1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/modules/system/java_cert.py

402 lines
14 KiB
Python
Raw Normal View History

2020-03-09 10:11:07 +01:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright: (c) 2013, RSD Services S.A
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r'''
---
module: java_cert
short_description: Uses keytool to import/remove key from java keystore (cacerts)
description:
- This is a wrapper module around keytool, which can be used to import/remove
certificates from a given java keystore.
options:
cert_url:
description:
- Basic URL to fetch SSL certificate from.
- One of C(cert_url) or C(cert_path) is required to load certificate.
type: str
cert_port:
description:
- Port to connect to URL.
- This will be used to create server URL:PORT.
type: int
default: 443
cert_path:
description:
- Local path to load certificate from.
- One of C(cert_url) or C(cert_path) is required to load certificate.
type: path
cert_alias:
description:
- Imported certificate alias.
- The alias is used when checking for the presence of a certificate in the keystore.
type: str
trust_cacert:
description:
- Trust imported cert as CAcert.
type: bool
default: False
version_added: '0.2.0'
2020-03-09 10:11:07 +01:00
pkcs12_path:
description:
- Local path to load PKCS12 keystore from.
type: path
pkcs12_password:
description:
- Password for importing from PKCS12 keystore.
type: str
default: ''
pkcs12_alias:
description:
- Alias in the PKCS12 keystore.
type: str
keystore_path:
description:
- Path to keystore.
type: path
keystore_pass:
description:
- Keystore password.
type: str
required: true
keystore_create:
description:
- Create keystore if it does not exist.
type: bool
2020-11-23 12:14:43 +01:00
default: false
2020-03-09 10:11:07 +01:00
keystore_type:
description:
- Keystore type (JCEKS, JKS).
type: str
executable:
description:
- Path to keytool binary if not used we search in PATH for it.
type: str
default: keytool
state:
description:
- Defines action which can be either certificate import or removal.
type: str
choices: [ absent, present ]
default: present
author:
- Adam Hamsik (@haad)
'''
EXAMPLES = r'''
- name: Import SSL certificate from google.com to a given cacerts keystore
community.general.java_cert:
2020-03-09 10:11:07 +01:00
cert_url: google.com
cert_port: 443
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit
state: present
- name: Remove certificate with given alias from a keystore
community.general.java_cert:
2020-03-09 10:11:07 +01:00
cert_url: google.com
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
keystore_pass: changeit
executable: /usr/lib/jvm/jre7/bin/keytool
state: absent
- name: Import trusted CA from SSL certificate
community.general.java_cert:
2020-03-09 10:11:07 +01:00
cert_path: /opt/certs/rootca.crt
keystore_path: /tmp/cacerts
keystore_pass: changeit
keystore_create: yes
state: present
cert_alias: LE_RootCA
trust_cacert: True
- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
community.general.java_cert:
2020-03-09 10:11:07 +01:00
cert_url: google.com
keystore_path: /tmp/cacerts
keystore_pass: changeit
keystore_create: yes
state: present
- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
community.general.java_cert:
2020-03-09 10:11:07 +01:00
pkcs12_path: "/tmp/importkeystore.p12"
cert_alias: default
keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
keystore_pass: changeit
keystore_create: yes
state: present
- name: Import SSL certificate to JCEKS keystore
community.general.java_cert:
2020-03-09 10:11:07 +01:00
pkcs12_path: "/tmp/importkeystore.p12"
pkcs12_alias: default
pkcs12_password: somepass
cert_alias: default
keystore_path: /opt/someapp/security/keystore.jceks
keystore_type: "JCEKS"
keystore_pass: changeit
keystore_create: yes
state: present
'''
RETURN = r'''
msg:
description: Output from stdout of keytool command after execution of given command.
returned: success
type: str
sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'"
rc:
description: Keytool command execution return value.
returned: success
type: int
sample: "0"
cmd:
description: Executed command to get action done.
