Add x509_certificate_convert module. (#728)

2026-05-06 21:33:00 +00:00 · 2024-04-18 07:50:36 +02:00
parent ae548de502
commit 27a9ff14fb
13 changed files with 680 additions and 0 deletions
--- a/tests/integration/targets/x509_certificate_convert/aliases
+++ b/tests/integration/targets/x509_certificate_convert/aliases
@@ -0,0 +1,7 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/generic/2
+azp/posix/2
+destructive
--- a/tests/integration/targets/x509_certificate_convert/meta/main.yml
+++ b/tests/integration/targets/x509_certificate_convert/meta/main.yml
@@ -0,0 +1,9 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_openssl
+  - setup_remote_tmp_dir
+  - prepare_jinja2_compat
--- a/tests/integration/targets/x509_certificate_convert/tasks/impl.yml
+++ b/tests/integration/targets/x509_certificate_convert/tasks/impl.yml
@@ -0,0 +1,212 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Read PEM cert
+  slurp:
+    src: '{{ remote_tmp_dir }}/cert_2.pem'
+  register: slurp_pem
+
+- name: Read DER cert
+  slurp:
+    src: '{{ remote_tmp_dir }}/cert_2.der'
+  register: slurp_der
+
+- name: Convert PEM cert (check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_1
+  check_mode: true
+
+- name: Convert PEM cert
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_2
+
+- name: Convert PEM cert (idempotent, check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_3
+  check_mode: true
+
+- name: Convert PEM cert (idempotent)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_4
+
+- name: Convert PEM cert (overwrite, check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_5
+  check_mode: true
+
+- name: Convert PEM cert (overwrite)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.pem'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_6
+
+- name: Convert PEM cert (idempotent, content)
+  x509_certificate_convert:
+    src_content: '{{ slurp_pem.content | b64decode }}'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_7
+
+- name: Convert PEM cert (idempotent, content, base64)
+  x509_certificate_convert:
+    src_content: '{{ slurp_pem.content }}'
+    src_content_base64: true
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_8
+
+- name: Convert PEM cert (idempotent, content, base64, from DER)
+  x509_certificate_convert:
+    src_content: '{{ slurp_der.content }}'
+    src_content_base64: true
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_9
+
+- name: Convert PEM cert (idempotent, from DER)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.der'
+    format: pem
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.pem'
+  register: result_10
+
+- name: Check conditions
+  assert:
+    that:
+      - result_1 is changed
+      - result_2 is changed
+      - result_3 is not changed
+      - result_4 is not changed
+      - result_5 is changed
+      - result_6 is changed
+      - result_7 is not changed
+      - result_8 is not changed
+      - result_9 is not changed
+      - result_10 is not changed
+
+- name: Convert DER cert (check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_1
+  check_mode: true
+
+- name: Convert DER cert
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_2
+
+- name: Convert DER cert (idempotent, check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_3
+  check_mode: true
+
+- name: Convert DER cert (idempotent)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_1.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_4
+
+- name: Convert DER cert (overwrite, check mode)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_5
+  check_mode: true
+
+- name: Convert DER cert (overwrite)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.der'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_6
+
+- name: Convert DER cert (idempotent, content, base64)
+  x509_certificate_convert:
+    src_content: '{{ slurp_der.content }}'
+    src_content_base64: true
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_7
+
+- name: Convert DER cert (idempotent, content, from PEM)
+  x509_certificate_convert:
+    src_content: '{{ slurp_pem.content | b64decode }}'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_8
+
+- name: Convert DER cert (idempotent, content, base64, from PEM)
+  x509_certificate_convert:
+    src_content: '{{ slurp_pem.content }}'
+    src_content_base64: true
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_9
+
+- name: Convert DER cert (idempotent, from PEM)
+  x509_certificate_convert:
+    src_path: '{{ remote_tmp_dir }}/cert_2.pem'
+    format: der
+    strict: true
+    dest_path: '{{ remote_tmp_dir }}/out_1.der'
+  register: result_10
+
+- name: Check conditions
+  assert:
+    that:
+      - result_1 is changed
+      - result_2 is changed
+      - result_3 is not changed
+      - result_4 is not changed
+      - result_5 is changed
+      - result_6 is changed
+      - result_7 is not changed
+      - result_8 is not changed
