Merge pull request #23 from Venafi/release-fix

Release fix
Venafi · Nov 19, 2019 · 2e3a735 · 2e3a735
2 parents 29b038d + a4e23b4
commit 2e3a735
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 86 deletions.
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
@@ -294,7 +294,17 @@ def __init__(self, module):
         self.privatekey_filename = module.params['privatekey_path']
         self.certificate_filename = module.params['cert_path']
         self.privatekey_type = module.params['privatekey_type']
+        if module.params['privatekey_curve']:
+            if not module.params['privatekey_type']:
+                module.fail_json(
+                    msg="privatekey_type should be "
+                        "set if privatekey_curve configured")
         self.privatekey_curve = module.params['privatekey_curve']
+        if module.params['privatekey_size']:
+            if not module.params['privatekey_type']:
+                module.fail_json(
+                    msg="privatekey_type should be set if "
+                        "privatekey_size configured")
         self.privatekey_size = module.params['privatekey_size']
         self.privatekey_passphrase = module.params['privatekey_passphrase']
         self.privatekey_reuse = module.params['privatekey_reuse']
@@ -683,7 +693,8 @@ def main():
                 vcert.enroll()
             else:
                 module.exit_json(**change_dump)
-        vcert.enroll()
+        else:
+            vcert.enroll()
     elif module.params['force']:
         vcert.enroll()
     vcert.validate()

diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
@@ -10,12 +10,13 @@
 - name: Converge
   hosts: all
   vars:
+    tpp_alt_names: "email:e@venafi.com,IP:192.168.0.15,DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com"
+    cloud_alt_names: "DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com"
     certificate_common_name: "{{ ansible_fqdn }}-{{ cn }}.venafi.example.com"
-    certificate_alt_name: "IP:192.168.0.15,DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com"
+    certificate_alt_name: "{{ cloud_alt_names if venafi.token is defined else tpp_alt_names }}"
     certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}"
     certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
     certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
-    certificate_privatekey_size: "4096"
     certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
     certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr"
 
@@ -42,13 +43,13 @@
 
     - name: "Verify Venafi certificate on remote host"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"
@@ -62,13 +63,13 @@
 
     - name: "Example verification which will always fail with debug message"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"
@@ -87,13 +88,13 @@
 
     - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"

diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
-vcert>=0.6.8
+git+https://github.com/Venafi/vcert-python.git@fix-tpp-zone-configuration-parser
 ansible
 cryptography
diff --git a/tasks/local-certificate.yml b/tasks/local-certificate.yml
@@ -12,17 +12,19 @@
 - name: "Enroll Venafi certificate on local host"
   local_action:
     module: venafi_certificate
-    url: "{{ venafi.url if venafi.url is defined else None }}"
-    token: "{{ venafi.token if venafi.token is defined else None }}"
-    zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+    url: "{{ venafi.url | default(omit) }}"
+    token: "{{ venafi.token | default(omit) }}"
+    zone: "{{ venafi.zone | default(omit) }}"
     test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-    user: "{{ venafi.user if venafi.user is defined else None }}"
-    password: "{{ venafi.password if venafi.password is defined else None }}"
-    trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+    user: "{{ venafi.user | default(omit) }}"
+    password: "{{ venafi.password | default(omit) }}"
+    trust_bundle: "{{ venafi.trust_bundle  | default(omit) }}"
     cert_path: "{{ certificate_cert_path }}"
-    chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
-    privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
-    privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 4096 }}"
+    chain_path: "{{ certificate_chain_path | default(omit) }}"
+    privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+    privatekey_type: "{{ certificate_privatekey_type | default(omit) }}"
+    privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
+    privatekey_curve: "{{ certificate_privatekey_curve | default(omit) }}"
     common_name: "{{ certificate_common_name }}"
     alt_name: "{{ certificate_alt_name | default([]) }}"
     before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else 72 }}"

diff --git a/tasks/remote-certificate.yml b/tasks/remote-certificate.yml
@@ -2,20 +2,21 @@
 ---
 - name: "Enroll Venafi certificate on remote host"
   venafi_certificate:
-    url: "{{ venafi.url if venafi.url is defined else None }}"
-    token: "{{ venafi.token if venafi.token is defined else None }}"
-    zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+    url: "{{ venafi.url | default(omit) }}"
+    token: "{{ venafi.token | default(omit) }}"
+    zone: "{{ venafi.zone | default(omit) }}"
     test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-    user: "{{ venafi.user if venafi.user is defined else None }}"
-    password: "{{ venafi.password if venafi.password is defined else None }}"
-    trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+    user: "{{ venafi.user | default(omit) }}"
+    password: "{{ venafi.password | default(omit) }}"
+    trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
     cert_path: "{{ certificate_cert_path }}"
-    chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
-    privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
-    privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else 2048 }}"
+    chain_path: "{{ certificate_chain_path | default(omit) }}"
+    privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+    privatekey_type: "{{ certificate_privatekey_type | default(omit) }}"
+    privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
     common_name: "{{ certificate_common_name }}"
     alt_name: "{{ certificate_alt_name | default([]) }}"
-    before_expired_hours: "{{ certificate_before_expired_hours if certificate_before_expired_hours is defined else None }}"
+    before_expired_hours: "{{ certificate_before_expired_hours | default(omit) }}"
     force: "{{ certificate_force if certificate_force is defined else false }}"
   register: certout
 - name: "dump test output"

diff --git a/tests/venafi-playbook-example.yml b/tests/venafi-playbook-example.yml
@@ -64,17 +64,17 @@
     - name: "Enroll Venafi certificate on local host"
       local_action:
         module: venafi_certificate
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_cert_path }}"
-        chain_path: "{{ certificate_chain_path if certificate_chain_path is defined else None }}"
-        privatekey_path: "{{ certificate_privatekey_path if certificate_privatekey_path is defined else None }}"
-        privatekey_size: "{{ certificate_privatekey_size if certificate_privatekey_size is defined else None }}"
+        chain_path: "{{ certificate_chain_path | default(omit) }}"
+        privatekey_path: "{{ certificate_privatekey_path | default(omit) }}"
+        privatekey_size: "{{ certificate_privatekey_size | default(omit) }}"
         common_name: "{{ certificate_common_name }}"
       register: certout
     - name: "Certificate is in following state:"
@@ -106,13 +106,13 @@
 
     - name: "Verify Venafi certificate on remote host"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"
@@ -126,13 +126,13 @@
 
     - name: "Example verification which will always fail with debug message"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"
@@ -151,13 +151,13 @@
 
     - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid"
       venafi_certificate:
-        url: "{{ venafi.url if venafi.url is defined else None }}"
-        token: "{{ venafi.token if venafi.token is defined else None }}"
-        zone: "{{ venafi.zone if venafi.zone is defined else None }}"
+        url: "{{ venafi.url | default(omit) }}"
+        token: "{{ venafi.token | default(omit) }}"
+        zone: "{{ venafi.zone | default(omit) }}"
         test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
-        user: "{{ venafi.user if venafi.user is defined else None }}"
-        password: "{{ venafi.password if venafi.password is defined else None }}"
-        trust_bundle: "{{ venafi.trust_bundle if venafi.trust_bundle is defined else None }}"
+        user: "{{ venafi.user | default(omit) }}"
+        password: "{{ venafi.password | default(omit) }}"
+        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
         cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path  is defined else certificate_cert_path }}"
         chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path else certificate_chain_path }}"
         privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path else certificate_privatekey_path }}"