returned: success
type: str
sample: "keytool -importcert -noprompt -keystore"
'''
import os
import re
# import module snippets
from ansible.module_utils.basic import AnsibleModule
def get_keystore_type(keystore_type):
''' Check that custom keystore is presented in parameters '''
if keystore_type:
return " -storetype '%s'" % keystore_type
return ''
def check_cert_present(module, executable, keystore_path, keystore_pass, alias, keystore_type):
''' Check if certificate with alias is present in keystore
located at keystore_path '''
test_cmd = ("%s -noprompt -list -keystore '%s' -storepass '%s' "
"-alias '%s' %s") % (executable, keystore_path, keystore_pass, alias, get_keystore_type(keystore_type))
Tidy up all pylint:blacklisted-name ignore lines (#1819) (#1839) * fixed validation-modules for plugins/callback/hipchat.py * fixed validation-modules for plugins/connection/lxc.py * fixed validation-modules for plugins/modules/cloud/lxc/lxc_container.py * fixed validation-modules for plugins/modules/monitoring/statusio_maintenance.py * fixed validation-modules for plugins/modules/system/alternatives.py * fixed validation-modules for plugins/modules/system/beadm.py * fixed validation-modules for plugins/modules/system/cronvar.py * fixed validation-modules for plugins/modules/system/dconf.py * fixed validation-modules for plugins/modules/system/interfaces_file.py * fixed validation-modules for plugins/modules/system/java_cert.py * fixed validation-modules for plugins/modules/system/lvg.py * fixed validation-modules for plugins/modules/system/lvol.py * fixed validation-modules for plugins/modules/system/parted.py * fixed validation-modules for plugins/modules/system/timezone.py * fixed validation-modules for plugins/modules/web_infrastructure/rundeck_acl_policy.py * Tidy up all pylint:blacklisted-name sanity checks ignore lines * Missed one in statusio_maintenace.py * fixed validation-modules for plugins/modules/system/filesystem.py * Missed one in gconftool2.py * Missed one in alternatives.py * Using dummies now * fixed indentation * Made all the changes about replacing _ with dummy * Rollback bug fixed * Rollback bug fixed, part II * added changelog fragment * Improved changelog frag message per PR (cherry picked from commit 03b7b39424d639821a7994e66459ee25e94365e8) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2021-02-16 08:46:20 +01:00
check_rc, dummy, dummy = module.run_command(test_cmd)
2020-03-09 10:11:07 +01:00
if check_rc == 0:
return True
return False
def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias, keystore_type, trust_cacert):
''' Import certificate from URL into keystore located at keystore_path '''
https_proxy = os.getenv("https_proxy")
no_proxy = os.getenv("no_proxy")
proxy_opts = ''
if https_proxy is not None:
(proxy_host, proxy_port) = https_proxy.split(':')
proxy_opts = "-J-Dhttps.proxyHost=%s -J-Dhttps.proxyPort=%s" % (proxy_host, proxy_port)
if no_proxy is not None:
# For Java's nonProxyHosts property, items are separated by '|',
# and patterns have to start with "*".
non_proxy_hosts = no_proxy.replace(',', '|')
non_proxy_hosts = re.sub(r'(^|\|)\.', r'\1*.', non_proxy_hosts)
# The property name is http.nonProxyHosts, there is no
# separate setting for HTTPS.
proxy_opts += " -J-Dhttp.nonProxyHosts='%s'" % non_proxy_hosts
fetch_cmd = "%s -printcert -rfc -sslserver %s %s:%d" % (executable, proxy_opts, url, port)
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
"-storepass '%s' -alias '%s' %s") % (executable, keystore_path,
keystore_pass, alias,
get_keystore_type(keystore_type))
if trust_cacert:
import_cmd = import_cmd + " -trustcacerts"
