Add acme_certificate_renewal_info module (#746)

* Allow to provide cert_info object to get_renewal_info(). * Add acme_certificate_renewal_info module. * Allow to provide value for 'now'. * Actually append msg_append. * Fix bug in module timestamp param parsing, and add tests.
2026-05-07 22:03:01 +00:00 · 2024-05-04 15:47:42 +02:00
parent 0a15be1017
commit 59606d48ad
10 changed files with 492 additions and 1 deletions
--- a/tests/integration/targets/acme_certificate_renewal_info/aliases
+++ b/tests/integration/targets/acme_certificate_renewal_info/aliases
@@ -0,0 +1,10 @@
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+azp/generic/1
+azp/posix/1
+cloud/acme
+
+# For some reason connecting to helper containers does not work on the Alpine VMs
+skip/alpine
--- a/tests/integration/targets/acme_certificate_renewal_info/meta/main.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/meta/main.yml
@@ -0,0 +1,8 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependencies:
+  - setup_acme
+  - setup_remote_tmp_dir
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/impl.yml
@@ -0,0 +1,114 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+## SET UP ACCOUNT KEYS ########################################################################
+- block:
+  - name: Generate account keys
+    openssl_privatekey:
+      path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
+      type: "{{ item.type }}"
+      size: "{{ item.size | default(omit) }}"
+      curve: "{{ item.curve | default(omit) }}"
+      force: true
+    loop: "{{ account_keys }}"
+
+  vars:
+    account_keys:
+      - name: account-ec256
+        type: ECC
+        curve: secp256r1
+## CREATE ACCOUNTS AND OBTAIN CERTIFICATES ####################################################
+- name: Obtain cert 1
+  include_tasks: obtain-cert.yml
+  vars:
+    certgen_title: Certificate 1 for renewal check
+    certificate_name: cert-1
+    key_type: rsa
+    rsa_bits: "{{ default_rsa_key_size }}"
+    subject_alt_name: "DNS:example.com"
+    subject_alt_name_critical: false
+    account_key: account-ec256
+    challenge: http-01
+    modify_account: true
+    deactivate_authzs: false
+    force: true
+    remaining_days: "{{ omit }}"
+    terms_agreed: true
+    account_email: "example@example.org"
+## OBTAIN CERTIFICATE INFOS ###################################################################
+- name: Obtain certificate information
+  x509_certificate_info:
+    path: "{{ remote_tmp_dir }}/cert-1.pem"
+  register: cert_1_info
+- name: Read certificate
+  slurp:
+    src: '{{ remote_tmp_dir }}/cert-1.pem'
+  register: slurp_cert_1
+- name: Obtain certificate information (1/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    # Certificate is valid for ~1826 days
+  register: cert_1_renewal_1
+- name: Obtain certificate information (2/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    # Certificate is valid for ~1826 days
+    remaining_days: 1000
+    remaining_percentage: 0.5
+  register: cert_1_renewal_2
+- name: Obtain certificate information (3/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_content: "{{ slurp_cert_1.content | b64decode }}"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    now: +1800d
+    # Certificate is valid for ~26 days
+  register: cert_1_renewal_3
+- name: Obtain certificate information (4/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    now: +1800d
+    # Certificate is valid for ~26 days
+    remaining_days: 30
+    remaining_percentage: 0.1
+  register: cert_1_renewal_4
+- name: Obtain certificate information (5/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    now: +1800d
+    # Certificate is valid for ~26 days
+    remaining_days: 30
+    remaining_percentage: 0.01
+  register: cert_1_renewal_5
+- name: Obtain certificate information (6/6)
+  acme_certificate_renewal_info:
+    select_crypto_backend: "{{ select_crypto_backend }}"
+    certificate_path: "{{ remote_tmp_dir }}/cert-1.pem"
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: false
+    now: +1800d
+    # Certificate is valid for ~26 days
+    remaining_days: 10
+    remaining_percentage: 0.03
+  register: cert_1_renewal_6
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- block:
+  - name: Running tests with OpenSSL backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: openssl
+
+  - import_tasks: ../tests/validate.yml
+
+  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
+  when: openssl_version.stdout is version('1.0.0', '>=')
+
+- name: Remove output directory
+  file:
+    path: "{{ remote_tmp_dir }}"
+    state: absent
+
+- name: Re-create output directory
+  file:
+    path: "{{ remote_tmp_dir }}"
+    state: directory
+
+- block:
+  - name: Running tests with cryptography backend
+    include_tasks: impl.yml
+    vars:
+      select_crypto_backend: cryptography
+
+  - import_tasks: ../tests/validate.yml
+
+  when: cryptography_version.stdout is version('1.5', '>=')
--- a/tests/integration/targets/acme_certificate_renewal_info/tasks/obtain-cert.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/obtain-cert.yml
@@ -0,0 +1 @@
+../../setup_acme/tasks/obtain-cert.yml
--- a/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
+++ b/tests/integration/targets/acme_certificate_renewal_info/tests/validate.yml
@@ -0,0 +1,28 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Validate results
+  assert:
+    that:
+      - cert_1_renewal_1.should_renew == false
+      - cert_1_renewal_1.msg == 'The certificate is still valid and no condition was reached'
+      - cert_1_renewal_1.supports_ari == supports_ari
+      - cert_1_renewal_2.should_renew == false
+      - cert_1_renewal_2.msg == 'The certificate is still valid and no condition was reached'
+      - cert_1_renewal_2.supports_ari == supports_ari
+      - cert_1_renewal_3.should_renew == false
+      - cert_1_renewal_3.msg == 'The certificate is still valid and no condition was reached'
+      - cert_1_renewal_3.supports_ari == supports_ari
+      - cert_1_renewal_4.should_renew == true
+      - cert_1_renewal_4.msg == 'The certificate expires in 25 days'
+      - cert_1_renewal_4.supports_ari == supports_ari
+      - cert_1_renewal_5.should_renew == true
+      - cert_1_renewal_5.msg == 'The certificate expires in 25 days'
+      - cert_1_renewal_5.supports_ari == supports_ari
+      - cert_1_renewal_6.should_renew == true
+      - cert_1_renewal_6.msg.startswith("The remaining percentage 3.0% of the certificate's lifespan was reached on ")
+      - cert_1_renewal_6.supports_ari == supports_ari
+  vars:
+    supports_ari: false