Add simple module to import/delete ssl certificate from/to java keystore (#20274)

* Add simple module to import/delete ssl certificate from/to java keystore. * add diff/check mode support, fix reported issues and simplify decision logic * Fix build by adding new line at the end of file. * Some updates to module requested PR review * Add simple executable parameter * Fix build error
2024-09-14 20:13:21 +02:00 · 2017-03-09 20:14:43 +01:00 · 2017-03-09 20:14:43 +01:00 · 6cf8318468
commit 6cf8318468
parent e5b990a55a
1 changed files with 281 additions and 0 deletions
--- a/lib/ansible/modules/system/java_cert.py
+++ b/lib/ansible/modules/system/java_cert.py
@ -0,0 +1,281 @@
+#!/usr/bin/python
+#
+# (c) 2013, RSD Services S.A
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+ANSIBLE_METADATA = {'status': ['preview'],
+                    'supported_by': 'community',
+                    'version': '1.0'}
+
+DOCUMENTATION = '''
+---
+module: java_cert
+version_added: '2.3'
+short_description: Uses keytool to import/remove key from java keystore(cacerts)
+description:
+  - This is a wrapper module around keytool. Which can be used to import/remove
+    certificates from a given java keystore.
+options:
+  cert_url:
+    description:
+      - Basic URL to fetch SSL certificate from. One of cert_url or cert_path is required to load certificate.
+  cert_port:
+    description:
+      - Port to connect to URL. This will be used to create server URL:PORT
+    default: 443
+  cert_path:
+    description:
+      - Local path to load certificate from. One of cert_url or cert_path is required to load certificate.
+  cert_alias:
+    description:
+      - Imported certificate alias.
+  keystore_path:
+    description:
+      - Path to keystore.
+  keystore_pass:
+    description:
+      - Keystore password.
+    required: true
+  keystore_create:
+    description:
+      - Create keystore if it doesn't exist
+  executable:
+    description:
+      - Path to keytool binary if not used we search in PATH for it.
+    default: keytool
+  state:
+    description:
+      - Defines action which can be either certificate import or removal.
+    choices: [ 'present', 'absent' ]
+    default: present
+
+author: Adam Hamsik @haad
+'''
+
+EXAMPLES = '''
+# Import SSL certificate from google.com to a given cacerts keystore
+java_cert:
+  cert_url: google.com
+  cert_port: 443
+  keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
+  keystore_pass: changeit
+  state: present
+
+# Remove certificate with given alias from a keystore
+java_cert:
+  cert_url: google.com
+  keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
+  keystore_pass: changeit
+  executable: /usr/lib/jvm/jre7/bin/keytool
+  state: absent
+
+# Import SSL certificate from google.com to a keystore,
+# create it if it doesn't exist
+java_cert:
+  cert_url: google.com
+  keystore_path: /tmp/cacerts
+  keystore_pass: changeit
+  keystore_create: yes
+  state: present
+'''
+
+RETURN = '''
+msg:
+  description: Output from stdout of keytool command after execution of given command.
+  returned: success
+  type: string
+  sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'"
+
+rc:
+  description: Keytool command execution return value
+  returned: success
+  type: int
+  sample: "0"
+
+cmd:
+  description: Executed command to get action done
+  returned: success
+  type: string
+  sample: "keytool -importcert -noprompt -keystore"
+'''
+
+import os
+
+# import module snippets
+from ansible.module_utils.basic import AnsibleModule
+
+def check_cert_present(module, executable, keystore_path, keystore_pass, alias):
+    ''' Check if certificate with alias is present in keystore
+        located at keystore_path '''
+    test_cmd = ("%s -noprompt -list -keystore '%s' -storepass '%s' "
+                "-alias '%s'")%(executable, keystore_path, keystore_pass, alias)
+
+    (check_rc, _, _) = module.run_command(test_cmd)
+    if check_rc == 0:
+        return True
+    return False
+
+def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias):
+    ''' Import certificate from URL into keystore located at keystore_path '''
+    fetch_cmd = ("%s -printcert -rfc -sslserver %s:%d")%(executable, url, port)
+    import_cmd = ("%s -importcert -noprompt -keystore '%s' "
+                  "-storepass '%s' -alias '%s'")%(executable, keystore_path,
+                                                  keystore_pass, alias)
+
+    if module.check_mode:
+        module.exit_json(changed=True)
+
+    # Fetch SSL certificate from remote host.
