java_keystore - Added support for private key pass phrase (#276) (#276)

* This fixes (#275) * Migrated PR from https://github.com/ansible/ansible/pull/47768 * Applied requested changes * Fixed issue with load_file_common_arguments * Using args list when calling run_commands * Keytool now reads passwords from stdin * Fixed PEP8 indentation issues
2024-09-14 20:13:21 +02:00 · 2020-05-25 05:09:18 -03:00 · 2020-05-25 05:09:18 -03:00 · 1774352313
commit 1774352313
parent d1798d3056
3 changed files with 89 additions and 39 deletions
--- a/changelogs/fragments/276-java_keystore-private_key_passphrase.yaml
+++ b/changelogs/fragments/276-java_keystore-private_key_passphrase.yaml
@ -0,0 +1,2 @@
+minor_changes:
+  - java_keystore - add the private_key_passphrase parameter (https://github.com/ansible-collections/community.general/pull/276).
--- a/plugins/modules/system/java_keystore.py
+++ b/plugins/modules/system/java_keystore.py
@ -27,6 +27,12 @@ options:
        description:
          - Private key that should be used to create the key store.
        required: true
+    private_key_passphrase:
+        description:
+          - Pass phrase for reading the private key, if required.
+        type: str
+        required: false
+        version_added: "2.10"
    password:
        description:
          - Password that should be used to secure the key store.
@ -110,7 +116,7 @@ import re


 def read_certificate_fingerprint(module, openssl_bin, certificate_path):
-    current_certificate_fingerprint_cmd = "%s x509 -noout -in %s -fingerprint -sha256" % (openssl_bin, certificate_path)
+    current_certificate_fingerprint_cmd = [openssl_bin, "x509", "-noout", "-in", certificate_path, "-fingerprint", "-sha256"]
    (rc, current_certificate_fingerprint_out, current_certificate_fingerprint_err) = run_commands(module, current_certificate_fingerprint_cmd)
    if rc != 0:
        return module.fail_json(msg=current_certificate_fingerprint_out,
@ -130,7 +136,7 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):


 def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
-    stored_certificate_fingerprint_cmd = "%s -list -alias '%s' -keystore '%s' -storepass '%s' -v" % (keytool_bin, alias, keystore_path, keystore_password)
+    stored_certificate_fingerprint_cmd = [keytool_bin, "-list", "-alias", alias, "-keystore", keystore_path, "-storepass", keystore_password, "-v"]
    (rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
    if rc != 0:
        if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
@ -152,8 +158,8 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
        return stored_certificate_match.group(1)


-def run_commands(module, cmd, check_rc=True):
-    return module.run_command(cmd, check_rc)
+def run_commands(module, cmd, data=None, check_rc=True):
+    return module.run_command(cmd, check_rc=check_rc, data=data)


 def create_file(path, content):
@ -180,7 +186,7 @@ def cert_changed(module, openssl_bin, keytool_bin, keystore_path, keystore_pass,
        os.remove(certificate_path)


-def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password):
+def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password, keypass):
    if module.check_mode:
        module.exit_json(changed=True)
    else:
@ -194,23 +200,33 @@ def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password):
            if os.path.exists(keystore_p12_path):
                os.remove(keystore_p12_path)

-            export_p12_cmd = "%s pkcs12 -export -name '%s' -in '%s' -inkey '%s' -out '%s' -passout 'pass:%s'" % (
-                openssl_bin, name, certificate_path, private_key_path, keystore_p12_path, password)
-            (rc, export_p12_out, export_p12_err) = run_commands(module, export_p12_cmd)
+            export_p12_cmd = [openssl_bin, "pkcs12", "-export", "-name", name, "-in", certificate_path,
+                              "-inkey", private_key_path, "-out",
+                              keystore_p12_path, "-passout", "stdin"]
+
+            # when keypass is provided, add -passin
+            cmd_stdin = ""
+            if keypass:
+                export_p12_cmd.append("-passin")
+                export_p12_cmd.append("stdin")
+                cmd_stdin = "%s\n" % keypass
+
+            cmd_stdin += "%s\n%s" % (password, password)
+            (rc, export_p12_out, export_p12_err) = run_commands(module, export_p12_cmd, data=cmd_stdin)
            if rc != 0:
                return module.fail_json(msg=export_p12_out,
                                        rc=rc,
                                        cmd=export_p12_cmd)

