ACME modules: simplify code, refactor argspec handling code, move csr/csr_content to own docs fragment (#750)

* Fix bug in argspec module util. * Move csr / csr_content to new docs fragment. * Simplify code. * Refactor ACME argspec creation. Add with_certificate argument for new CERTIFICATE docs fragment.
2026-05-06 05:12:54 +00:00 · 2024-05-05 14:37:52 +02:00
parent f3c9cb7a8a
commit aa82575a78
5 changed files with 72 additions and 55 deletions
--- a/plugins/module_utils/acme/acme.py
+++ b/plugins/module_utils/acme/acme.py
@@ -420,45 +420,60 @@ class ACMEClient(object):
        return data


-def get_default_argspec(with_account=True):
+def get_default_argspec():
    '''
    Provides default argument spec for the options documented in the acme doc fragment.
+
+    DEPRECATED: will be removed in community.crypto 3.0.0
    '''
-    argspec = dict(
+    return dict(
        acme_directory=dict(type='str', required=True),
        acme_version=dict(type='int', required=True, choices=[1, 2]),
        validate_certs=dict(type='bool', default=True),
        select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
        request_timeout=dict(type='int', default=10),
+        account_key_src=dict(type='path', aliases=['account_key']),
+        account_key_content=dict(type='str', no_log=True),
+        account_key_passphrase=dict(type='str', no_log=True),
+        account_uri=dict(type='str'),
    )
-    if with_account:
-        argspec.update(dict(
-            account_key_src=dict(type='path', aliases=['account_key']),
-            account_key_content=dict(type='str', no_log=True),
-            account_key_passphrase=dict(type='str', no_log=True),
-            account_uri=dict(type='str'),
-        ))
-    return argspec


-def create_default_argspec(with_account=True, require_account_key=True):
+def create_default_argspec(
+    with_account=True,
+    require_account_key=True,
+    with_certificate=False,
+):
    '''
    Provides default argument spec for the options documented in the acme doc fragment.
    '''
    result = ArgumentSpec(
-        get_default_argspec(with_account=with_account),
+        argument_spec=dict(
+            acme_directory=dict(type='str', required=True),
+            acme_version=dict(type='int', required=True, choices=[1, 2]),
+            validate_certs=dict(type='bool', default=True),
+            select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']),
+            request_timeout=dict(type='int', default=10),
+        ),
    )
    if with_account:
+        result.update_argspec(
+            account_key_src=dict(type='path', aliases=['account_key']),
+            account_key_content=dict(type='str', no_log=True),
+            account_key_passphrase=dict(type='str', no_log=True),
+            account_uri=dict(type='str'),
+        )
        if require_account_key:
-            result.update(
-                required_one_of=[
-                    ['account_key_src', 'account_key_content'],
-                ],
-            )
+            result.update(required_one_of=[['account_key_src', 'account_key_content']])
+        result.update(mutually_exclusive=[['account_key_src', 'account_key_content']])
+    if with_certificate:
+        result.update_argspec(
+            csr=dict(type='path'),
+            csr_content=dict(type='str'),
+        )
        result.update(
-            mutually_exclusive=[
-                ['account_key_src', 'account_key_content'],
-            ],
+            required_one_of=[['csr', 'csr_content']],
+            mutually_exclusive=[['csr', 'csr_content']],
        )
    return result

--- a/plugins/module_utils/acme/challenges.py
+++ b/plugins/module_utils/acme/challenges.py
@@ -103,7 +103,7 @@ class Challenge(object):
            # https://tools.ietf.org/html/rfc8555#section-8.4
            resource = '_acme-challenge'
            value = nopad_b64(hashlib.sha256(to_bytes(key_authorization)).digest())
-            record = (resource + identifier[1:]) if identifier.startswith('*.') else '{0}.{1}'.format(resource, identifier)
+            record = '{0}.{1}'.format(resource, identifier[2:] if identifier.startswith('*.') else identifier)
            return {
                'resource': resource,
                'resource_value': value,
--- a/plugins/module_utils/argspec.py
+++ b/plugins/module_utils/argspec.py
@@ -47,7 +47,7 @@ class ArgumentSpec:
        return self

    def merge(self, other):
-        self.update_argspec(other.argument_spec)
+        self.update_argspec(**other.argument_spec)
        self.update(
            mutually_exclusive=other.mutually_exclusive,
            required_together=other.required_together,