+    (_, fetch_out, _) = module.run_command(fetch_cmd, check_rc=True)
+
+    # Use remote certificate from remote host and import it to a java keystore
+    (import_rc, import_out, import_err) = module.run_command(import_cmd,
+                                                             data=fetch_out,
+                                                             check_rc=False)
+    diff = {'before': '\n', 'after': '%s\n'%alias}
+    if import_rc == 0:
+        return module.exit_json(changed=True, msg=import_out,
+                                rc=import_rc, cmd=import_cmd, stdout=import_out,
+                                diff=diff)
+    else:
+        return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd,
+                                error=import_err)
+
+def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias):
+    ''' Import certificate from path into keystore located on
+        keystore_path as alias '''
+    import_cmd = ("%s -importcert -noprompt -keystore '%s' "
+                  "-storepass '%s' -file '%s' -alias '%s'")%(executable,
+                                                             keystore_path,
+                                                             keystore_pass,
+                                                             path, alias)
+
+    if module.check_mode:
+        module.exit_json(changed=True)
+
+    # Use local certificate from local path and import it to a java keystore
+    (import_rc, import_out, import_err) = module.run_command(import_cmd,
+                                                             check_rc=False)
+
+    diff = {'before': '\n', 'after': '%s\n'%alias}
+    if import_rc == 0:
+        return module.exit_json(changed=True, msg=import_out,
+                                rc=import_rc, cmd=import_cmd, stdout=import_out,
+                                error=import_err, diff=diff)
+    else:
+        return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
+
+def delete_cert(module, executable, keystore_path, keystore_pass, alias):
+    ''' Delete cerificate identified with alias from keystore on keystore_path '''
+    del_cmd = ("%s -delete -keystore '%s' -storepass '%s' "
+               "-alias '%s'")%(executable, keystore_path, keystore_pass, alias)
+
+    if module.check_mode:
+        module.exit_json(changed=True)
+
+    # Delete SSL certificate from keystore
+    (del_rc, del_out, del_err) = module.run_command(del_cmd, check_rc=True)
+
+    diff = {'before': '%s\n'%alias, 'after': None}
+
+    return module.exit_json(changed=True, msg=del_out,
+                            rc=del_rc, cmd=del_cmd, stdout=del_out,
+                            error=del_err, diff=diff)
+
+def test_keytool(module, executable):
+    ''' Test if keytool is actuall executable or not '''
+    test_cmd = "%s"%(executable)
+
+    module.run_command(test_cmd, check_rc=True)
+
+def test_keystore(module, keystore_path):
+    ''' Check if we can access keystore as file or not '''
+    if keystore_path is None:
+        keystore_path = ''
+
+    if not os.path.exists(keystore_path) and not os.path.isfile(keystore_path):
+        ## Keystore doesn't exist we want to create it
+        return module.fail_json(changed=False,
+                                msg="Module require existing keystore at keystore_path '%s'"
+                                %(keystore_path))
+
+def main():
+    argument_spec = dict(
+        cert_url=dict(type='str'),
+        cert_path=dict(type='str'),
+        cert_alias=dict(type='str'),
+        cert_port=dict(default='443', type='int'),
+        keystore_path=dict(type='str'),
+        keystore_pass=dict(required=True, type='str'),
+        keystore_create=dict(default=False, type='bool'),
+        executable=dict(default='keytool', type='str'),
+        state=dict(default='present',
+                   choices=['present', 'absent'])
+    )
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        required_one_of=[['cert_path', 'cert_url']],
+        required_together=[['keystore_path', 'keystore_pass']],
+        mutually_exclusive=[
+            ['cert_url', 'cert_path']
+        ],
+        supports_check_mode=True,
+    )
+
+    url = module.params.get('cert_url')
+    path = module.params.get('cert_path')
+    port = module.params.get('cert_port')
+    cert_alias = module.params.get('cert_alias') or url
+
+    keystore_path = module.params.get('keystore_path')
+    keystore_pass = module.params.get('keystore_pass')
+    keystore_create = module.params.get('keystore_create')
+    executable = module.params.get('executable')
+    state = module.params.get('state')
+
+    if path and not cert_alias:
+        module.fail_json(changed=False,
+                         msg="Using local path import from %s requires alias argument."
+                         %(keystore_path))
+
+    test_keytool(module, executable)
+
+    if not keystore_create:
+        test_keystore(module, keystore_path)
+
+    cert_present = check_cert_present(module, executable, keystore_path,
+                                      keystore_pass, cert_alias)
+
+    if state == 'absent':
+        if cert_present:
+            delete_cert(module, executable, keystore_path, keystore_pass, cert_alias)
+
+    elif state == 'present':
+        if not cert_present:
+            if path:
+                import_cert_path(module, executable, path, keystore_path,
+                                 keystore_pass, cert_alias)
+
+            if url:
+                import_cert_url(module, executable, url, port, keystore_path,
+                                keystore_pass, cert_alias)
+
+    module.exit_json(changed=False)
+
+if __name__ == "__main__":
+    main()