-            import_keystore_cmd = "%s -importkeystore " \
-                                  "-destkeystore '%s' " \
-                                  "-srckeystore '%s' " \
-                                  "-srcstoretype pkcs12 " \
-                                  "-alias '%s' " \
-                                  "-deststorepass '%s' " \
-                                  "-srcstorepass '%s' " \
-                                  "-noprompt" % (keytool_bin, keystore_path, keystore_p12_path, name, password, password)
-            (rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd)
+            import_keystore_cmd = [keytool_bin, "-importkeystore",
+                                   "-destkeystore", keystore_path,
+                                   "-srckeystore", keystore_p12_path,
+                                   "-srcstoretype", "pkcs12",
+                                   "-alias", name,
+                                   "-deststorepass", password,
+                                   "-srcstorepass", password,
+                                   "-noprompt"]
+            (rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd, data=None)
            if rc == 0:
                update_jks_perm(module, keystore_path)
                return module.exit_json(changed=True,
@ -241,6 +257,7 @@ def update_jks_perm(module, keystore_path):
 def process_jks(module):
    name = module.params['name']
    password = module.params['password']
+    keypass = module.params['private_key_passphrase']
    keystore_path = module.params['dest']
    force = module.params['force']
    openssl_bin = module.get_bin_path('openssl', True)
@ -248,16 +265,16 @@ def process_jks(module):

    if os.path.exists(keystore_path):
        if force:
-            create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password)
+            create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password, keypass)
        else:
            if cert_changed(module, openssl_bin, keytool_bin, keystore_path, password, name):
-                create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password)
+                create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password, keypass)
            else:
                if not module.check_mode:
                    update_jks_perm(module, keystore_path)
                return module.exit_json(changed=False)
    else:
-        create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password)
+        create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password, keypass)


 class ArgumentSpec(object):
@ -270,7 +287,8 @@ class ArgumentSpec(object):
            private_key=dict(required=True, no_log=True),
            password=dict(required=True, no_log=True),
            dest=dict(required=True),
-            force=dict(required=False, default=False, type='bool')
+            force=dict(required=False, default=False, type='bool'),
+            private_key_passphrase=dict(required=False, no_log=True, type='str')
        )
        self.argument_spec = argument_spec

--- a/tests/unit/plugins/modules/system/test_java_keystore.py
+++ b/tests/unit/plugins/modules/system/test_java_keystore.py
@ -64,19 +64,49 @@ class TestCreateJavaKeystore(ModuleTestCase):
        module.exit_json = Mock()

        with patch('os.remove', return_value=True):
-            self.run_commands.side_effect = lambda args, kwargs: (0, '', '')
-            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit")
+            self.run_commands.side_effect = lambda module, cmd, data: (0, '', '')
+            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
            module.exit_json.assert_called_once_with(
                changed=True,
-                cmd="keytool -importkeystore "
-                    "-destkeystore '/path/to/keystore.jks' "
-                    "-srckeystore '/tmp/keystore.p12' -srcstoretype pkcs12 -alias 'test' "
-                    "-deststorepass 'changeit' -srcstorepass 'changeit' -noprompt",
+                cmd=["keytool", "-importkeystore",
+                     "-destkeystore", "/path/to/keystore.jks",
+                     "-srckeystore", "/tmp/keystore.p12", "-srcstoretype", "pkcs12", "-alias", "test",
+                     "-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
                msg='',
                rc=0,
                stdout_lines=''
            )

