From 943888b9553bca40b18c3922f508645d09f53392 Mon Sep 17 00:00:00 2001
From: Chris Trufan <31186388+ctrufan@users.noreply.github.com>
Date: Sat, 7 Sep 2019 01:58:25 -0400
Subject: [PATCH] Fixes to ecs_certificate cert chain for #61738 (#61858)

* Fixes to ecs_certificate cert chain for #61738
* Added changelog fragment
* Fixes to ecs_certificate for cleaner join, and better integration test
* Fix integration test formatting
* End cert chain with a \n
* Update changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml
Co-Authored-By: Felix Fontein
* Update main.yml
---
 .../fragments/61738-ecs-certificate-invalid-chain.yaml | 2 ++
 lib/ansible/modules/crypto/entrust/ecs_certificate.py | 10 ++++++----
 .../integration/targets/ecs_certificate/tasks/main.yml | 10 ++++++++++
 test/integration/targets/ecs_certificate/vars/main.yml | 1 +
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml

diff --git a/changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml b/changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml
new file mode 100644
index 00000000000..6643e9d231b
--- /dev/null
+++ b/changelogs/fragments/61738-ecs-certificate-invalid-chain.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ecs_certificate - Fix formatting of contents of ``full_chain_path``.
diff --git a/lib/ansible/modules/crypto/entrust/ecs_certificate.py b/lib/ansible/modules/crypto/entrust/ecs_certificate.py
index b681b5ae3e6..23085a73b58 100644
--- a/lib/ansible/modules/crypto/entrust/ecs_certificate.py
+++ b/lib/ansible/modules/crypto/entrust/ecs_certificate.py
@@ -768,17 +768,19 @@ class EcsCertificate(object):
                 if self.backup:
                     self.backup_file = module.backup_local(self.path)
                 crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
-                if self.full_chain_path:
+                if self.full_chain_path and self.cert_details.get('chainCerts'):
                     if self.backup:
                         self.backup_full_chain_file = module.backup_local(self.full_chain_path)
-                    crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
+                    chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
+                    crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
             self.changed = True
         # If there is no certificate present in path but a tracking ID was specified, save it to disk
         elif not os.path.exists(self.path) and self.tracking_id:
             if not module.check_mode:
                 crypto_utils.write_file(module, to_bytes(self.cert_details.get('endEntityCert')))
-                if self.full_chain_path:
-                    crypto_utils.write_file(module, to_bytes(self.cert_details.get('chainCerts')), path=self.full_chain_path)
+                if self.full_chain_path and self.cert_details.get('chainCerts'):
+                    chain_string = '\n'.join(self.cert_details.get('chainCerts')) + '\n'
+                    crypto_utils.write_file(module, to_bytes(chain_string), path=self.full_chain_path)
             self.changed = True
 
     def dump(self):
diff --git a/test/integration/targets/ecs_certificate/tasks/main.yml b/test/integration/targets/ecs_certificate/tasks/main.yml
index b313d56014d..9cc9b8cf099 100644
--- a/test/integration/targets/ecs_certificate/tasks/main.yml
+++ b/test/integration/targets/ecs_certificate/tasks/main.yml
@@ -169,6 +169,7 @@
     - name: Test a request with all of the various optional possible fields populated
       ecs_certificate:
         path: '{{ example4_cert_path }}'
+        full_chain_path: '{{ example4_full_chain_path }}'
         csr: '{{ csr_path }}'
         subject_alt_name: '{{ example4_subject_alt_name }}'
         eku: '{{ example4_eku }}'
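Review bot: When `full_chain_path` is set but the response carries no `chainCerts`, both rewritten branches now skip the chain write silently and still fall through to `self.changed = True`, so the caller ends up with no chain file (or a stale one left from an earlier run) and no signal that the requested output was not produced; an `else` branch on the new condition should at least warn, e.g. `module.warn('full_chain_path is set but the ECS response contained no chainCerts; no chain file was written')`. The `chain_string` construction is duplicated verbatim in the two branches and would read better as one small helper on the class, say `_chain_pem(self)` returning `'\n'.join(self.cert_details.get('chainCerts')) + '\n'`. The join also assumes each `chainCerts` entry is a PEM block without its own trailing newline — if the API already terminates them, the file gets blank lines between blocks, harmless to parsers but worth confirming against a real response. The enclosing method starts before the hunk; `dump` begins on its last line.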
@@ -198,6 +199,15 @@
         - example4_result.tracking_id > 0
         - example4_result.serial_number is string
 
+    # For bug 61738, verify that the full chain is valid
+    - name: Verify that the full chain path can be successfully imported
+      command: openssl verify "{{ example4_full_chain_path }}"
+      register: openssl_result
+
+    - assert:
+        that:
+          - "' OK' in openssl_result.stdout_lines[0]"
+
   always:
     - name: clean-up temporary folder
       file:
diff --git a/test/integration/targets/ecs_certificate/vars/main.yml b/test/integration/targets/ecs_certificate/vars/main.yml
index b08ec552be0..8e617618497 100644
--- a/test/integration/targets/ecs_certificate/vars/main.yml
+++ b/test/integration/targets/ecs_certificate/vars/main.yml
@@ -49,3 +49,4 @@ example4_custom_fields:
   email2: sales@ansible.testcertificates.com
   dropdown2: Dropdown 2 Value 1
 example4_cert_expiry: 2020-08-15
+example4_full_chain_path: '{{ tmpdir_path }}/issuedcert_2_chain.pem'
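Review bot: The `openssl verify` task only inspects the chain file, which according to the write in ecs_certificate.py in this same patch holds `chainCerts` rather than the issued end-entity certificate, so it does not prove that the certificate at `example4_cert_path` actually chains through that file; passing the chain as untrusted intermediates and verifying the leaf is the stronger check: `command: openssl verify -untrusted "{{ example4_full_chain_path }}" "{{ example4_cert_path }}"`. The outcome also depends on the test host's default trust store containing the issuing root, so the assert can fail for environmental reasons unrelated to the module; if a known root is available to the test vars, pinning it with `-CAfile` would make the check deterministic. Since `command` already fails the play on a non-zero exit status, the substring assert on `stdout_lines[0]` is redundant, though harmless.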