From d57711bd8f1c16cee1f5eb55ade2255b725a96c6 Mon Sep 17 00:00:00 2001
From: Aleksandr Rykalin
Date: Mon, 18 Nov 2019 14:27:15 +0300
Subject: [PATCH] don't validate alt names when in test mode
---
library/venafi_certificate.py | 42 ++++++++++++++++++-----------------
tests/jeremy-playbook.yml | 4 ++--
2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/library/venafi_certificate.py b/library/venafi_certificate.py
index 1482cf4..0a42304 100644
--- a/library/venafi_certificate.py
+++ b/library/venafi_certificate.py
@@ -480,26 +480,28 @@ def _check_certificate_validity(self, cert, validate):
(datetime.datetime.now()))
)
return False
- ips = []
- dns = []
- alternative_names = cert.extensions.get_extension_for_oid( ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
- for e in alternative_names:
- if isinstance(e, x509.general_name.DNSName):
- dns.append(e.value)
- elif isinstance(e, x509.general_name.IPAddress):
- ips.append(e.value.exploded)
- if self.ip_addresses and sorted(self.ip_addresses) != sorted(ips):
- self.changed_message.append("IP addresses in request: %s and in " "certificate: %s are different" % (sorted(self.ip_addresses), ips))
- self.changed_message.append("CN is %s" % cn)
- return False
- expected_dns = self.san_dns.append(cn)
- if expected_dns and sorted(expected_dns) != sorted(dns):
- self.changed_message.append("DNS addresses in request and in " "certificate are different")
- return False
+ # Python vcert test mode don't support alt names
+ if not self.module.params['test_mode']:
+ ips = []
+ dns = []
+ alternative_names = cert.extensions.get_extension_for_oid(
+ ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
+ for e in alternative_names:
+ if isinstance(e, x509.general_name.DNSName):
+ dns.append(e.value)
+ elif isinstance(e, x509.general_name.IPAddress):
+ ips.append(e.value.exploded)
+ if self.ip_addresses and sorted(self.ip_addresses) != sorted(ips):
+ self.changed_message.append("IP addresses in request: %s and in "
+ "certificate: %s are different"
+ % (sorted(self.ip_addresses), ips))
+ self.changed_message.append("CN is %s" % cn)
+ return False
+ expected_dns = self.san_dns.append(cn)
+ if expected_dns and sorted(expected_dns) != sorted(dns):
+ self.changed_message.append("DNS addresses in request and in "
+ "certificate are different")
+ return False
return True
def _check_public_key_matched_to_private_key(self, cert):
diff --git a/tests/jeremy-playbook.yml b/tests/jeremy-playbook.yml
index d8b6c94..af8159a 100644
--- a/tests/jeremy-playbook.yml
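Review bot: `expected_dns = self.san_dns.append(cn)` in the new block still binds None, because list.append returns None, so the `if expected_dns and …` comparison right after it never fires and the certificate is reported valid even when its DNS SANs differ from the request; as a side effect every validity check appends cn to self.san_dns again. Building the expected list without mutating the attribute makes the check live, and since cryptography's `get_extension_for_oid` raises `x509.ExtensionNotFound` when the certificate carries no SAN extension, that case should yield empty name lists rather than propagate out of the check — the rewrite below covers both. The comparison also assumes self.san_dns is a list and that callers expect the CN to appear among the SAN DNS names; confirm that before relying on the stricter result. The comment would read better as `# Python vcert test mode doesn't support alt names`. _check_certificate_validity begins before the hunk, so the `validate` parameter and the cn binding are not visible here.
```python
        if not self.module.params['test_mode']:
            ips = []
            dns = []
            try:
                alternative_names = cert.extensions.get_extension_for_oid(
                    ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
            except x509.ExtensionNotFound:
                # no SAN extension at all: compare against empty name lists
                alternative_names = []
            # … unchanged: DNSName / IPAddress collection and the IP comparison …
            # append() returns None; build a fresh list so self.san_dns is not mutated
            expected_dns = list(self.san_dns) + [cn]
            if expected_dns and sorted(expected_dns) != sorted(dns):
            # … unchanged: changed_message entries and return False …
```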
+++ b/tests/jeremy-playbook.yml
@@ -6,7 +6,7 @@
certificate_common_name: "ansible-test.se.venafi.com"
certificate_cert_dir: "/tmp/etc/ssl/{{ certificate_common_name }}"
- certificate_alt_name: "IP:192.168.1.1,DNS:san-example.se.com"
+ certificate_alt_name: "IP:192.168.0.15,DNS:ansible-test-ext.se.venafi.com"
#certificate_alt_name: "IP:192.168.1.1,DNS:www.venafi.example.com,DNS:m.venafi.example.com,email:e@venafi.com,email:e2@venafi.com,IP Address:192.168.2.2"
certificate_privatekey_type: "RSA"
@@ -14,7 +14,7 @@
#certificate_privatekey_curve: "P251"
#certificate_privatekey_passphrase: "password"
#certificate_chain_option: "last"
- certificate_before_expired_hours: 2200
+ certificate_before_expired_hours: 2000
#certificate_cert_dir: "/etc/ssl/{{ certificate_common_name }}"
certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"