don't validate alt names when in test mode

Venafi · Nov 18, 2019 · d57711b · d57711b
1 parent d7f8f2b
commit d57711b
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 22 deletions.
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
@@ -480,26 +480,28 @@ def _check_certificate_validity(self, cert, validate):
                    (datetime.datetime.now()))
             )
             return False
-        ips = []
-        dns = []
-        alternative_names = cert.extensions.get_extension_for_oid(
-            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
-        for e in alternative_names:
-            if isinstance(e, x509.general_name.DNSName):
-                dns.append(e.value)
-            elif isinstance(e, x509.general_name.IPAddress):
-                ips.append(e.value.exploded)
-        if self.ip_addresses and sorted(self.ip_addresses) != sorted(ips):
-            self.changed_message.append("IP addresses in request: %s and in "
-                                        "certificate: %s are different"
-                                        % (sorted(self.ip_addresses), ips))
-            self.changed_message.append("CN is %s" % cn)
-            return False
-        expected_dns = self.san_dns.append(cn)
-        if expected_dns and sorted(expected_dns) != sorted(dns):
-            self.changed_message.append("DNS addresses in request and in "
-                                        "certificate are different")
-            return False
+        # Python vcert test mode don't support alt names
+        if not self.module.params['test_mode']:
+            ips = []
+            dns = []
+            alternative_names = cert.extensions.get_extension_for_oid(
+                ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
+            for e in alternative_names:
+                if isinstance(e, x509.general_name.DNSName):
+                    dns.append(e.value)
+                elif isinstance(e, x509.general_name.IPAddress):
+                    ips.append(e.value.exploded)
+            if self.ip_addresses and sorted(self.ip_addresses) != sorted(ips):
+                self.changed_message.append("IP addresses in request: %s and in "
+                                            "certificate: %s are different"
+                                            % (sorted(self.ip_addresses), ips))
+                self.changed_message.append("CN is %s" % cn)
+                return False
+            expected_dns = self.san_dns.append(cn)
+            if expected_dns and sorted(expected_dns) != sorted(dns):
+                self.changed_message.append("DNS addresses in request and in "
+                                            "certificate are different")
+                return False
         return True
 
     def _check_public_key_matched_to_private_key(self, cert):

diff --git a/tests/jeremy-playbook.yml b/tests/jeremy-playbook.yml
@@ -6,15 +6,15 @@
       certificate_common_name: "ansible-test.se.venafi.com"
       certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"
 
-      certificate_alt_name: "IP:192.168.1.1,DNS:san-example.se.com"
+      certificate_alt_name: "IP:192.168.0.15,DNS:ansible-test-ext.se.venafi.com"
       #certificate_alt_name: "IP:192.168.1.1,DNS:www.venafi.example.com,DNS:m.venafi.example.com,email:e@venafi.com,email:e2@venafi.com,IP Address:192.168.2.2"
 
       certificate_privatekey_type: "RSA"
       certificate_privatekey_size: "2048"
       #certificate_privatekey_curve: "P251"
       #certificate_privatekey_passphrase: "password"
       #certificate_chain_option: "last"
-      certificate_before_expired_hours: 2200
+      certificate_before_expired_hours: 2000
 
       #certificate_cert_dir: "/etc/ssl/{{ certificate_common_name }}"
       certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"