Allowing to force account URI. (#44282)

Felix Fontein 6 years ago committed by René Moser
parent 6caf0e8149
commit cfba02bc3b

@ -514,7 +514,9 @@ class ACMEAccount(object):
self.key_content = module.params['account_key_content'] self.key_content = module.params['account_key_content']
self.directory = ACMEDirectory(module) self.directory = ACMEDirectory(module)
self.uri = None # Grab account URI from module parameters.
# Make sure empty string is treated as None.
self.uri = module.params.get('account_uri') or None
self._openssl_bin = module.get_bin_path('openssl', True) self._openssl_bin = module.get_bin_path('openssl', True)
@ -527,6 +529,9 @@ class ACMEAccount(object):
"alg": self.key_data['alg'], "alg": self.key_data['alg'],
"jwk": self.jwk, "jwk": self.jwk,
} }
if self.uri:
# Make sure self.jws_header is updated
self.set_account_uri(self.uri)
def get_keyauthorization(self, token): def get_keyauthorization(self, token):
''' '''
@ -709,6 +714,10 @@ class ACMEAccount(object):
changed = False changed = False
if self.uri is not None: if self.uri is not None:
new_account = False new_account = False
if not update_contact:
# Verify that the account key belongs to the URI.
# (If update_contact is True, this will be done below.)
self.get_account_data()
else: else:
new_account = self._new_reg( new_account = self._new_reg(
contact, contact,
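Review bot: The return value of `self.get_account_data()` in the new `if not update_contact:` branch is discarded, so the guarantee given in the option docs (wrong key or unknown URI makes the module fail) only holds if `get_account_data()` itself fails the module on a mismatch; if it returns `None` for a missing or foreign account, execution continues with `new_account = False` and the caller-supplied URI as `kid`. I would make the outcome explicit at the call site, e.g. `if self.get_account_data() is None:` followed by the failure path this file already uses, with a message naming the URI and that the key does not own it. The `update_contact` branch that the comment says performs the same check, and the method this hunk sits in, both lie outside the hunk, so I cannot confirm the other path fails rather than silently updating. The integration test for a wrong URI only asserts `is failed`, so it would not distinguish these cases.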

@ -127,6 +127,7 @@ def main():
argument_spec=dict( argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']), account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True), account_key_content=dict(type='str', no_log=True),
account_uri=dict(required=False, type='str'),
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'), acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'), acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
validate_certs=dict(required=False, default=True, type='bool'), validate_certs=dict(required=False, default=True, type='bool'),

@ -869,6 +869,7 @@ def main():
argument_spec=dict( argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']), account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True), account_key_content=dict(type='str', no_log=True),
account_uri=dict(required=False, type='str'),
modify_account=dict(required=False, type='bool', default=True), modify_account=dict(required=False, type='bool', default=True),
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'), acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'), acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),

@ -95,6 +95,7 @@ def main():
argument_spec=dict( argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']), account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True), account_key_content=dict(type='str', no_log=True),
account_uri=dict(required=False, type='str'),
acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'), acme_directory=dict(required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'),
acme_version=dict(required=False, default=1, choices=[1, 2], type='int'), acme_version=dict(required=False, default=1, choices=[1, 2], type='int'),
validate_certs=dict(required=False, default=True, type='bool'), validate_certs=dict(required=False, default=True, type='bool'),
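Review bot: `account_uri=dict(required=False, type='str')` accepts any string, yet the shared `ACMEAccount` constructor immediately passes it to `set_account_uri`, so it becomes both the `kid` and the POST target for requests signed with the account key. A cheap sanity check, rejecting values that do not start with `https://` (or, stricter, whose host differs from `acme_directory`), would catch typos and copy-paste mistakes before a signed request is sent to the wrong place. Since the identical spec line is added to three modules here, that check belongs once in the `ACMEAccount` constructor next to the empty-string handling rather than in each `argument_spec`, and the option description should state it.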

@ -46,6 +46,12 @@ options:
Ansible in the process of moving the module with its argument to Ansible in the process of moving the module with its argument to
the node where it is executed." the node where it is executed."
version_added: "2.5" version_added: "2.5"
account_uri:
description:
- "If specified, assumes that the account URI is as given. If the
account key does not match this account, or an account with this
URI does not exist, the module fails."
version_added: "2.7"
acme_version: acme_version:
description: description:
- "The ACME version of the endpoint." - "The ACME version of the endpoint."

@ -47,6 +47,7 @@
acme_account: acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ output_dir }}/accountkey.pem" account_key_src: "{{ output_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri }}"
acme_version: 2 acme_version: 2
acme_directory: https://{{ acme_host }}:14000/dir acme_directory: https://{{ acme_host }}:14000/dir
validate_certs: no validate_certs: no
@ -56,6 +57,19 @@
- mailto:example@example.com - mailto:example@example.com
register: account_modified_idempotent register: account_modified_idempotent
- name: Cannot access account with wrong URI
acme_account:
select_crypto_backend: "{{ select_crypto_backend }}"
account_key_src: "{{ output_dir }}/accountkey.pem"
account_uri: "{{ account_created.account_uri ~ '12345thisdoesnotexist' }}"
acme_version: 2
acme_directory: https://{{ acme_host }}:14000/dir
validate_certs: no
state: present
contact: []
ignore_errors: yes
register: account_modified_wrong_uri
- name: Clear contact email addresses - name: Clear contact email addresses
acme_account: acme_account:
select_crypto_backend: "{{ select_crypto_backend }}" select_crypto_backend: "{{ select_crypto_backend }}"
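Review bot: The negative test `Cannot access account with wrong URI` only covers a URI that does not exist; the security-relevant case in the option docs, a valid URI used with an account key that does not own it, is not exercised, and that is the path where a silent pass-through would go unnoticed. I would add a second task that uses the real `account_created.account_uri` with a different account key and register it, then assert `is failed` alongside the existing `account_modified_wrong_uri` assertion. The second key has to be generated in the setup tasks, which are not part of this diff; the path below is a placeholder for whatever name that setup uses.

```yaml
- name: Cannot access account with an account key that does not own the URI
  acme_account:
    select_crypto_backend: "{{ select_crypto_backend }}"
    # placeholder: a second key generated in the setup tasks (not in this diff)
    account_key_src: "{{ output_dir }}/accountkey2.pem"
    account_uri: "{{ account_created.account_uri }}"
    acme_version: 2
    acme_directory: https://{{ acme_host }}:14000/dir
    validate_certs: no
    state: present
    contact: []
  ignore_errors: yes
  register: account_modified_wrong_key
```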

@ -22,6 +22,11 @@
- account_modified_idempotent is not changed - account_modified_idempotent is not changed
- account_modified_idempotent.account_uri is not none - account_modified_idempotent.account_uri is not none
- name: Make sure that with the wrong account URI, the account cannot be changed
assert:
that:
- account_modified_wrong_uri is failed
- name: Validate that email address was cleared - name: Validate that email address was cleared
assert: assert:
that: that:

@ -103,6 +103,7 @@
acme_directory: https://{{ acme_host }}:14000/dir acme_directory: https://{{ acme_host }}:14000/dir
validate_certs: no validate_certs: no
account_key: "{{ output_dir }}/{{ account_key }}.pem" account_key: "{{ output_dir }}/{{ account_key }}.pem"
account_uri: "{{ challenge_data.account_uri }}"
modify_account: "{{ modify_account }}" modify_account: "{{ modify_account }}"
csr: "{{ output_dir }}/{{ certificate_name }}.csr" csr: "{{ output_dir }}/{{ certificate_name }}.csr"
dest: "{{ output_dir }}/{{ certificate_name }}.pem" dest: "{{ output_dir }}/{{ certificate_name }}.pem"
@ -123,6 +124,7 @@
acme_directory: https://{{ acme_host }}:14000/dir acme_directory: https://{{ acme_host }}:14000/dir
validate_certs: no validate_certs: no
account_key_content: "{{ account_key_content }}" account_key_content: "{{ account_key_content }}"
account_uri: "{{ challenge_data.account_uri }}"
modify_account: "{{ modify_account }}" modify_account: "{{ modify_account }}"
csr: "{{ output_dir }}/{{ certificate_name }}.csr" csr: "{{ output_dir }}/{{ certificate_name }}.csr"
dest: "{{ output_dir }}/{{ certificate_name }}.pem" dest: "{{ output_dir }}/{{ certificate_name }}.pem"
