if not os.path.exists(keystore_path) and not os.path.isfile(keystore_path):
|
||||
## Keystore doesn't exist we want to create it
|
||||
return module.fail_json(changed=False,
|
||||
msg="Module require existing keystore at keystore_path '%s'"
|
||||
%(keystore_path))
|
||||
|
||||
def main():
|
||||
argument_spec = dict(
|
||||
cert_url=dict(type='str'),
|
||||
cert_path=dict(type='str'),
|
||||
cert_alias=dict(type='str'),
|
||||
cert_port=dict(default='443', type='int'),
|
||||
keystore_path=dict(type='str'),
|
||||
keystore_pass=dict(required=True, type='str'),
|
||||
keystore_create=dict(default=False, type='bool'),
|
||||
executable=dict(default='keytool', type='str'),
|
||||
state=dict(default='present',
|
||||
choices=['present', 'absent'])
|
||||
)
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=argument_spec,
|
||||
required_one_of=[['cert_path', 'cert_url']],
|
||||
required_together=[['keystore_path', 'keystore_pass']],
|
||||
mutually_exclusive=[
|
||||
['cert_url', 'cert_path']
|
||||
],
|
||||
supports_check_mode=True,
|
||||
)
|
||||
|
||||
url = module.params.get('cert_url')
|
||||
path = module.params.get('cert_path')
|
||||
port = module.params.get('cert_port')
|
||||
cert_alias = module.params.get('cert_alias') or url
|
||||
|
||||
keystore_path = module.params.get('keystore_path')
|
||||
keystore_pass = module.params.get('keystore_pass')
|
||||
keystore_create = module.params.get('keystore_create')
|
||||
executable = module.params.get('executable')
|
||||
state = module.params.get('state')
|
||||
|
||||
if path and not cert_alias:
|
||||
module.fail_json(changed=False,
|
||||
msg="Using local path import from %s requires alias argument."
|
||||
%(keystore_path))
|
||||
|
||||
test_keytool(module, executable)
|
||||
|
||||
if not keystore_create:
|
||||
test_keystore(module, keystore_path)
|
||||
|
||||
cert_present = check_cert_present(module, executable, keystore_path,
|
||||
keystore_pass, cert_alias)
|
||||
|
||||
if state == 'absent':
|
||||
if cert_present:
|
||||
delete_cert(module, executable, keystore_path, keystore_pass, cert_alias)
|
||||
|
||||
elif state == 'present':
|
||||
if not cert_present:
|
||||
if path:
|
||||
import_cert_path(module, executable, path, keystore_path,
|
||||
keystore_pass, cert_alias)
|
||||
|
||||
if url:
|
||||
import_cert_url(module, executable, url, port, keystore_path,
|
||||
keystore_pass, cert_alias)
|
||||
|
||||
module.exit_json(changed=False)
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
Loading…
Reference in New Issue