java_cert role pkcs12 import (#24616)

* java_cert pkcs12 import

* documentation and formatting

* update examples

* update examples #2

* integration tests

* integration tests #2

* added aliases.txt

* renamed aliases

* bugfix

* empty it aliases
This commit is contained in:
tmarlok88 2017-08-22 09:45:30 +02:00 committed by Dag Wieers
parent 6d015294c2
commit 982e322287
5 changed files with 144 additions and 27 deletions


@ -34,6 +34,20 @@ options:
cert_alias: cert_alias:
description: description:
- Imported certificate alias. - Imported certificate alias.
pkcs12_path:
description:
- Local path to load PKCS12 keystore from.
version_added: "2.4"
pkcs12_password:
description:
- Password for importing from PKCS12 keystore.
default: ''
version_added: "2.4"
pkcs12_alias:
description:
- Alias in the PKCS12 keystore.
default: 1
version_added: "2.4"
keystore_path: keystore_path:
description: description:
- Path to keystore. - Path to keystore.
@ -58,30 +72,38 @@ author: Adam Hamsik @haad
''' '''
EXAMPLES = ''' EXAMPLES = '''
# Import SSL certificate from google.com to a given cacerts keystore - name: Import SSL certificate from google.com to a given cacerts keystore
java_cert: java_cert:
cert_url: google.com cert_url: google.com
cert_port: 443 cert_port: 443
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit keystore_pass: changeit
state: present state: present
# Remove certificate with given alias from a keystore - name: Remove certificate with given alias from a keystore
java_cert: java_cert:
cert_url: google.com cert_url: google.com
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit keystore_pass: changeit
executable: /usr/lib/jvm/jre7/bin/keytool executable: /usr/lib/jvm/jre7/bin/keytool
state: absent state: absent
# Import SSL certificate from google.com to a keystore, - name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
# create it if it doesn't exist java_cert:
java_cert: cert_url: google.com
cert_url: google.com keystore_path: /tmp/cacerts
keystore_path: /tmp/cacerts keystore_pass: changeit
keystore_pass: changeit keystore_create: yes
keystore_create: yes state: present
state: present
- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
java_cert:
pkcs12_path: "/tmp/importkeystore.p12"
cert_alias: default
keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
keystore_pass: changeit
keystore_create: yes
state: present
''' '''
RETURN = ''' RETURN = '''
@ -170,6 +192,30 @@ def import_cert_path(module, executable, path, keystore_path, keystore_pass, ali
else: else:
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd) return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
def import_pkcs12_path(module, executable, path, keystore_path, keystore_pass, pkcs12_pass, pkcs12_alias, alias):
''' Import pkcs12 from path into keystore located on
keystore_path as alias '''
import_cmd = ("%s -importkeystore -noprompt -destkeystore '%s' -srcstoretype PKCS12 "
"-deststorepass '%s' -destkeypass '%s' -srckeystore '%s' -srcstorepass '%s' "
"-srcalias '%s' -destalias '%s'") % (executable, keystore_path, keystore_pass,
keystore_pass, path, pkcs12_pass, pkcs12_alias, alias)
if module.check_mode:
module.exit_json(changed=True)
# Use local certificate from local path and import it to a java keystore
(import_rc, import_out, import_err) = module.run_command(import_cmd,
check_rc=False)
diff = {'before': '\n', 'after': '%s\n'%alias}
if import_rc == 0:
return module.exit_json(changed=True, msg=import_out,
rc=import_rc, cmd=import_cmd, stdout=import_out,
error=import_err, diff=diff)
else:
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
def delete_cert(module, executable, keystore_path, keystore_pass, alias): def delete_cert(module, executable, keystore_path, keystore_pass, alias):
''' Delete certificate identified with alias from keystore on keystore_path ''' ''' Delete certificate identified with alias from keystore on keystore_path '''
del_cmd = ("%s -delete -keystore '%s' -storepass '%s' " del_cmd = ("%s -delete -keystore '%s' -storepass '%s' "
@ -202,15 +248,18 @@ def test_keystore(module, keystore_path):
## Keystore doesn't exist we want to create it ## Keystore doesn't exist we want to create it
return module.fail_json(changed=False, return module.fail_json(changed=False,
msg="Module require existing keystore at keystore_path '%s'" msg="Module require existing keystore at keystore_path '%s'"
%(keystore_path)) % (keystore_path))
def main(): def main():
argument_spec = dict( argument_spec = dict(
cert_url=dict(type='str'), cert_url=dict(type='str'),
cert_path=dict(type='str'), cert_path=dict(type='path'),
pkcs12_path=dict(type='path'),
pkcs12_password=dict(type='str', no_log=True),
pkcs12_alias=dict(type='str'),
cert_alias=dict(type='str'), cert_alias=dict(type='str'),
cert_port=dict(default='443', type='int'), cert_port=dict(default='443', type='int'),
keystore_path=dict(type='str'), keystore_path=dict(type='path'),
keystore_pass=dict(required=True, type='str', no_log=True), keystore_pass=dict(required=True, type='str', no_log=True),
keystore_create=dict(default=False, type='bool'), keystore_create=dict(default=False, type='bool'),
executable=dict(default='keytool', type='str'), executable=dict(default='keytool', type='str'),
@ -220,10 +269,10 @@ def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec=argument_spec, argument_spec=argument_spec,
required_one_of=[['cert_path', 'cert_url']], required_one_of=[['cert_path', 'cert_url', 'pkcs12_path']],
required_together=[['keystore_path', 'keystore_pass']], required_together=[['keystore_path', 'keystore_pass']],
mutually_exclusive=[ mutually_exclusive=[
['cert_url', 'cert_path'] ['cert_url', 'cert_path', 'pkcs12_path']
], ],
supports_check_mode=True, supports_check_mode=True,
) )
@ -231,6 +280,11 @@ def main():
url = module.params.get('cert_url') url = module.params.get('cert_url')
path = module.params.get('cert_path') path = module.params.get('cert_path')
port = module.params.get('cert_port') port = module.params.get('cert_port')
pkcs12_path = module.params.get('pkcs12_path')
pkcs12_pass = module.params.get('pkcs12_password', '')
pkcs12_alias = module.params.get('pkcs12_alias', '1')
cert_alias = module.params.get('cert_alias') or url cert_alias = module.params.get('cert_alias') or url
keystore_path = module.params.get('keystore_path') keystore_path = module.params.get('keystore_path')
@ -258,6 +312,10 @@ def main():
elif state == 'present': elif state == 'present':
if not cert_present: if not cert_present:
if pkcs12_path:
import_pkcs12_path(module, executable, pkcs12_path, keystore_path,
keystore_pass, pkcs12_pass, pkcs12_alias, cert_alias)
if path: if path:
import_cert_path(module, executable, path, keystore_path, import_cert_path(module, executable, path, keystore_path,
keystore_pass, cert_alias) keystore_pass, cert_alias)
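Review bot: The new pkcs12_password and pkcs12_alias entries in argument_spec carry no default, while DOCUMENTATION advertises '' and 1; as far as I recall AnsibleModule populates every declared key in module.params (None when the option is omitted), so the fallbacks in `module.params.get('pkcs12_password', '')` and `module.params.get('pkcs12_alias', '1')` never apply and an omitted option reaches keytool as the literal string 'None' through the `'%s'` formatting in import_pkcs12_path. Declaring the defaults in the spec fixes both: `pkcs12_password=dict(type='str', default='', no_log=True),` and `pkcs12_alias=dict(type='str', default='1'),`, after which the two .get() fallbacks can become plain lookups. Separately, import_pkcs12_path interpolates both store passwords into a single-quoted command string; a value containing a `'` breaks the shlex splitting run_command applies to string commands, and the secrets end up on the keytool argv, which is typically readable by other local users via the process list. Passing an argv list to run_command avoids the quoting problem, and keytool's `-srcstorepass:env`/`-deststorepass:env` forms with the value supplied through run_command's environ_update keep the passwords off the command line; the same pattern predates this commit in import_cert_path and delete_cert, so it may be worth a follow-up for all three.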


@ -0,0 +1,3 @@
---
test_pkcs12_path: testpkcs.p12
test_keystore_path: keystore.jks



@ -0,0 +1,56 @@
---
- name: prep pkcs12 file
copy: src="{{ test_pkcs12_path }}" dest="{{output_dir}}/{{ test_pkcs12_path }}"
- name: import pkcs12
local_action:
module: java_cert
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
pkcs12_password: changeit
pkcs12_alias: default
cert_alias: default
keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
keystore_pass: changeme_keystore
keystore_create: yes
state: present
register: result_success
- name: verify success
assert:
that:
- result_success|success
- name: import pkcs12 with wrong password
local_action:
module: java_cert
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
pkcs12_password: wrong_pass
pkcs12_alias: default
cert_alias: default_new
keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
keystore_pass: changeme_keystore
keystore_create: yes
state: present
ignore_errors: true
register: result_wrong_pass
- name: verify fail with wrong import password
assert:
that:
- result_wrong_pass|failed
- name: test fail on mutually exclusive params
local_action:
module: java_cert
cert_path: ca.crt
pkcs12_path: "{{output_dir}}/{{ test_pkcs12_path }}"
cert_alias: default
keystore_path: "{{output_dir}}/{{ test_keystore_path }}"
keystore_pass: changeme_keystore
keystore_create: yes
state: present
ignore_errors: true
register: result_excl_params
- name: verify failed exclusive params
assert:
that:
- result_excl_params|failed
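Review bot: The success check at `- result_success|success` only proves the module returned without error; it does not confirm the entry was written to the keystore, and no task covers a second run, even though import_pkcs12_path reports changed=True on every successful keytool call and the not-present guard in main() is what should make the rerun a no-op. Repeat the import task with identical parameters, register it as result_rerun and assert `- not result_rerun|changed`, and optionally add a keytool -list task against `{{output_dir}}/{{ test_keystore_path }}` whose output is asserted to contain the default alias.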