# Fetch SSL certificate from remote host.
Tidy up all pylint:blacklisted-name ignore lines (#1819) (#1839) * fixed validation-modules for plugins/callback/hipchat.py * fixed validation-modules for plugins/connection/lxc.py * fixed validation-modules for plugins/modules/cloud/lxc/lxc_container.py * fixed validation-modules for plugins/modules/monitoring/statusio_maintenance.py * fixed validation-modules for plugins/modules/system/alternatives.py * fixed validation-modules for plugins/modules/system/beadm.py * fixed validation-modules for plugins/modules/system/cronvar.py * fixed validation-modules for plugins/modules/system/dconf.py * fixed validation-modules for plugins/modules/system/interfaces_file.py * fixed validation-modules for plugins/modules/system/java_cert.py * fixed validation-modules for plugins/modules/system/lvg.py * fixed validation-modules for plugins/modules/system/lvol.py * fixed validation-modules for plugins/modules/system/parted.py * fixed validation-modules for plugins/modules/system/timezone.py * fixed validation-modules for plugins/modules/web_infrastructure/rundeck_acl_policy.py * Tidy up all pylint:blacklisted-name sanity checks ignore lines * Missed one in statusio_maintenace.py * fixed validation-modules for plugins/modules/system/filesystem.py * Missed one in gconftool2.py * Missed one in alternatives.py * Using dummies now * fixed indentation * Made all the changes about replacing _ with dummy * Rollback bug fixed * Rollback bug fixed, part II * added changelog fragment * Improved changelog frag message per PR (cherry picked from commit 03b7b39424d639821a7994e66459ee25e94365e8) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
2021-02-16 08:46:20 +01:00
dummy, fetch_out, dummy = module.run_command(fetch_cmd, check_rc=True)
2020-03-09 10:11:07 +01:00
# Use remote certificate from remote host and import it to a java keystore
(import_rc, import_out, import_err) = module.run_command(import_cmd,
data=fetch_out,
check_rc=False)
diff = {'before': '\n', 'after': '%s\n' % alias}
if import_rc == 0:
module.exit_json(changed=True, msg=import_out,
rc=import_rc, cmd=import_cmd, stdout=import_out,
diff=diff)
else:
module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd,
error=import_err)
def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias, keystore_type, trust_cacert):
''' Import certificate from path into keystore located on
keystore_path as alias '''
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
"-storepass '%s' -file '%s' -alias '%s' %s") % (executable, keystore_path,
keystore_pass, path, alias,
get_keystore_type(keystore_type))
if trust_cacert:
import_cmd = import_cmd + " -trustcacerts"
# Use local certificate from local path and import it to a java keystore
(import_rc, import_out, import_err) = module.run_command(import_cmd,
check_rc=False)
diff = {'before': '\n', 'after': '%s\n' % alias}
if import_rc == 0:
module.exit_json(changed=True, msg=import_out,
rc=import_rc, cmd=import_cmd, stdout=import_out,
error=import_err, diff=diff)
else:
module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
def import_pkcs12_path(module, executable, path, keystore_path, keystore_pass, pkcs12_pass, pkcs12_alias, alias, keystore_type):
''' Import pkcs12 from path into keystore located on
keystore_path as alias '''
import_cmd = ("%s -importkeystore -noprompt -destkeystore '%s' -srcstoretype PKCS12 "
"-deststorepass '%s' -destkeypass '%s' -srckeystore '%s' -srcstorepass '%s' "
"-srcalias '%s' -destalias '%s' %s") % (executable, keystore_path, keystore_pass,
keystore_pass, path, pkcs12_pass, pkcs12_alias,
alias, get_keystore_type(keystore_type))
# Use local certificate from local path and import it to a java keystore
(import_rc, import_out, import_err) = module.run_command(import_cmd,
check_rc=False)
diff = {'before': '\n', 'after': '%s\n' % alias}
if import_rc == 0:
module.exit_json(changed=True, msg=import_out,