+    def test_create_jks_keypass_fail_export_pkcs12(self):
+        set_module_args(dict(
+            certificate='cert-foo',
+            private_key='private-foo',
+            private_key_passphrase='passphrase-foo',
+            dest='/path/to/keystore.jks',
+            name='foo',
+            password='changeit'
+        ))
+
+        module = AnsibleModule(
+            argument_spec=self.spec.argument_spec,
+            supports_check_mode=self.spec.supports_check_mode
+        )
+
+        module.fail_json = Mock()
+
+        with patch('os.remove', return_value=True):
+            self.run_commands.side_effect = [(1, '', ''), (0, '', '')]
+            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "passphrase-foo")
+            module.fail_json.assert_called_once_with(
+                cmd=["openssl", "pkcs12", "-export", "-name", "test",
+                     "-in", "/tmp/foo.crt", "-inkey", "/tmp/foo.key",
+                     "-out", "/tmp/keystore.p12",
+                     "-passout", "stdin",
+                     "-passin", "stdin"],
+                msg='',
+                rc=1
+            )
+
    def test_create_jks_fail_export_pkcs12(self):
        set_module_args(dict(
            certificate='cert-foo',
@ -95,12 +125,12 @@ class TestCreateJavaKeystore(ModuleTestCase):

        with patch('os.remove', return_value=True):
            self.run_commands.side_effect = [(1, '', ''), (0, '', '')]
-            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit")
+            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
            module.fail_json.assert_called_once_with(
-                cmd="openssl pkcs12 -export -name 'test' "
-                    "-in '/tmp/foo.crt' -inkey '/tmp/foo.key' "
-                    "-out '/tmp/keystore.p12' "
-                    "-passout 'pass:changeit'",
+                cmd=["openssl", "pkcs12", "-export", "-name", "test",
+                     "-in", "/tmp/foo.crt", "-inkey", "/tmp/foo.key",
+                     "-out", "/tmp/keystore.p12",
+                     "-passout", "stdin"],
                msg='',
                rc=1
            )
@ -123,12 +153,12 @@ class TestCreateJavaKeystore(ModuleTestCase):

        with patch('os.remove', return_value=True):
            self.run_commands.side_effect = [(0, '', ''), (1, '', '')]
-            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit")
+            create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
            module.fail_json.assert_called_once_with(
-                cmd="keytool -importkeystore "
-                    "-destkeystore '/path/to/keystore.jks' "
-                    "-srckeystore '/tmp/keystore.p12' -srcstoretype pkcs12 -alias 'test' "
-                    "-deststorepass 'changeit' -srcstorepass 'changeit' -noprompt",
+                cmd=["keytool", "-importkeystore",
+                     "-destkeystore", "/path/to/keystore.jks",
+                     "-srckeystore", "/tmp/keystore.p12", "-srcstoretype", "pkcs12", "-alias", "test",
+                     "-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
                msg='',
                rc=1
            )
@ -231,7 +261,7 @@ class TestCertChanged(ModuleTestCase):
            self.run_commands.side_effect = [(1, '', 'Oops'), (0, 'SHA256: wxyz:9876:stuv', '')]
            cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            module.fail_json.assert_called_once_with(
-                cmd="openssl x509 -noout -in /tmp/foo.crt -fingerprint -sha256",
+                cmd=["openssl", "x509", "-noout", "-in", "/tmp/foo.crt", "-fingerprint", "-sha256"],
                msg='',
                err='Oops',
                rc=1
@ -257,7 +287,7 @@ class TestCertChanged(ModuleTestCase):
            self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
            cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
            module.fail_json.assert_called_with(
-                cmd="keytool -list -alias 'foo' -keystore '/path/to/keystore.jks' -storepass 'changeit' -v",
+                cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass", "changeit", "-v"],
                msg='',
                err='Oops',
                rc=1