1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Minimizing information needed for second stage from first stage. (#42167)

This commit is contained in:
Felix Fontein 2018-07-01 16:06:38 +02:00 committed by ansibot
parent f4efa2c4cc
commit 52e7946de5

View file

@ -97,6 +97,10 @@ options:
the second run of the module only."
- "The value that must be used here will be provided by a previous use
of this module. See the examples for more details."
- "Note that for ACME v2, only the C(order_uri) entry of C(data) will
be used. For ACME v1, C(data) must be non-empty to indicate the
second stage is active; all needed data will be taken from the
CSR."
- "I(Note): the C(data) option was marked as C(no_log) up to
Ansible 2.5. From Ansible 2.6 on, it is no longer marked this way
as it causes error messages to be come unusable, and C(data) does
@ -363,7 +367,7 @@ class ACMEClient(object):
self.authorizations = None
self.cert_days = -1
self.order_uri = self.data.get('order_uri') if self.data else None
self.finalize_uri = self.data.get('finalize_uri') if self.data else None
self.finalize_uri = None
# Make sure account exists
modify_account = module.params['modify_account']
@ -679,11 +683,15 @@ class ACMEClient(object):
Return True if this is the first execution of this module, i.e. if a
sufficient data object from a first run has not been provided.
'''
if (self.data is None) or ('authorizations' not in self.data):
if self.data is None:
return True
if self.finalize_uri is None and self.version != 1:
return True
return False
if self.version == 1:
# As soon as self.data is a non-empty object, we are in the second stage.
return not self.data
else:
# We are in the second stage if data.order_uri is given (which has been
# stored in self.order_uri by the constructor).
return self.order_uri is None
def start_challenges(self):
'''
@ -725,8 +733,42 @@ class ACMEClient(object):
Verify challenges for all domains of the CSR.
'''
self.authorizations = {}
for domain, auth in self.data['authorizations'].items():
self.authorizations[domain] = auth
# Step 1: obtain challenge information
if self.version == 1:
# For ACME v1, we attempt to create new authzs. Existing ones
# will be returned instead.
for domain in self.domains:
new_auth = self._new_authz_v1(domain)
self._add_or_update_auth(domain, new_auth)
else:
# For ACME v2, we obtain the order object by fetching the
# order URI, and extract the information from there.
resp, info = fetch_url(self.module, self.order_uri)
try:
result = resp.read()
except AttributeError:
result = info.get('body')
if not result:
raise ModuleFailException("Cannot download order from {0}: {1} (headers: {2})".format(self.order_uri, result, info))
if info['status'] not in [200]:
raise ModuleFailException("Error on downloading order: CODE: {0} RESULT: {1}".format(info['status'], result))
result = self.module.from_json(result.decode('utf8'))
for auth_uri in result['authorizations']:
auth_data = simple_get(self.module, auth_uri)
auth_data['uri'] = auth_uri
domain = auth_data['identifier']['value']
if auth_data.get('wildcard', False):
domain = '*.{0}'.format(domain)
self.authorizations[domain] = auth_data
self.finalize_uri = result['finalize']
# Step 2: validate challenges
for domain, auth in self.authorizations.items():
if auth['status'] == 'pending':
self._validate_challenges(domain, auth)