mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
java_keystore: overwrite instead of fail when password or alias does not match (#2262)
* Overwrite instead of fail when password does not match. * Update documentation. * Fix tests. * Update plugins/modules/system/java_keystore.py Co-authored-by: Amin Vakil <info@aminvakil.com> * Fix documentation. * Apply suggestions from code review Co-authored-by: quidame <quidame@poivron.org> * Update tests/unit/plugins/modules/system/test_java_keystore.py * One more. Co-authored-by: Amin Vakil <info@aminvakil.com> Co-authored-by: quidame <quidame@poivron.org>
This commit is contained in:
parent
6a8eb7b388
commit
91a0264f38
4 changed files with 46 additions and 30 deletions
8
changelogs/fragments/2262-java_keystore-passphrase.yml
Normal file
8
changelogs/fragments/2262-java_keystore-passphrase.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
breaking_changes:
|
||||
- "java_keystore - instead of failing, now overwrites keystore if the alias (name) is changed.
|
||||
This was originally the intended behavior, but did not work due to a logic error. Make sure
|
||||
that your playbooks and roles do not depend on the old behavior of failing instead of
|
||||
overwriting (https://github.com/ansible-collections/community.general/issues/1671)."
|
||||
- "java_keystore - instead of failing, now overwrites keystore if the passphrase is changed.
|
||||
Make sure that your playbooks and roles do not depend on the old behavior of failing instead
|
||||
of overwriting (https://github.com/ansible-collections/community.general/issues/1671)."
|
|
@ -19,8 +19,9 @@ options:
|
|||
name:
|
||||
description:
|
||||
- Name of the certificate in the keystore.
|
||||
- If the provided name does not exist in the keystore, the module fails.
|
||||
This behavior will change in a next release.
|
||||
- If the provided name does not exist in the keystore, the module
|
||||
will re-create the keystore. This behavior changed in community.general 3.0.0,
|
||||
before that the module would fail when the name did not match.
|
||||
type: str
|
||||
required: true
|
||||
certificate:
|
||||
|
@ -60,7 +61,9 @@ options:
|
|||
description:
|
||||
- Password that should be used to secure the keystore.
|
||||
- If the provided password fails to unlock the keystore, the module
|
||||
fails. This behavior will change in a next release.
|
||||
will re-create the keystore with the new passphrase. This behavior
|
||||
changed in community.general 3.0.0, before that the module would fail
|
||||
when the password did not match.
|
||||
type: str
|
||||
required: true
|
||||
dest:
|
||||
|
@ -187,16 +190,11 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
|
|||
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(
|
||||
module, stored_certificate_fingerprint_cmd, environ_update=dict(STOREPASS=keystore_password))
|
||||
if rc != 0:
