internet/community.crypto
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.crypto.git synced 2026-05-06 13:22:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: internet:2.3.2
Branches Tags
internet:main internet:stable-2 internet:gh-pages internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0
...
compare: internet:2.11.0
Branches Tags
internet:main internet:stable-2 internet:gh-pages internet:stable-1
internet:3.2.0 internet:3.1.1 internet:2.26.7 internet:3.1.0 internet:3.0.5 internet:2.26.6 internet:3.0.4 internet:3.0.3 internet:2.26.5 internet:3.0.2 internet:2.26.4 internet:3.0.1 internet:3.0.0 internet:3.0.0-rc1 internet:2.26.3 internet:3.0.0-a2 internet:2.26.2 internet:3.0.0-a1 internet:2.26.1 internet:2.26.0 internet:2.25.0 internet:2.24.0 internet:2.23.0 internet:2.22.3 internet:2.22.2 internet:2.22.1 internet:2.22.0 internet:1.9.26 internet:2.21.1 internet:2.21.0 internet:1.9.25 internet:2.20.0 internet:2.19.1 internet:2.19.0 internet:2.18.0 internet:2.17.1 internet:1.9.24 internet:2.17.0 internet:2.16.2 internet:2.16.1 internet:2.16.0 internet:1.9.23 internet:2.15.1 internet:2.15.0 internet:2.14.1 internet:1.9.22 internet:2.14.0 internet:2.13.1 internet:2.13.0 internet:2.12.0 internet:1.9.21 internet:2.11.1 internet:2.11.0 internet:2.10.0 internet:1.9.20 internet:2.9.0 internet:2.8.1 internet:2.8.0 internet:1.9.19 internet:2.7.1 internet:2.7.0 internet:2.6.0 internet:2.5.0 internet:2.4.0 internet:1.9.18 internet:2.3.4 internet:1.9.17 internet:2.3.2 internet:1.9.16 internet:2.3.1 internet:1.9.15 internet:2.3.0 internet:1.9.14 internet:2.2.4 internet:2.2.3 internet:1.9.13 internet:2.2.2 internet:1.9.12 internet:2.2.1 internet:1.9.11 internet:2.2.0 internet:1.9.10 internet:1.9.9 internet:2.1.0 internet:2.0.2 internet:1.9.8 internet:2.0.1 internet:1.9.7 internet:2.0.0 internet:1.9.6 internet:1.9.5 internet:1.9.4 internet:1.9.3 internet:1.9.2 internet:1.9.0 internet:1.9.1 internet:1.8.0 internet:1.7.1 internet:1.7.0 internet:1.6.2 internet:1.6.1 internet:1.6.0 internet:1.5.0 internet:1.4.0 internet:1.3.0 internet:1.2.0 internet:1.1.1 internet:1.1.0 internet:1.0.0 internet:0.1.0

123 Commits
2.3.2 ... 2.11.0

Author SHA1 Message Date
Felix Fontein
d4509bce5f Release 2.11.0. 2023-02-23 09:28:13 +01:00
Austin Lane
ced0e30506 EL9 - Retrieve python3-pyOpenSSL from epel (#575) 
* EL9 - pull python3-pyOpenSSL from epel

* Incorporate bindep changes from felixfontein

Co-authored-by: Felix Fontein <felix@fontein.de>

* Add changelog fragment for PR #575

* Update changelog fragment.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2023-02-22 23:16:26 +01:00
Felix Fontein
2fb543b144 Normalize bools in tests. (#577) 2023-02-15 22:23:36 +01:00
Felix Fontein
b08f6eefe8 Remove unnecessary test imports. (#576) 2023-02-12 20:59:55 +01:00
Felix Fontein
65d1881f12 Prepare 2.11.0 release. 2023-02-10 21:02:11 +01:00
dlehrman
b000491514 Support Custom Cipher Selection (#571) 
* Enable custom cipher selection for get_certificate

* get_certificate ciphers desc grammar fix

Co-authored-by: Felix Fontein <felix@fontein.de>

* get_certificate ciphers desc grammar fix

Co-authored-by: Felix Fontein <felix@fontein.de>

* get_certificate ciphers include version_added

Co-authored-by: Felix Fontein <felix@fontein.de>

* Add changelog fragment

* Fail if ciphers is set and Python < 2.7.9

* Standardize ciphers conditionals in get_certificate

Co-authored-by: Felix Fontein <felix@fontein.de>

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
 2023-02-10 21:01:13 +01:00
Felix Fontein
70c4585b88 Fix deprecation handling. (#572) 2023-02-09 15:36:23 +01:00
Felix Fontein
aea3713484 Remove unneccessary imports (#569) 
* Remove unneccessary imports.

* Add noqas.

