From df86b9ec3daf27a0f5423518326485fcede91f83 Mon Sep 17 00:00:00 2001 From: Andrea Tartaglia Date: Tue, 26 Mar 2019 15:06:00 +0000 Subject: [PATCH] openssl_pkcs12: privatekey_path and friendly_name are not always required together (#54370) * Removed required_together, updated tests Since required_together: privatekey_path -> friendly_name, is not always required it has been removed. Updated openssl_pkcs12 integration tests to be in line with other openssl_* modules, and added a test for export with no privatekey_path. * linter fixes * Removed cryptography from tests * Added changelog fragment * Removed non-necessary select_crypto_backend --- ..._pkey_path_friendly_name_not_together.yaml | 2 + lib/ansible/modules/crypto/openssl_pkcs12.py | 5 - .../targets/openssl_pkcs12/tasks/impl.yml | 115 ++++++++++++++++++ .../targets/openssl_pkcs12/tasks/main.yml | 108 +--------------- .../targets/openssl_pkcs12/tests/validate.yml | 6 + 5 files changed, 127 insertions(+), 109 deletions(-) create mode 100644 changelogs/fragments/54370-openssl_pkcs12_pkey_path_friendly_name_not_together.yaml create mode 100644 test/integration/targets/openssl_pkcs12/tasks/impl.yml
diff --git a/changelogs/fragments/54370-openssl_pkcs12_pkey_path_friendly_name_not_together.yaml b/changelogs/fragments/54370-openssl_pkcs12_pkey_path_friendly_name_not_together.yaml
new file mode 100644
index 0000000000..da7eabcd7c
--- /dev/null
+++ b/changelogs/fragments/54370-openssl_pkcs12_pkey_path_friendly_name_not_together.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_pkcs12 - No need to specify ``privatekey_path`` when ``friendly_name`` is specified."
diff --git a/lib/ansible/modules/crypto/openssl_pkcs12.py b/lib/ansible/modules/crypto/openssl_pkcs12.py
index aa23ac757b..da6d584928 100644
--- a/lib/ansible/modules/crypto/openssl_pkcs12.py
+++ b/lib/ansible/modules/crypto/openssl_pkcs12.py
@@ -307,15 +307,10 @@ def main(): ['action', 'parse', ['src']], ] - required_together = [ - ['privatekey_path', 'friendly_name'], - ] - module = AnsibleModule( add_file_common_args=True, argument_spec=argument_spec, required_if=required_if, - required_together=required_together, supports_check_mode=True, ) diff --git a/test/integration/targets/openssl_pkcs12/tasks/impl.yml b/test/integration/targets/openssl_pkcs12/tasks/impl.yml new file mode 100644 index 0000000000..fa0c6f5b28 --- /dev/null +++ b/test/integration/targets/openssl_pkcs12/tasks/impl.yml 
@@ -0,0 +1,115 @@
+- block:
+ - name: 'Generate privatekey with'
+ openssl_privatekey:
+ path: "{{ output_dir }}/ansible_pkey.pem"
+
+ - name: 'Generate CSR with'
+ openssl_csr:
+ path: "{{ output_dir }}/ansible.csr"
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ commonName: 'www.ansible.com'
+
+ - name: 'Generate certificate'
+ openssl_certificate:
+ path: "{{ output_dir }}/ansible.crt"
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ csr_path: "{{ output_dir }}/ansible.csr"
+ provider: selfsigned
+
+ - name: 'Generate PKCS#12 file'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ register: p12_standard
+
+ - name: 'Generate PKCS#12 file (force)'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ force: True
+ register: p12_force
+
+ - name: 'Generate PKCS#12 file (force + change mode)'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ force: True
+ mode: 0644
+ register: p12_force_and_mode
+
+ - name: 'Dump PKCS#12'
+ openssl_pkcs12:
+ src: "{{ output_dir }}/ansible.p12"
+ path: "{{ output_dir }}/ansible_parse.pem"
+ action: 'parse'
+ state: 'present'
+
+ - name: Generate privatekey with password
+ openssl_privatekey:
+ path: '{{ output_dir }}/privatekeypw.pem'
+ passphrase: hunter2
+ cipher: auto
+ select_crypto_backend: cryptography
+
+ - name: 'Generate PKCS#12 file (password fail 1)'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible_pw1.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: "{{ output_dir }}/ansible_pkey.pem"
+ privatekey_passphrase: hunter2
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ ignore_errors: yes
+ register: passphrase_error_1
+
+ - name: 'Generate PKCS#12 file (password fail 2)'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible_pw2.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+ privatekey_passphrase: wrong_password
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ ignore_errors: yes
+ register: passphrase_error_2
+
+ - name: 'Generate PKCS#12 file (password fail 3)'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible_pw3.p12"
+ friendly_name: 'abracadabra'
+ privatekey_path: '{{ output_dir }}/privatekeypw.pem'
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ ignore_errors: yes
+ register: passphrase_error_3
+
+ - name: 'Generate PKCS#12 file, no privatekey'
+ openssl_pkcs12:
+ path: "{{ output_dir }}/ansible_no_pkey.p12"
+ friendly_name: 'abracadabra'
+ certificate_path: "{{ output_dir }}/ansible.crt"
+ state: present
+ register: p12_no_pkey
+
+ - import_tasks: ../tests/validate.yml
+
+ always:
+ - name: 'Delete PKCS#12 file'
+ openssl_pkcs12:
+ state: absent
+ path: '{{ output_dir }}/ansible.p12'
+ loop:
+ - 'ansible'
+ - 'ansible_no_pkey'
+ - 'ansible_pw1'
+ - 'ansible_pw2'
+ - 'ansible_pw3'
diff --git a/test/integration/targets/openssl_pkcs12/tasks/main.yml b/test/integration/targets/openssl_pkcs12/tasks/main.yml
index c9552441de..a11ba75a43 100644
--- a/test/integration/targets/openssl_pkcs12/tasks/main.yml
+++ b/test/integration/targets/openssl_pkcs12/tasks/main.yml
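Review bot: The `always` cleanup at the end of impl.yml loops over five base names but `path` is the constant `'{{ output_dir }}/ansible.p12'`, so `item` is never used and only `ansible.p12` is deleted (five times). Change it to `path: '{{ output_dir }}/{{ item }}.p12'` so `ansible_no_pkey.p12` and any `ansible_pw*.p12` that got written are removed too; no export task sets a PKCS#12 `passphrase`, so any key material in those files is stored unencrypted. The 'Generate privatekey with password' task still carries `select_crypto_backend: cryptography` although the commit message says it was removed, which looks like a leftover worth confirming since main.yml only gates on the pyOpenSSL version. `mode: 0644` would be safer quoted as `mode: '0644'` so it is not subject to YAML octal parsing.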
@@ -1,104 +1,4 @@ -- block: - - name: 'Generate privatekey' - openssl_privatekey: - path: "{{ output_dir }}/ansible_pkey.pem" - - - name: 'Generate CSR' - openssl_csr: - path: "{{ output_dir }}/ansible.csr" - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - commonName: 'www.ansible.com' - - - name: 'Generate certificate' - openssl_certificate: - path: "{{ output_dir }}/ansible.crt" - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - csr_path: "{{ output_dir }}/ansible.csr" - provider: selfsigned - - - name: 'Generate PKCS#12 file' - openssl_pkcs12: - path: "{{ output_dir }}/ansible.p12" - friendly_name: 'abracadabra' - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - certificate_path: "{{ output_dir }}/ansible.crt" - state: present - register: p12_standard - - - name: 'Generate PKCS#12 file (force)' - openssl_pkcs12: - path: "{{ output_dir }}/ansible.p12" - friendly_name: 'abracadabra' - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - certificate_path: "{{ output_dir }}/ansible.crt" - state: present - force: True - register: p12_force - - - name: 'Generate PKCS#12 file (force + change mode)' - openssl_pkcs12: - path: "{{ output_dir }}/ansible.p12" - friendly_name: 'abracadabra' - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - certificate_path: "{{ output_dir }}/ansible.crt" - state: present - force: True - mode: 0644 - register: p12_force_and_mode - - - name: 'Dump PKCS#12' - openssl_pkcs12: - src: "{{ output_dir }}/ansible.p12" - path: "{{ output_dir }}/ansible_parse.pem" - action: 'parse' - state: 'present' - - - name: Generate privatekey with password - openssl_privatekey: - path: '{{ output_dir }}/privatekeypw.pem' - passphrase: hunter2 - cipher: auto - select_crypto_backend: cryptography - - - name: 'Generate PKCS#12 file (password fail 1)' - openssl_pkcs12: - path: "{{ output_dir }}/ansible_pw1.p12" - friendly_name: 'abracadabra' - privatekey_path: "{{ output_dir }}/ansible_pkey.pem" - privatekey_passphrase: hunter2 - 
certificate_path: "{{ output_dir }}/ansible.crt" - state: present - ignore_errors: yes - register: passphrase_error_1 - - - name: 'Generate PKCS#12 file (password fail 2)' - openssl_pkcs12: - path: "{{ output_dir }}/ansible_pw2.p12" - friendly_name: 'abracadabra' - privatekey_path: '{{ output_dir }}/privatekeypw.pem' - privatekey_passphrase: wrong_password - certificate_path: "{{ output_dir }}/ansible.crt" - state: present - ignore_errors: yes - register: passphrase_error_2 - - - name: 'Generate PKCS#12 file (password fail 3)' - openssl_pkcs12: - path: "{{ output_dir }}/ansible_pw3.p12" - friendly_name: 'abracadabra' - privatekey_path: '{{ output_dir }}/privatekeypw.pem' - certificate_path: "{{ output_dir }}/ansible.crt" - state: present - ignore_errors: yes - register: passphrase_error_3 - - - import_tasks: ../tests/validate.yml - - always: - - name: 'Delete PKCS#12 file' - openssl_pkcs12: - state: absent - path: '{{ output_dir }}/ansible.p12' - - # this is the pyopenssl version on my laptop. - when: pyopenssl_version.stdout is version_compare('17.1.0', '>=') +--- +- name: Run tests + include_tasks: impl.yml + when: pyopenssl_version.stdout is version('17.1.0', '>=') diff --git a/test/integration/targets/openssl_pkcs12/tests/validate.yml b/test/integration/targets/openssl_pkcs12/tests/validate.yml index e0a318aad8..c2783b8017 100644 --- a/test/integration/targets/openssl_pkcs12/tests/validate.yml +++ b/test/integration/targets/openssl_pkcs12/tests/validate.yml 
@@ -7,11 +7,17 @@ command: "openssl pkcs12 -info -in {{ output_dir }}/ansible.p12 -nodes -passin pass:''" register: p12 +- name: 'Validate PKCS#12 with no private key' + command: "openssl pkcs12 -info -in {{ output_dir }}/ansible_no_pkey.p12 -nodes -passin pass:''" + register: p12_validate_no_pkey + - name: 'Validate PKCS#12 (assert)' assert: that: - p12.stdout_lines[2].split(':')[-1].strip() == 'abracadabra' - p12_standard.mode == '0400' + - p12_no_pkey.changed + - p12_validate_no_pkey.stdout_lines[-1] == '-----END CERTIFICATE-----' - p12_force.changed - p12_force_and_mode.mode == '0644' and p12_force_and_mode.changed
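Review bot: The added assertion `p12_validate_no_pkey.stdout_lines[-1] == '-----END CERTIFICATE-----'` only pins the last line of the `openssl pkcs12 -info` output, so it does not by itself establish that the key-less export contains no private key, and nothing checks that `friendly_name` was applied to that file, which is the case this commit enables. Consider adding `- "'PRIVATE KEY' not in p12_validate_no_pkey.stdout"` and `- "'abracadabra' in p12_validate_no_pkey.stdout"` to the `that:` list. The first validate task starts before the hunk and the assert list may continue past its end, so this is based on the visible lines only.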