Backport/2.5/38386 (#38462)

* openssl_certificate: Handle dump() in check_mode (#38386)

Currently, when ones run the module in check_mode it tries to retrieve
values from the actual certificate generated in the generate() function.

Since in check_mode we call dump() without calling generate(), self.cert
is None, leading to self.cert.get_notBefore(), self.cert.get_notAfter()
and self.cert.get_serial_number() raising an error.

>  NoneType' object has no attribute 'get_notBefore'

The solution is to have two ways of handling the dump() method, depending on
whether it is run with check_mode=True or check_mode=False, which leads to
different ways of retrieving the information.
(cherry picked from commit 99497ce54c)
John R Barker 2018-04-09 09:49:09 +01:00 committed by GitHub
parent 57931804ed
commit 4f0389ad4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 10 deletions


@ -0,0 +1,2 @@
bugfixes:
- openssl_certificate - Handle dump() in check_mode https://github.com/ansible/ansible/pull/38386


@ -423,6 +423,7 @@ class SelfSignedCertificate(Certificate):
self.notAfter = module.params['selfsigned_notAfter']
self.digest = module.params['selfsigned_digest']
self.version = module.params['selfsigned_version']
self.serial_number = randint(1000, 99999)
self.csr = crypto_utils.load_certificate_request(self.csr_path)
self.privatekey = crypto_utils.load_privatekey(
self.privatekey_path, self.privatekey_passphrase
@ -442,7 +443,7 @@ class SelfSignedCertificate(Certificate):
if not self.check(module, perms_required=False) or self.force:
cert = crypto.X509()
cert.set_serial_number(randint(1000, 99999))
cert.set_serial_number(self.serial_number)
if self.notBefore:
cert.set_notBefore(self.notBefore)
else:
@ -474,18 +475,30 @@ class SelfSignedCertificate(Certificate):
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def dump(self):
def dump(self, check_mode=False):
result = {
'changed': self.changed,
'filename': self.path,
'privatekey': self.privatekey_path,
'csr': self.csr_path,
'notBefore': self.cert.get_notBefore(),
'notAfter': self.cert.get_notAfter(),
'serial_number': self.cert.get_serial_number(),
'csr': self.csr_path
}
if check_mode:
now = datetime.datetime.utcnow()
ten = now.replace(now.year + 10)
result.update({
'notBefore': self.notBefore if self.notBefore else now.strftime("%Y%m%d%H%M%SZ"),
'notAfter': self.notAfter if self.notAfter else ten.strftime("%Y%m%d%H%M%SZ"),
'serial_number': self.serial_number,
})
else:
result.update({
'notBefore': self.cert.get_notBefore(),
'notAfter': self.cert.get_notAfter(),
'serial_number': self.cert.get_serial_number(),
})
return result
@ -708,7 +721,7 @@ class AssertOnlyCertificate(Certificate):
return parent_check and assertonly_check
def dump(self):
def dump(self, check_mode=False):
result = {
'changed': self.changed,
@ -773,7 +786,7 @@ class AcmeCertificate(Certificate):
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def dump(self):
def dump(self, check_mode=False):
result = {
'changed': self.changed,
@ -859,7 +872,7 @@ def main():
if module.params['state'] == 'present':
if module.check_mode:
result = certificate.dump()
result = certificate.dump(check_mode=True)
result['changed'] = module.params['force'] or not certificate.check(module)
module.exit_json(**result)
@ -870,7 +883,7 @@ def main():
else:
if module.check_mode:
result = certificate.dump()
result = certificate.dump(check_mode=True)
result['changed'] = os.path.exists(module.params['path'])
module.exit_json(**result)
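Review bot: In the check_mode branch of SelfSignedCertificate.dump(), `ten = now.replace(now.year + 10)` raises ValueError when the play runs on 29 February, because the year ten years on is never a leap year, so check mode can still fail on that date. `ten = now + datetime.timedelta(days=3650)` avoids this, though the reported value should mirror whatever default generate() applies, which lies outside this hunk. Separately, `self.serial_number = randint(1000, 99999)` leaves fewer than 17 bits of serial space, apparently drawn from the non-cryptographic `random` module, so two certificates for the same subject can end up sharing issuer and serial. A 64-bit value from the OS CSPRNG (for example `SystemRandom().getrandbits(64)` from the `random` module; the import line is not visible here) would be a safer default.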


@ -28,6 +28,15 @@
selfsigned_digest: sha256
register: selfsigned_certificate_idempotence
- name: Generate selfsigned certificate (check mode)
openssl_certificate:
path: '{{ output_dir }}/cert.pem'
csr_path: '{{ output_dir }}/csr.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
check_mode: yes
- name: Check selfsigned certificate
openssl_certificate:
path: '{{ output_dir }}/cert.pem'