rc=import_rc, cmd=import_cmd, stdout=import_out,
error=import_err, diff=diff)
else:
module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
def delete_cert(module, executable, keystore_path, keystore_pass, alias, keystore_type):
''' Delete certificate identified with alias from keystore on keystore_path '''
del_cmd = ("%s -delete -keystore '%s' -storepass '%s' "
"-alias '%s' %s") % (executable, keystore_path, keystore_pass, alias, get_keystore_type(keystore_type))
# Delete SSL certificate from keystore
(del_rc, del_out, del_err) = module.run_command(del_cmd, check_rc=True)
diff = {'before': '%s\n' % alias, 'after': None}
module.exit_json(changed=True, msg=del_out,
rc=del_rc, cmd=del_cmd, stdout=del_out,
error=del_err, diff=diff)
def test_keytool(module, executable):
''' Test if keytool is actually executable or not '''
module.run_command("%s" % executable, check_rc=True)
def test_keystore(module, keystore_path):
''' Check if we can access keystore as file or not '''
if keystore_path is None:
keystore_path = ''
if not os.path.exists(keystore_path) and not os.path.isfile(keystore_path):
# Keystore doesn't exist we want to create it
module.fail_json(changed=False, msg="Module require existing keystore at keystore_path '%s'" % keystore_path)
def main():
argument_spec = dict(
cert_url=dict(type='str'),
cert_path=dict(type='path'),
pkcs12_path=dict(type='path'),
pkcs12_password=dict(type='str', no_log=True),
pkcs12_alias=dict(type='str'),
cert_alias=dict(type='str'),
cert_port=dict(type='int', default=443),
keystore_path=dict(type='path'),
keystore_pass=dict(type='str', required=True, no_log=True),
trust_cacert=dict(type='bool', default=False),
keystore_create=dict(type='bool', default=False),
keystore_type=dict(type='str'),
executable=dict(type='str', default='keytool'),
state=dict(type='str', default='present', choices=['absent', 'present']),
)
module = AnsibleModule(
argument_spec=argument_spec,
required_one_of=[['cert_path', 'cert_url', 'pkcs12_path']],
required_together=[['keystore_path', 'keystore_pass']],
mutually_exclusive=[
['cert_url', 'cert_path', 'pkcs12_path']
],
supports_check_mode=True,
)
url = module.params.get('cert_url')
path = module.params.get('cert_path')
port = module.params.get('cert_port')
pkcs12_path = module.params.get('pkcs12_path')
pkcs12_pass = module.params.get('pkcs12_password', '')
pkcs12_alias = module.params.get('pkcs12_alias', '1')
cert_alias = module.params.get('cert_alias') or url
trust_cacert = module.params.get('trust_cacert')
keystore_path = module.params.get('keystore_path')
keystore_pass = module.params.get('keystore_pass')
keystore_create = module.params.get('keystore_create')
keystore_type = module.params.get('keystore_type')
executable = module.params.get('executable')
state = module.params.get('state')
if path and not cert_alias:
module.fail_json(changed=False,
msg="Using local path import from %s requires alias argument."
% keystore_path)
test_keytool(module, executable)
if not keystore_create:
test_keystore(module, keystore_path)
cert_present = check_cert_present(module, executable, keystore_path,
keystore_pass, cert_alias, keystore_type)
if state == 'absent' and cert_present:
if module.check_mode:
module.exit_json(changed=True)
delete_cert(module, executable, keystore_path, keystore_pass, cert_alias, keystore_type)
elif state == 'present' and not cert_present:
if module.check_mode:
module.exit_json(changed=True)
if pkcs12_path:
import_pkcs12_path(module, executable, pkcs12_path, keystore_path,
keystore_pass, pkcs12_pass, pkcs12_alias, cert_alias, keystore_type)
if path:
import_cert_path(module, executable, path, keystore_path,
keystore_pass, cert_alias, keystore_type, trust_cacert)
if url:
import_cert_url(module, executable, url, port, keystore_path,
keystore_pass, cert_alias, keystore_type, trust_cacert)
module.exit_json(changed=False)
if __name__ == "__main__":
main()