mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
acme_account: improve account deactivation idempotency (#53234)
* Improve account deactivation idempotency. * Using newer testing container. * Add comment to test.
This commit is contained in:
parent
8ba2e15578
commit
1510435577
3 changed files with 15 additions and 3 deletions
|
@ -686,8 +686,9 @@ class ACMEAccount(object):
|
||||||
elif info['status'] == (409 if self.version == 1 else 200):
|
elif info['status'] == (409 if self.version == 1 else 200):
|
||||||
# Account did exist
|
# Account did exist
|
||||||
if result.get('status') == 'deactivated':
|
if result.get('status') == 'deactivated':
|
||||||
# A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179)
|
# A bug in Pebble (https://github.com/letsencrypt/pebble/issues/179) and
|
||||||
# and Boulder: this should not return a valid account object according to
|
# Boulder (https://github.com/letsencrypt/boulder/issues/3971): this should
|
||||||
|
# not return a valid account object according to
|
||||||
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.6:
|
# https://tools.ietf.org/html/draft-ietf-acme-acme-18#section-7.3.6:
|
||||||
# "Once an account is deactivated, the server MUST NOT accept further
|
# "Once an account is deactivated, the server MUST NOT accept further
|
||||||
# requests authorized by that account's key."
|
# requests authorized by that account's key."
|
||||||
|
@ -701,6 +702,14 @@ class ACMEAccount(object):
|
||||||
elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
|
elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation:
|
||||||
# Account does not exist (and we didn't try to create it)
|
# Account does not exist (and we didn't try to create it)
|
||||||
return False, None
|
return False, None
|
||||||
|
elif info['status'] == 403 and result['type'] == 'urn:ietf:params:acme:error:unauthorized' and 'deactivated' in (result.get('detail') or ''):
|
||||||
|
# Account has been deactivated; currently works for Pebble; hasn't been
|
||||||
|
# implemented for Boulder (https://github.com/letsencrypt/boulder/issues/3971),
|
||||||
|
# might need adjustment in error detection.
|
||||||
|
if not allow_creation:
|
||||||
|
return False, None
|
||||||
|
else:
|
||||||
|
raise ModuleFailException("Account is deactivated")
|
||||||
else:
|
else:
|
||||||
raise ModuleFailException("Error registering: {0} {1}".format(info['status'], result))
|
raise ModuleFailException("Error registering: {0} {1}".format(info['status'], result))
|
||||||
|
|
||||||
|
|
|
@ -111,6 +111,9 @@
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- account_deactivate_idempotent is not changed
|
- account_deactivate_idempotent is not changed
|
||||||
|
# The next condition should be true for all conforming ACME servers.
|
||||||
|
# In case it is not true, it could be both an error in acme_account
|
||||||
|
# and in the ACME server.
|
||||||
- account_deactivate_idempotent.account_uri is none
|
- account_deactivate_idempotent.account_uri is none
|
||||||
|
|
||||||
- name: Validate that the account is gone (new account key)
|
- name: Validate that the account is gone (new account key)
|
||||||
|
|
|
@ -44,7 +44,7 @@ class ACMEProvider(CloudProvider):
|
||||||
if os.environ.get('ANSIBLE_ACME_CONTAINER'):
|
if os.environ.get('ANSIBLE_ACME_CONTAINER'):
|
||||||
self.image = os.environ.get('ANSIBLE_ACME_CONTAINER')
|
self.image = os.environ.get('ANSIBLE_ACME_CONTAINER')
|
||||||
else:
|
else:
|
||||||
self.image = 'quay.io/ansible/acme-test-container:1.4.1'
|
self.image = 'quay.io/ansible/acme-test-container:1.4.2'
|
||||||
self.container_name = ''
|
self.container_name = ''
|
||||||
|
|
||||||
def _wait_for_service(self, protocol, acme_host, port, local_part, name):
|
def _wait_for_service(self, protocol, acme_host, port, local_part, name):
|
||||||
|
|
Loading…
Reference in a new issue