+      - result_9 is not changed
+      - result_10 is not changed
--- a/tests/integration/targets/x509_certificate_convert/tasks/main.yml
+++ b/tests/integration/targets/x509_certificate_convert/tasks/main.yml
@@ -0,0 +1,136 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Generate privatekey
+  openssl_privatekey:
+    path: '{{ remote_tmp_dir }}/privatekey.pem'
+    size: '{{ default_rsa_key_size_certifiates }}'
+
+- name: Generate CSR 1
+  openssl_csr:
+    path: '{{ remote_tmp_dir }}/csr_1.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    subject:
+      commonName: www.example.com
+      C: de
+      L: Somewhere
+      ST: Zurich
+      streetAddress: Welcome Street
+      O: Ansible
+      organizationalUnitName:
+        - Crypto Department
+        - ACME Department
+      serialNumber: "1234"
+      SN: Last Name
+      GN: First Name
+      title: Chief
+      pseudonym: test
+      UID: asdf
+      emailAddress: test@example.com
+      postalAddress: 1234 Somewhere
+      postalCode: "1234"
+    useCommonNameForSAN: false
+    key_usage:
+      - digitalSignature
+      - keyAgreement
+      - Non Repudiation
+      - Key Encipherment
+      - dataEncipherment
+      - Certificate Sign
+      - cRLSign
+      - Encipher Only
+      - decipherOnly
+    key_usage_critical: true
+    extended_key_usage:
+      - serverAuth  # the same as "TLS Web Server Authentication"
+      - TLS Web Server Authentication
+      - TLS Web Client Authentication
+      - Code Signing
+      - E-mail Protection
+      - timeStamping
+      - OCSPSigning
+      - Any Extended Key Usage
+      - qcStatements
+      - DVCS
+      - IPSec User
+      - biometricInfo
+    subject_alt_name:
+      - "DNS:www.ansible.com"
+      - "DNS:öç.com"
+      # cryptography < 2.1 cannot handle certain Unicode characters
+      - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com"
+      - "IP:1.2.3.4"
+      - "IP:::1"
+      - "email:test@example.org"
+      - "URI:https://example.org/test/index.html"
+    basic_constraints:
+      - "CA:TRUE"
+      - "pathlen:23"
+    basic_constraints_critical: true
+    ocsp_must_staple: true
+    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+
+- name: Generate CSR 2
+  openssl_csr:
+    path: '{{ remote_tmp_dir }}/csr_2.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    useCommonNameForSAN: false
+    basic_constraints:
+      - "CA:TRUE"
+
+- name: Generate CSR 3
+  openssl_csr:
+    path: '{{ remote_tmp_dir }}/csr_3.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    useCommonNameForSAN: false
+    subject_alt_name:
+      - "DNS:*.ansible.com"
+      - "DNS:*.example.org"
+      - "IP:DEAD:BEEF::1"
+    basic_constraints:
+      - "CA:FALSE"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+  vars:
+    value_for_authority_cert_issuer:
+      - "DNS:ca.example.org"
+      - "IP:1.2.3.4"
+
+- name: Generate selfsigned certificates
+  x509_certificate:
+    path: '{{ remote_tmp_dir }}/cert_{{ item }}.pem'
+    csr_path: '{{ remote_tmp_dir }}/csr_{{ item }}.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "+10d"
+    selfsigned_not_before: "-3d"
+  loop:
+  - 1
+  - 2
+  - 3
+
+- name: Convert PEM files to DER
+  command:
+    cmd: openssl x509 -inform PEM -outform DER -in {{ remote_tmp_dir }}/cert_{{ item }}.pem -out {{ remote_tmp_dir }}/cert_{{ item }}.der
+  loop:
+  - 1
+  - 2
+  - 3
+
+- name: Running tests
+  include_tasks: impl.yml
--- a/tests/sanity/ignore-2.10.txt
+++ b/tests/sanity/ignore-2.10.txt
@@ -15,6 +15,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:return-syntax-error
--- a/tests/sanity/ignore-2.11.txt
+++ b/tests/sanity/ignore-2.11.txt
@@ -14,6 +14,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:return-syntax-error
--- a/tests/sanity/ignore-2.12.txt
+++ b/tests/sanity/ignore-2.12.txt
@@ -9,6 +9,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:return-syntax-error
--- a/tests/sanity/ignore-2.13.txt
+++ b/tests/sanity/ignore-2.13.txt
@@ -8,6 +8,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl_info.py validate-modules:invalid-documentation
--- a/tests/sanity/ignore-2.14.txt
+++ b/tests/sanity/ignore-2.14.txt
@@ -8,6 +8,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl_info.py validate-modules:invalid-documentation
--- a/tests/sanity/ignore-2.9.txt
+++ b/tests/sanity/ignore-2.9.txt
@@ -14,6 +14,7 @@ plugins/modules/openssl_csr_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_csr_pipe.py validate-modules:invalid-documentation
 plugins/modules/openssl_privatekey_info.py validate-modules:invalid-documentation
 plugins/modules/openssl_publickey_info.py validate-modules:invalid-documentation
+plugins/modules/x509_certificate_convert.py validate-modules:invalid-documentation
 plugins/modules/x509_certificate_info.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:invalid-documentation
 plugins/modules/x509_crl.py validate-modules:return-syntax-error