Commit Graph

7 Commits (affbab8e3f6038297346c30f83dddd6f3e334eab)

Author SHA1 Message Date
John R Barker 4f0389ad4e
Backport/2.5/38386 (#38462)
* openssl_certificate: Handle dump() in check_mode (#38386)

Currently, when ones run the module in check_mode it tries to retrieve
values from the actual certificate generated in the generate() function.

Since in check_mode we call dump() without calling generate(), self.cert
is None, leading to self.cert.get_notBefore(), self.cert.get_notAfter()
and self.cert.get_serial_number() raising an error.

>  NoneType' object has no attribute 'get_notBefore'

The solution is to have two way to handle dump() method, whether its run
in check_mode=True or check_mode=False leading to different way the
information is retrieved.
(cherry picked from commit 99497ce54c)
7 years ago
Yanis Guenane a724b8e722 openssl_certificate: Return self.cert.get_VALUES() (#33970)
Currently when we make up the return value, we take values based of the
parameters rather than the generated openssl_certificate itself.

This commits returns the actual certificate values making it all time
accurate.
7 years ago
MarkusTeufelberger 9ea1b18ff7 Allow multiple values per key in name fields in openssl_certificate/csr (#30338)
* allow multiple values per key in name fields in openssl_certificate

* check correct side of comparison

* trigger only on lists

* add subject parameter to openssl_csr

* fix key: value mapping not skipping None elements

* temporary fix for undefined "subject" field

* fix iteration over subject entries

* fix docs

* quote sample string

* allow csr with only subject defined

* fix integration test

* look up NIDs before comparing, add hidden _strict params

* deal with empty issuer/subject fields

* adapt integration tests

* also normalize output from pyopenssl

* fix issue with _sanitize_inputs

* don't convert empty lists

* workaround for pyopenssl limitations

* properly encode the input to the txt2nid function

* another to_bytes fix

* make subject, commonname and subjecAltName completely optional

* don't compare hashes of keys in openssl_csr integration tests

* add integration test for old API in openssl_csr

* compare keys directly in certificate and publickey integration tests

* fix typo
7 years ago
Matt Martz 4fe08441be Deprecate tests used as filters (#32361)
* Warn on tests used as filters

* Update docs, add aliases for tests that fit more gramatically with test syntax

* Fix rst formatting

* Add successful filter, alias of success

* Remove renamed_deprecation, it was overkill

* Make directory alias for is_dir

* Update tests to use proper jinja test syntax

* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax

* Add conversion script, porting guide updates, and changelog updates

* Update newly added uses of tests as filters

* No underscore variable

* Convert recent tests as filter changes to win_stat

* Fix some changes related to rebasing a few integration tests

* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name

* Add test for tests_as_filters_warning

* Update tests as filters in newly added/modified tests

* Address recent changes to several integration tests

* Address recent changes in cs_vpc
7 years ago
Yanis Guenane 0648e339a7 openssl: remove static dict for keyUsage (#30339)
keyUsage and extendedKeyUsage are currently statically limited via a
static dict defined in modules_utils/crypto.py. If one specify a value
that isn't in there, idempotency won't work.

Instead of having static dict, we uses keyUsage and extendedKyeUsage
values OpenSSL NID and compare those rather than comparing strings.

Fixes: https://github.com/ansible/ansible/issues/30316
7 years ago
Yanis Guenane 3e4a306a42 openssl_certificate: Correctly set the version (#30314)
Current openssl_certificate is mistakenly taking its derivating its
version number from the csr version number.

Thos two fields are completly unrelated and hence the version number of
the certificate should be able to be directly specified (via
selfsigned_version parameter).
7 years ago
MarkusTeufelberger 2186b04934 Add simple integration test for openssl_certificate (#29038)
* openssl_certificate: Fix parameter assertion in Python3

Parameter assertion in Python3 is broken. pyOpenSSL get_X() functions
returns b'' type string and tries to compare it with '' string, leading
to failure.

The error mentionned above has been fixed by sanitizing the inputs from
a user to the assert only backend.

Also, this error was hidden by the fact that the improper check method
was called in the generate() functions.

* Add simple integration test for openssl_certificate

* remove subject == issuer assertion

* run integration tests only on supported hosts

* change min supported version to 0.15.x

* Add test for more CSR fields

* also convert dict members to bytes

* fix version_compare

* openssl_{csr, certificate}: Fail if pyOpenSSL <= 0.15

Previous 0.13 pyOpenSSL was a C-binding, and required the parameter
passed to add_extention to be in ASN.1. This has changed with the move
to 0.14 and it is now all pythong and string based.

Previous the 0.15 release, the `get_extensions()` method didn't exist,
since the modules rely heavily on it we ensure pyOpenSSL version is at
last 0.15.0.

* check pyopenssl version in openssl_csr integration test
7 years ago