openssl_certificate: fix state=absent (#54298)

* Fix state=absent.

* Add changelog.
Felix Fontein 2019-03-25 13:07:28 +01:00 committed by Martin Krizek
parent afca42bc6d
commit 534c833bb3
2 changed files with 78 additions and 59 deletions


@ -0,0 +1,2 @@
bugfixes:
- "openssl_certificate - fix ``state=absent``."


@ -691,6 +691,18 @@ class Certificate(crypto_utils.OpenSSLObject):
return True return True
def dump(self, check_mode=False):
# Use only for absent
result = {
'changed': self.changed,
'filename': self.path,
'privatekey': self.privatekey_path,
'csr': self.csr_path
}
return result
class SelfSignedCertificateCryptography(Certificate): class SelfSignedCertificateCryptography(Certificate):
"""Generate the self-signed certificate, using the cryptography backend""" """Generate the self-signed certificate, using the cryptography backend"""
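Review bot: The new `dump()` on the base class carries only the bare comment `# Use only for absent`, yet it is a method every subclass inherits, so it deserves a docstring stating the contract, e.g. `"""Return the minimal result for state=absent (changed, filename, privatekey, csr); check_mode is accepted only to match the subclass signatures and is ignored."""`. Because it is inherited, a subclass that happens not to override `dump` would silently return this stripped-down result for `state=present` instead of failing; if that is not intended, say so in the docstring or make the base method reject the present-state call. The enclosing `Certificate` class starts before this hunk, so whether every concrete subclass overrides `dump` cannot be confirmed from here.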
@ -1841,72 +1853,77 @@ def main():
add_file_common_args=True, add_file_common_args=True,
) )
if module.params['provider'] != 'assertonly' and module.params['csr_path'] is None: if module.params['state'] == 'absent':
module.fail_json(msg='csr_path is required when provider is not assertonly') # backend doesn't matter
certificate = Certificate(module, 'cryptography')
base_dir = os.path.dirname(module.params['path']) or '.' else:
if not os.path.isdir(base_dir): if module.params['provider'] != 'assertonly' and module.params['csr_path'] is None:
module.fail_json( module.fail_json(msg='csr_path is required when provider is not assertonly')
name=base_dir,
msg='The directory %s does not exist or the file is not a directory' % base_dir
)
provider = module.params['provider'] base_dir = os.path.dirname(module.params['path']) or '.'
if not os.path.isdir(base_dir):
module.fail_json(
name=base_dir,
msg='The directory %s does not exist or the file is not a directory' % base_dir
)
backend = module.params['select_crypto_backend'] provider = module.params['provider']
if backend == 'auto':
# Detect what backend we can use
can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
# If cryptography is available we'll use it backend = module.params['select_crypto_backend']
if can_use_cryptography:
backend = 'cryptography'
elif can_use_pyopenssl:
backend = 'pyopenssl'
if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
module.warn('crypto backend forced to pyopenssl. The cryptography library does not support v2 certificates')
backend = 'pyopenssl'
# Fail if no backend has been found
if backend == 'auto': if backend == 'auto':
module.fail_json(msg=("Can't detect none of the required Python libraries " # Detect what backend we can use
"cryptography (>= {0}) or PyOpenSSL (>= {1})").format( can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
MINIMAL_CRYPTOGRAPHY_VERSION, can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
MINIMAL_PYOPENSSL_VERSION))
if backend == 'pyopenssl': # If cryptography is available we'll use it
if not PYOPENSSL_FOUND: if can_use_cryptography:
module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR) backend = 'cryptography'
if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']: elif can_use_pyopenssl:
try: backend = 'pyopenssl'
getattr(crypto.X509Req, 'get_extensions')
except AttributeError:
module.fail_json(msg='You need to have PyOpenSSL>=0.15')
if provider == 'selfsigned': if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
certificate = SelfSignedCertificate(module) module.warn('crypto backend forced to pyopenssl. The cryptography library does not support v2 certificates')
elif provider == 'acme': backend = 'pyopenssl'
certificate = AcmeCertificate(module, 'pyopenssl')
elif provider == 'ownca': # Fail if no backend has been found
certificate = OwnCACertificate(module) if backend == 'auto':
else: module.fail_json(msg=("Can't detect none of the required Python libraries "
certificate = AssertOnlyCertificate(module) "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
elif backend == 'cryptography': MINIMAL_CRYPTOGRAPHY_VERSION,
if not CRYPTOGRAPHY_FOUND: MINIMAL_PYOPENSSL_VERSION))
module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2: if backend == 'pyopenssl':
module.fail_json(msg='The cryptography backend does not support v2 certificates, ' if not PYOPENSSL_FOUND:
'use select_crypto_backend=pyopenssl for v2 certificates') module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
if provider == 'selfsigned': if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']:
certificate = SelfSignedCertificateCryptography(module) try:
elif provider == 'acme': getattr(crypto.X509Req, 'get_extensions')
certificate = AcmeCertificate(module, 'cryptography') except AttributeError:
elif provider == 'ownca': module.fail_json(msg='You need to have PyOpenSSL>=0.15')
certificate = OwnCACertificateCryptography(module)
else: if provider == 'selfsigned':
certificate = AssertOnlyCertificateCryptography(module) certificate = SelfSignedCertificate(module)
elif provider == 'acme':
certificate = AcmeCertificate(module, 'pyopenssl')
elif provider == 'ownca':
certificate = OwnCACertificate(module)
else:
certificate = AssertOnlyCertificate(module)
elif backend == 'cryptography':
if not CRYPTOGRAPHY_FOUND:
module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
module.fail_json(msg='The cryptography backend does not support v2 certificates, '
'use select_crypto_backend=pyopenssl for v2 certificates')
if provider == 'selfsigned':
certificate = SelfSignedCertificateCryptography(module)
elif provider == 'acme':
certificate = AcmeCertificate(module, 'cryptography')
elif provider == 'ownca':
certificate = OwnCACertificateCryptography(module)
else:
certificate = AssertOnlyCertificateCryptography(module)
if module.params['state'] == 'present': if module.params['state'] == 'present':
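Review bot: The `state == 'absent'` branch hard-codes `Certificate(module, 'cryptography')` under the comment `# backend doesn't matter`, but nothing in this hunk shows that `Certificate.__init__` (defined outside the hunk) ignores the backend; if the constructor imports or probes the cryptography library to load the key or existing certificate, a host that only has pyOpenSSL installed would now fail on a plain removal. If the constructor really is backend-agnostic, the comment should say why, e.g. `# state=absent only calls remove(); the backend argument is never consulted`; otherwise pick an installed one, e.g. `backend = 'cryptography' if CRYPTOGRAPHY_FOUND else 'pyopenssl'`. The branch also deliberately bypasses the `csr_path` and `base_dir` validation, which is correct for deletion but worth a one-line comment so the next reader does not reintroduce it. `main()` begins before this hunk and continues past it.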