diff --git a/.gitignore b/.gitignore
index 38d1f7e..98bcd04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,9 +4,7 @@ venv
venv27
.venv37
venafi_certificate_*.json
-tpp_credentials.yml
-cloud_credentials.yml
-fake_credentials.yml
+*_credentials.yml
credentials.yml
vault-password.txt
tests/library
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
index ac1b60e..8b30c24 100644
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
@@ -71,7 +71,7 @@ taking action if the state is different from what is stated.
renew:
- default: False
+ default: True
type: bool
description:
- Try to renew certificate if is existing but not valid.
@@ -442,7 +442,7 @@ def _check_and_update_permissions(self, path):
if self.module.set_fs_attributes_if_different(file_args, False):
self.changed = True
- def _check_certificate_validity(self, cert):
+ def _check_certificate_validity(self, cert, validate):
cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
if cn != self.common_name:
self.changed_message.append(
@@ -457,7 +457,11 @@ def _check_certificate_validity(self, cert):
'is less than before_expired_hours value %s' % (cert.not_valid_after, self.before_expired_hours)
)
- return False
+ # Do not return false if we're just validating existing certificate
+ if validate:
+ return True
+ else:
+ return False
if cert.not_valid_before - datetime.timedelta(
hours=24) > datetime.datetime.now():
self.changed_message.append(
@@ -529,13 +533,15 @@ def _check_files_permissions(self):
def _check_file_permissions(self, path, update=False):
return True # todo: write
- def check(self):
+ def check(self,validate):
"""Return true if running will change anything"""
result = {
+ 'cert_file_exists': True,
'changed': False,
}
if not os.path.exists(self.certificate_filename):
result = {
+ 'cert_file_exists': False,
'changed': True,
'changed_msg': self.changed_message.append(STRING_CERT_FILE_NOT_EXISTS),
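Review bot: The new `*_credentials.yml` pattern only matches the `.yml` spelling, so a `tpp_credentials.yaml` or `cloud_credentials.json` dropped next to the playbooks would still be staged, and this rule is the only thing in the hunk keeping TPP/Cloud API credentials out of the history. Add the sibling spelling alongside it, `*_credentials.yaml`, so the usual YAML variants are covered too.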
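Review bot: `validate` is added to `_check_certificate_validity` as a bare positional parameter with no default, so any caller this diff does not update (only the one in `check()` is visible here) now fails with a TypeError, and at the call site a bare `True`/`False` says nothing about what it switches. Give it a keyword default, `def _check_certificate_validity(self, cert, validate=False):`, and add a one-line docstring such as `"""Return True if cert matches the requested CN and validity window; with validate=True a certificate that is merely close to expiry is still accepted."""`. The method body continues past the end of this hunk.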
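Review bot: The new five-line `if validate: return True else: return False` at the end of this hunk is just `return validate`, and the near-expiry message built on the preceding context lines is still appended to `self.changed_message` before that early return, so a validation pass that returns True leaves a "less than before_expired_hours" message behind for whatever reports that list (its consumer is not in this diff). Replace the five lines with `# Near-expiry is a renewal trigger, not a validation failure.` / `return validate`, and put the append under a `not validate` guard so the message is only recorded when it actually drives a change. The enclosing method starts and ends outside the hunk.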
@@ -558,7 +564,7 @@ def check(self):
result['changed'] = True
self.changed_message.append(STRING_PKEY_NOT_MATCHED)
- if not self._check_certificate_validity(cert):
+ if not self._check_certificate_validity(cert, validate):
result['changed'] = True
self.changed_message.append(
STRING_FAILED_TO_CHECK_CERT_VALIDITY)
@@ -576,7 +582,7 @@ def check(self):
def validate(self):
"""Ensure the resource is in its desired state."""
- result = self.check()
+ result = self.check(validate=True)
if result['changed']:
self.module.fail_json(
msg=result['changed_msg']
@@ -639,7 +645,8 @@ def main():
csr_path=dict(type='path', require=False),
# Role config
- before_expired_hours=dict(type='int', required=False, default=72)
+ before_expired_hours=dict(type='int', required=False, default=72),
+ renew=dict(type='bool', required=False, default=True)
),
supports_check_mode=True,
add_file_common_args=True,
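Review bot: `validate()` now runs `self.check(validate=True)` on the same instance that `main()` already ran `check(validate=False)` on, and nothing in this diff clears `self.changed_message` in between, so messages from the first pass survive into the post-enrollment validation. On failure the hunk reports `result['changed_msg']`, which the earlier hunk only assigns in the missing-file branch of `check()`, and there to the return value of `list.append`, i.e. `None`; for a key or CN mismatch the lookup would raise a KeyError or report an empty message, unless the unseen middle of `check()` sets that key. Reset the list and report what was actually collected: `self.changed_message = []` before `result = self.check(validate=True)`, and `msg='; '.join(self.changed_message)` in the `fail_json` call. `validate()` continues past the end of the hunk.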
@@ -649,19 +656,27 @@ def main():
if not HAS_CRYPTOGRAPHY:
module.fail_json(msg='"cryptography" python library is required')
vcert = VCertificate(module)
- change_dump = vcert.check()
+ change_dump = vcert.check(validate=False)
if module.check_mode:
module.exit_json(**change_dump)
- # TODO: make a following choice (make it after completing role @arykalin):
- """
- 1. If certificate is present and renew is true validate it
- 2. If certificate not present renew it
- 3. If it present and renew is false just keep it.
- """
if not vcert.check_dirs_existed():
module.fail_json(msg="Dirs not existed")
- if change_dump['changed'] or module.params['force']:
+ if change_dump['changed']:
+ # TODO: Cover it by tests
+ """
+ make a following choice:
+ 1. If certificate is present and renew is true validate it
+ 2. If certificate not present renew it
+ 3. If it present and renew is false just keep it.
+ """
+ if change_dump['cert_file_exists']:
+ if module.params['renew']:
+ vcert.enroll()
+ else:
+ module.exit_json(**change_dump)
+ vcert.enroll()
+ elif module.params['force']:
vcert.enroll()
vcert.validate()
result = vcert.dump()
diff --git a/tests/jeremy-playbook.yml b/tests/jeremy-playbook.yml
new file mode 100644
index 0000000..951bac6
--- /dev/null
+++ b/tests/jeremy-playbook.yml
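Review bot: When the certificate file exists and `renew` is true, the new branch calls `vcert.enroll()` inside `if module.params['renew']:` and then falls through to the unconditional `vcert.enroll()` two lines below, so every renewal issues two enrollment requests per run (presumably two key pairs and two CA requests for one task; what the second call overwrites is not visible here). When `renew` is false the module exits with the `change_dump` returned by `check()`, i.e. `changed: True`, although nothing was written and `validate()` was skipped, so the play reports a change it did not make. Collapse the branch so `enroll()` runs once and clear the changed flag on the keep-it path; the triple-quoted string used as a comment is a no-op expression inside `main()` rather than a comment and should become `#` lines. `main()` begins before this hunk.
```python
    if change_dump['changed']:
        # Existing certificate and renew=false: keep it and report no change,
        # since nothing is written on this path.
        if change_dump['cert_file_exists'] and not module.params['renew']:
            change_dump['changed'] = False
            module.exit_json(**change_dump)
        vcert.enroll()
    elif module.params['force']:
        vcert.enroll()
    vcert.validate()
    # … unchanged: result = vcert.dump() …
```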
@@ -0,0 +1,33 @@
+---
+- hosts: localhost
+ roles:
+ - role: ansible-role-venafi
+ #certificate_common_name: "{{ ansible_fqdn }}.jeremy-test.venafi.com"
+ certificate_common_name: "ansible-test.se.venafi.com"
+ certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"
+
+ certificate_alt_name: "IP:192.168.1.1,DNS:san-example.se.com"
+ #certificate_alt_name: "IP:192.168.1.1,DNS:www.venafi.example.com,DNS:m.venafi.example.com,email:e@venafi.com,email:e2@venafi.com,IP Address:192.168.2.2"
+
+ certificate_privatekey_type: "RSA"
+ certificate_privatekey_size: "2048"
+ #certificate_privatekey_curve: "P251"
+ #certificate_privatekey_passphrase: "password"
+ #certificate_chain_option: "last"
+ certificate_before_expired_hours: 72
+
+ #certificate_cert_dir: "/etc/ssl/{{ certificate_common_name }}"
+ certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
+ certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
+ certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
+ #certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr"
+
+ # Where to execute venafi_certificate module. If set to false, certificate will be
+ # created on Ansible master host and then copied to the remote server.
+ #certificate_remote_execution: false
+ # Remote location where to place the certificate.
+ #certificate_remote_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
+ #certificate_remote_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
+ #certificate_remote_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
+ # Set to false if you don't want to copy private key to remote location.
+ #certificate_copy_private_key_to_remote: true
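Review bot: The playbook writes the private key to `/tmp/etc/ssl/{{ certificate_common_name }}/{{ certificate_common_name }}.key`, a shared scratch directory on the controller (`hosts: localhost`), and hard-codes an environment-specific CN (`ansible-test.se.venafi.com`) and SAN (`san-example.se.com`) next to a commented-out `certificate_privatekey_passphrase: "password"`, which reads as one developer's scratch file rather than a shared test fixture. If it is meant to stay under `tests/`, rename it to a generic example, replace the CN/SAN with `example.com` placeholders, and move `certificate_cert_dir` out of `/tmp` (or make it a variable) so nobody copies the key location into real use; otherwise keep it local and let `.gitignore` cover it.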