|
||||
# First intention was to not fail, and overwrite the keystore instead,
|
||||
# in case of alias mismatch; but an issue in error handling caused the
|
||||
# module to fail anyway.
|
||||
# See: https://github.com/ansible-collections/community.general/issues/1671
|
||||
# And: https://github.com/ansible-collections/community.general/pull/2183
|
||||
# if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias in stored_certificate_fingerprint_out:
|
||||
# return "alias mismatch"
|
||||
# if re.match(r'keytool error: java\.io\.IOException: [Kk]eystore( was tampered with, or)? password was incorrect',
|
||||
# stored_certificate_fingerprint_out):
|
||||
# return "password mismatch"
|
||||
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias in stored_certificate_fingerprint_out:
|
||||
return "alias mismatch"
|
||||
if re.match(r'keytool error: java\.io\.IOException: [Kk]eystore( was tampered with, or)? password was incorrect',
|
||||
stored_certificate_fingerprint_out):
|
||||
return "password mismatch"
|
||||
return module.fail_json(msg=stored_certificate_fingerprint_out,
|
||||
err=stored_certificate_fingerprint_err,
|
||||
cmd=stored_certificate_fingerprint_cmd,
|
||||
|
|
|
@ -64,7 +64,6 @@
|
|||
loop: "{{ java_keystore_new_certs }}"
|
||||
check_mode: yes
|
||||
register: result_alias_change_check
|
||||
when: false # FIXME: module currently crashes
|
||||
|
||||
- name: Create a Java keystore for the given certificates (alias changed)
|
||||
community.general.java_keystore:
|
||||
|
@ -72,7 +71,6 @@
|
|||
name: foobar
|
||||
loop: "{{ java_keystore_new_certs }}"
|
||||
register: result_alias_change
|
||||
when: false # FIXME: module currently crashes
|
||||
|
||||
|
||||
- name: Create a Java keystore for the given certificates (password changed, check mode)
|
||||
|
@ -83,7 +81,6 @@
|
|||
loop: "{{ java_keystore_new_certs }}"
|
||||
check_mode: yes
|
||||
register: result_pw_change_check
|
||||
when: false # FIXME: module currently crashes
|
||||
|
||||
- name: Create a Java keystore for the given certificates (password changed)
|
||||
community.general.java_keystore:
|
||||
|
@ -92,7 +89,6 @@
|
|||
password: hunter2
|
||||
loop: "{{ java_keystore_new_certs }}"
|
||||
register: result_pw_change
|
||||
when: false # FIXME: module currently crashes
|
||||
|
||||
- name: Check that the remote certificates have not been removed
|
||||
ansible.builtin.file:
|
||||
|
@ -117,7 +113,7 @@
|
|||
- result_idem_check is not changed
|
||||
- result_change is changed
|
||||
- result_change_check is changed
|
||||
# - result_alias_change is changed # FIXME: module currently crashes
|
||||
# - result_alias_change_check is changed # FIXME: module currently crashes
|
||||
# - result_pw_change is changed # FIXME: module currently crashes
|
||||
# - result_pw_change_check is changed # FIXME: module currently crashes
|
||||
- result_alias_change is changed
|
||||
- result_alias_change_check is changed
|
||||
- result_pw_change is changed
|
||||
- result_pw_change_check is changed
|
||||
|
|
|
@ -250,20 +250,34 @@ class TestCertChanged(ModuleTestCase):
|
|||
supports_check_mode=self.spec.supports_check_mode
|
||||
)
|
||||
|
||||
module.fail_json = Mock()
|
||||
|
||||
with patch('os.remove', return_value=True):
|
||||
self.create_file.side_effect = ['/tmp/placeholder']
|
||||
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''),
|
||||
(1, 'keytool error: java.lang.Exception: Alias <foo> does not exist', '')]
|
||||
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
|
||||
module.fail_json.assert_called_once_with(
|
||||
cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass:env", "STOREPASS", "-v"],
|
||||
msg='keytool error: java.lang.Exception: Alias <foo> does not exist',
|
||||
err='',
|
||||
rc=1
|
||||
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
|
||||
self.assertTrue(result, 'Alias mismatch detected')
|
||||
|
||||
def test_cert_changed_password_mismatch(self):
|
||||
set_module_args(dict(
|
||||
certificate='cert-foo',
|
||||
private_key='private-foo',
|
||||
dest='/path/to/keystore.jks',
|
||||
name='foo',
|
||||
password='changeit'
|
||||
))
|
||||
|
||||
module = AnsibleModule(
|
||||
argument_spec=self.spec.argument_spec,
|
||||
supports_check_mode=self.spec.supports_check_mode
|
||||
)
|
||||
|
||||
with patch('os.remove', return_value=True):
|
||||
self.create_file.side_effect = ['/tmp/placeholder']
|
||||
self.run_commands.side_effect = [(0, 'foo=abcd:1234:efgh', ''),
|
||||
(1, 'keytool error: java.io.IOException: Keystore password was incorrect', '')]
|
||||
result = cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
|
||||
self.assertTrue(result, 'Password mismatch detected')
|
||||
|
||||
def test_cert_changed_fail_read_cert(self):
|
||||
set_module_args(dict(
|
||||
certificate='cert-foo',
|
||||
|
|
Loading…
Reference in a new issue