x509_certificate: fix time idempotence (#754)

* Fix time idempotence. * Lint and add changelog fragment. * Add tests. * Make sure 'ignore_timestamps: false' is passed for time idempotence tests; pass right private key for OwnCA tests
2026-05-07 05:43:06 +00:00 · 2024-05-11 16:04:41 +02:00
parent 29ac3cbe81
commit f43fa94549
8 changed files with 72 additions and 6 deletions
--- a/plugins/module_utils/crypto/module_backends/certificate_entrust.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_entrust.py
@@ -47,7 +47,12 @@ class EntrustCertificateBackend(CertificateBackend):
    def __init__(self, module, backend):
        super(EntrustCertificateBackend, self).__init__(module, backend)
        self.trackingId = None
-        self.notAfter = get_relative_time_option(module.params['entrust_not_after'], 'entrust_not_after', backend=self.backend)
+        self.notAfter = get_relative_time_option(
+            module.params['entrust_not_after'],
+            'entrust_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )

        if self.csr_content is None and self.csr_path is None:
            raise CertificateError(
--- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py
@@ -26,6 +26,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    CRYPTOGRAPHY_TIMEZONE,
    cryptography_compare_public_keys,
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
@@ -62,8 +63,18 @@ class OwnCACertificateBackendCryptography(CertificateBackend):

        self.create_subject_key_identifier = module.params['ownca_create_subject_key_identifier']
        self.create_authority_key_identifier = module.params['ownca_create_authority_key_identifier']
-        self.notBefore = get_relative_time_option(module.params['ownca_not_before'], 'ownca_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(module.params['ownca_not_after'], 'ownca_not_after', backend=self.backend)
+        self.notBefore = get_relative_time_option(
+            module.params['ownca_not_before'],
+            'ownca_not_before',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
+        self.notAfter = get_relative_time_option(
+            module.params['ownca_not_after'],
+            'ownca_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
        self.digest = select_message_digest(module.params['ownca_digest'])
        self.version = module.params['ownca_version']
        self.serial_number = x509.random_serial_number()
--- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
@@ -18,6 +18,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
+    CRYPTOGRAPHY_TIMEZONE,
    cryptography_key_needs_digest_for_signing,
    cryptography_serial_number_of_cert,
    cryptography_verify_certificate_signature,
@@ -51,8 +52,18 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
        super(SelfSignedCertificateBackendCryptography, self).__init__(module, 'cryptography')

        self.create_subject_key_identifier = module.params['selfsigned_create_subject_key_identifier']
-        self.notBefore = get_relative_time_option(module.params['selfsigned_not_before'], 'selfsigned_not_before', backend=self.backend)
-        self.notAfter = get_relative_time_option(module.params['selfsigned_not_after'], 'selfsigned_not_after', backend=self.backend)
+        self.notBefore = get_relative_time_option(
+            module.params['selfsigned_not_before'],
+            'selfsigned_not_before',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
+        self.notAfter = get_relative_time_option(
+            module.params['selfsigned_not_after'],
+            'selfsigned_not_after',
+            backend=self.backend,
+            with_timezone=CRYPTOGRAPHY_TIMEZONE,
+        )
        self.digest = select_message_digest(module.params['selfsigned_digest'])
        self.version = module.params['selfsigned_version']
        self.serial_number = x509.random_serial_number()