get_certificate: add get_certificate_chain option (#784)

* Implement get_certificate_chain option. * Implement basic tests. * Add compatibility for current Python 3.13 pre-releases.
2026-05-07 13:53:06 +00:00 · 2024-07-10 21:51:30 +02:00
parent 4c26fada5e
commit d50c3cc944
3 changed files with 114 additions and 3 deletions
--- a/tests/integration/targets/get_certificate/tasks/main.yml
+++ b/tests/integration/targets/get_certificate/tasks/main.yml
@@ -10,6 +10,8 @@

 - set_fact:
    skip_tests: false
+    has_get_certificate_chain: >-
+      {{ ansible_facts.python_version is version('3.10.0', '>=') }}

 - block:

--- a/tests/integration/targets/get_certificate/tests/validate.yml
+++ b/tests/integration/targets/get_certificate/tests/validate.yml
@@ -123,6 +123,7 @@
    port: 443
    select_crypto_backend: "{{ select_crypto_backend }}"
    asn1_base64: true
+    get_certificate_chain: "{{ has_get_certificate_chain }}"
  register: result

 - assert:
@@ -130,6 +131,30 @@
      - result is not changed
      - result is not failed

+- name: Read CA cert
+  slurp:
+    src: '{{ remote_tmp_dir }}/temp.pem'
+  register: cacert
+  when: has_get_certificate_chain
+
+- name: Validate get_certificate_chain=true results
+  assert:
+    that:
+      - result.verified_chain is sequence
+      - result.unverified_chain is sequence
+      - result.verified_chain[0] == result.cert
+      - result.unverified_chain[0] == result.cert
+      - result.verified_chain[-1] == cacert.content | b64decode
+      - result.verified_chain == result.unverified_chain + [cacert.content | b64decode]
+  when: has_get_certificate_chain
+
+- name: Validate get_certificate_chain=false results
+  assert:
+    that:
+      - result.verified_chain is undefined
+      - result.unverified_chain is undefined
+  when: not has_get_certificate_chain
+
 - name: Generate bogus CA privatekey
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/bogus_ca.key'