Merge pull request #19 from Venafi/implement-renew

Implement renew
Venafi · Nov 15, 2019 · 628c79e · 628c79e
2 parents 05381f8 + 84c5d40
commit 628c79e
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,9 +4,7 @@ venv
 venv27
 .venv37
 venafi_certificate_*.json
-tpp_credentials.yml
-cloud_credentials.yml
-fake_credentials.yml
+*_credentials.yml
 credentials.yml
 vault-password.txt
 tests/library

diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
@@ -71,7 +71,7 @@
             taking action if the state is different from what is stated.
 
     renew:
-        default: False
+        default: True
         type: bool
         description:
             - Try to renew certificate if is existing but not valid.
@@ -442,7 +442,7 @@ def _check_and_update_permissions(self, path):
         if self.module.set_fs_attributes_if_different(file_args, False):
             self.changed = True
 
-    def _check_certificate_validity(self, cert):
+    def _check_certificate_validity(self, cert, validate):
         cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
         if cn != self.common_name:
             self.changed_message.append(
@@ -457,7 +457,11 @@ def _check_certificate_validity(self, cert):
                 'is less than before_expired_hours value %s'
                 % (cert.not_valid_after, self.before_expired_hours)
             )
-            return False
+            # Do not return false if we're just validating existing certificate
+            if validate:
+                return True
+            else:
+                return False
         if cert.not_valid_before - datetime.timedelta(
                 hours=24) > datetime.datetime.now():
             self.changed_message.append(
@@ -529,13 +533,15 @@ def _check_files_permissions(self):
     def _check_file_permissions(self, path, update=False):
         return True  # todo: write
 
-    def check(self):
+    def check(self,validate):
         """Return true if running will change anything"""
         result = {
+            'cert_file_exists': True,
             'changed': False,
         }
         if not os.path.exists(self.certificate_filename):
             result = {
+                'cert_file_exists': False,
                 'changed': True,
                 'changed_msg':
                 self.changed_message.append(STRING_CERT_FILE_NOT_EXISTS),
@@ -558,7 +564,7 @@ def check(self):
                 result['changed'] = True
                 self.changed_message.append(STRING_PKEY_NOT_MATCHED)
 
-            if not self._check_certificate_validity(cert):
+            if not self._check_certificate_validity(cert, validate):
                 result['changed'] = True
                 self.changed_message.append(
                     STRING_FAILED_TO_CHECK_CERT_VALIDITY)
@@ -576,7 +582,7 @@ def check(self):
 
     def validate(self):
         """Ensure the resource is in its desired state."""
-        result = self.check()
+        result = self.check(validate=True)
         if result['changed']:
             self.module.fail_json(
                 msg=result['changed_msg']
@@ -639,7 +645,8 @@ def main():
             csr_path=dict(type='path', require=False),
 
             # Role config
-            before_expired_hours=dict(type='int', required=False, default=72)
+            before_expired_hours=dict(type='int', required=False, default=72),
+            renew=dict(type='bool', required=False, default=True)
         ),
         supports_check_mode=True,
         add_file_common_args=True,
@@ -649,19 +656,27 @@ def main():
     if not HAS_CRYPTOGRAPHY:
         module.fail_json(msg='"cryptography" python library is required')
     vcert = VCertificate(module)
-    change_dump = vcert.check()
+    change_dump = vcert.check(validate=False)
     if module.check_mode:
         module.exit_json(**change_dump)
 
-    # TODO: make a following choice (make it after completing role @arykalin):
-    """
-    1. If certificate is present and renew is true validate it
-    2. If certificate not present renew it
-    3. If it present and renew is false just keep it.
-    """
     if not vcert.check_dirs_existed():
         module.fail_json(msg="Dirs not existed")
-    if change_dump['changed'] or module.params['force']:
+    if change_dump['changed']:
+        # TODO: Cover it by tests
+        """
+        make a following choice:
+        1. If certificate is present and renew is true validate it
+        2. If certificate not present renew it
+        3. If it present and renew is false just keep it.
+        """
+        if change_dump['cert_file_exists']:
+            if module.params['renew']:
+                vcert.enroll()
+            else:
+                module.exit_json(**change_dump)
+        vcert.enroll()
+    elif module.params['force']:
         vcert.enroll()
     vcert.validate()
     result = vcert.dump()

diff --git a/tests/jeremy-playbook.yml b/tests/jeremy-playbook.yml
@@ -0,0 +1,33 @@
+---
+- hosts: localhost
+  roles:
+    - role: ansible-role-venafi
+      #certificate_common_name: "{{ ansible_fqdn }}.jeremy-test.venafi.com"
+      certificate_common_name: "ansible-test.se.venafi.com"
+      certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"
+
+      certificate_alt_name: "IP:192.168.1.1,DNS:san-example.se.com"
+      #certificate_alt_name: "IP:192.168.1.1,DNS:www.venafi.example.com,DNS:m.venafi.example.com,email:e@venafi.com,email:e2@venafi.com,IP Address:192.168.2.2"
+
+      certificate_privatekey_type: "RSA"
+      certificate_privatekey_size: "2048"
+      #certificate_privatekey_curve: "P251"
+      #certificate_privatekey_passphrase: "password"
+      #certificate_chain_option: "last"
+      certificate_before_expired_hours: 72
+
+      #certificate_cert_dir: "/etc/ssl/{{ certificate_common_name }}"
+      certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
+      certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
+      certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
+      #certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr"
+
+      # Where to execute venafi_certificate module. If set to false, certificate will be
+      # created on Ansible master host and then copied to the remote server.
+      #certificate_remote_execution: false
+      # Remote location where to place the certificate.
+      #certificate_remote_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
+      #certificate_remote_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
+      #certificate_remote_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
+      # Set to false if you don't want to copy private key to remote location.
+      #certificate_copy_private_key_to_remote: true