From a724b8e722d1ae5aa7e23f79311939e45c686220 Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Mon, 18 Dec 2017 10:04:34 +0100
Subject: [PATCH] openssl_certificate: Return self.cert.get_VALUES() (#33970)
Currently when we make up the return value, we take values based of the parameters rather than the generated openssl_certificate itself. This commits returns the actual certificate values making it all time accurate.
---
 lib/ansible/modules/crypto/openssl_certificate.py | 14 ++++++--------
 .../targets/openssl_certificate/tasks/main.yml | 10 ++++++++++
 .../targets/openssl_certificate/tests/validate.yml | 7 +++++++
 3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/lib/ansible/modules/crypto/openssl_certificate.py b/lib/ansible/modules/crypto/openssl_certificate.py
index 6261839e190..c28bac1b4b4 100644
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@@ -378,7 +378,6 @@ class SelfSignedCertificate(Certificate):
 def __init__(self, module):
 super(SelfSignedCertificate, self).__init__(module)
- self.serial_number = randint(1000, 99999)
 self.notBefore = module.params['selfsigned_notBefore']
 self.notAfter = module.params['selfsigned_notAfter']
 self.digest = module.params['selfsigned_digest']
@@ -387,7 +386,6 @@ class SelfSignedCertificate(Certificate):
 self.privatekey = crypto_utils.load_privatekey(
 self.privatekey_path, self.privatekey_passphrase
 )
- self.cert = None
 def generate(self, module):
@@ -403,7 +401,7 @@ class SelfSignedCertificate(Certificate):
 if not self.check(module, perms_required=False) or self.force:
 cert = crypto.X509()
- cert.set_serial_number(self.serial_number)
+ cert.set_serial_number(randint(1000, 99999))
 if self.notBefore:
 cert.set_notBefore(self.notBefore)
 else:
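Review bot: The moved `cert.set_serial_number(randint(1000, 99999))` still draws the serial from the `random` module, which is not a cryptographically secure generator, and from a range of under 17 bits, so two self-signed certificates issued under the same key (for example after a `force` regeneration) have a realistic chance of sharing a serial. RFC 5280 requires the serial to be unique per issuer and allows up to 20 octets, and the usual CA/Browser Forum baseline is at least 64 bits of CSPRNG output so a serial can be neither predicted nor reused. `cert.set_serial_number(random.SystemRandom().getrandbits(64))` keeps the same call shape, works on both Python 2 and 3, and needs only `SystemRandom` from the already-used `random` module. This is pre-existing behaviour the commit relocates rather than introduces; generate()'s body starts and ends outside the hunk.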
@@ -420,11 +418,11 @@ class SelfSignedCertificate(Certificate):
 cert.add_extensions(self.csr.get_extensions())
 cert.sign(self.privatekey, self.digest)
- self.certificate = cert
+ self.cert = cert
 try:
 with open(self.path, 'wb') as cert_file:
- cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, self.certificate))
+ cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert))
 except EnvironmentError as exc:
 raise CertificateError(exc)
@@ -441,9 +439,9 @@ class SelfSignedCertificate(Certificate):
 'filename': self.path,
 'privatekey': self.privatekey_path,
 'csr': self.csr_path,
- 'notBefore': self.notBefore,
- 'notAfter': self.notAfter,
- 'serial_number': self.serial_number,
+ 'notBefore': self.cert.get_notBefore(),
+ 'notAfter': self.cert.get_notAfter(),
+ 'serial_number': self.cert.get_serial_number(),
 }
 return result
diff --git a/test/integration/targets/openssl_certificate/tasks/main.yml b/test/integration/targets/openssl_certificate/tasks/main.yml
index f60fe50df21..c049ef47e1b 100644
--- a/test/integration/targets/openssl_certificate/tasks/main.yml
+++ b/test/integration/targets/openssl_certificate/tasks/main.yml
@@ -17,6 +17,16 @@
 privatekey_path: '{{ output_dir }}/privatekey.pem'
 provider: selfsigned
 selfsigned_digest: sha256
+ register: selfsigned_certificate
+
+ - name: Generate selfsigned certificate
+ openssl_certificate:
+ path: '{{ output_dir }}/cert.pem'
+ csr_path: '{{ output_dir }}/csr.csr'
+ privatekey_path: '{{ output_dir }}/privatekey.pem'
+ provider: selfsigned
+ selfsigned_digest: sha256
+ register: selfsigned_certificate_idempotence
 - name: Check selfsigned certificate
 openssl_certificate:
diff --git a/test/integration/targets/openssl_certificate/tests/validate.yml b/test/integration/targets/openssl_certificate/tests/validate.yml
index 5e846c47f27..11343b65f51 100644
--- a/test/integration/targets/openssl_certificate/tests/validate.yml
+++ b/test/integration/targets/openssl_certificate/tests/validate.yml
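Review bot: The three new result lines in dump() dereference `self.cert` unconditionally, yet within this patch `self.cert` is only assigned inside the regeneration branch of generate() (the @@ -420 hunk) and the @@ -387 hunk removes the `self.cert = None` initialiser from `__init__`; unless the base class's check() loads the existing file into `self.cert` (not visible here), the no-change run that the new `selfsigned_certificate_idempotence` task exercises, and any check-mode path that reaches dump() before generate(), will raise AttributeError instead of returning a result. A guard at the top of the result construction makes dump() self-sufficient: `if self.cert is None:` / `    with open(self.path, 'rb') as cert_file:` / `        self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_file.read())`. Separately, pyOpenSSL's `get_notBefore()`/`get_notAfter()` return the ASN.1 time as bytes on Python 3, whereas the replaced `module.params` values were text, so confirm the module's JSON return path accepts bytes or decode them before placing them in `result`. dump()'s signature and the start of the result dict lie outside the hunk.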
@@ -16,6 +16,13 @@
 - cert_modulus.stdout == privatekey_modulus.stdout
 - cert_version.stdout == '3'
+- name: Validate certificate idempotence
+ assert:
+ that:
+ - selfsigned_certificate.serial_number == selfsigned_certificate_idempotence.serial_number
+ - selfsigned_certificate.notBefore == selfsigned_certificate_idempotence.notBefore
+ - selfsigned_certificate.notAfter == selfsigned_certificate_idempotence.notAfter
+
 - name: Validate certificate v2 (test - certificate version == 2)
 shell: 'openssl x509 -noout -in {{ output_dir}}/cert_v2.pem -text | grep "Version" | sed "s/.*: \(.*\) .*/\1/g"'
 register: cert_v2_version
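Review bot: The new "Validate certificate idempotence" assert compares only the `serial_number`, `notBefore` and `notAfter` returned by the two runs and never checks the `changed` flag, so it proves the second run read the same certificate back but not that the module reported no change, which is the property the task name promises; a second run that wrongly reported `changed: true` while leaving the file alone would still pass. Adding `- selfsigned_certificate.changed` and `- not selfsigned_certificate_idempotence.changed` to the `that:` list pins both halves of the contract. Because the serial is randomly generated, the serial equality is the strongest of the three comparisons, so keep it first when the list grows.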