* Add comment which name is actually ignored.
 2023-02-09 11:57:54 +01:00
Felix Fontein
7f040011f0 Document PSF-2.0 license in galaxy.yml. (#567) 2023-01-31 21:31:30 +01:00
Felix Fontein
c6429eae4f Fix acme_inspect tests. (#565) 2023-01-22 22:41:12 +01:00
Felix Fontein
d2a30d2801 Update CI matrix. (#562) 2023-01-07 12:46:05 +01:00
Felix Fontein
a122be7942 Update CI matrix. (#562) 2023-01-07 12:45:52 +01:00
Felix Fontein
61f431dff3 Next expected release is 2.11.0. 2023-01-02 20:20:50 +01:00
Felix Fontein
b19c83578d Release 2.10.0. 2023-01-02 19:54:30 +01:00
Felix Fontein
ddfb18b609 openssl_csr: fix bad tests, avoid accepting invalid crl_distribution_points records (#560) 
* Improve error handling.

* Remove invalid tests.

* Add changelog fragment.

* Fix tests.

* Improve exception catching.

Co-authored-by: Kristian Heljas <11139388+kristianheljas@users.noreply.github.com>

* Prevent empty full_name.

* Fix condition. Make sure errors are caught.

* Add more checks.

Co-authored-by: Kristian Heljas <11139388+kristianheljas@users.noreply.github.com>
 2023-01-02 14:52:59 +00:00
Felix Fontein
095434a4c1 Prepare 2.10.0 release. 2022-12-31 18:05:12 +01:00
Felix Fontein
8a80ced4b8 Add openssl_privatekey_info filter (#555) 
* Add openssl_privatekey_info filter.

* Update description.
 2022-12-31 17:45:45 +01:00
Felix Fontein
ef2bb6d510 Add openssl_csr_info ilter. (#554) 2022-12-31 07:58:37 +01:00
Felix Fontein
889cfdf47e Add openssl_publickey_info filter. (#556) 2022-12-31 07:56:54 +01:00
Felix Fontein
c173449c46 Add x509_crl_info filter (#558) 
* Add x509_crl_info filter.

* Work around bugs in Ansible 2.9 and ansible-base 2.10.
 2022-12-31 07:56:34 +01:00
Felix Fontein
c08bae8308 Add x509_certificate_info filter. (#557) 2022-12-31 07:56:11 +01:00
Felix Fontein
80f7b084c0 Add filter module base, prepare adding filters (#553) 
* Improve string handling.

* Cleanup tests.

* Add filter module mock.
 2022-12-30 20:44:13 +01:00
Felix Fontein
5d24d04adf Fix crash when public key cannot be parsed. (#551) 2022-12-28 18:28:50 +01:00
Felix Fontein
7cc9a70e43 Add split_pem filter (#549) 
* Add split_pem filter.

* Fix documentation.

* Python 2.7.

* Improve error message matching.

Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>

Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
 2022-12-27 21:57:20 +01:00
Felix Fontein
5ddfb2c2ca CI: balance groups (#548) 
* Show timings with devel, and skip everything else.

* Move to other group.

* Try smaller SSH key size (i.e. make tests run faster).

* Add implicit size that now must be explicit.

* Change group of luks_device.

* Revert "Show timings with devel, and skip everything else."

This reverts commit 7b73f7e4d7.
 2022-12-21 08:12:53 +01:00
Felix Fontein
242c15bf4c Make sure that iteration_count=1000 is not used with algorithm=argon* (which is SLOW and takes around 10 minutes). (#546) 2022-12-20 20:01:26 +01:00
Felix Fontein
867f407401 CI: improve CI matrix, split into two groups (#544) 
* Prepare having more than one group.

* Remove duplicates; add CentOS Stream 8 with Python 3.6.

* Split up tests into two groups.
 2022-12-20 12:57:53 +01:00
Felix Fontein
54f49f38f2 Improve docsite build. 2022-12-18 21:50:28 +01:00
Felix Fontein
83d2a782f6 Switch to my fork of ansible-test-gh-action. 2022-12-18 09:53:58 +01:00
Felix Fontein
d6dd8e0d45 The ansible-test patch has been backported to stable-2.12. 2022-12-17 19:39:06 +01:00
Felix Fontein
9029f8ce34 Fix CI name. 2022-12-12 21:28:19 +01:00
Felix Fontein
ca23b2ed9a Improve CI (#539) 
* Update CI scripts to be more close to the ones in ansible-core.

* Extend CI matrix.

* Mark more VMs.

* Revert "Mark more VMs."

This reverts commit 8bc79af636.

* Disable alpine VMs for get_certificate due to httptester problems.

* Improve retrieval of cryptsetup version.

* ACME 'emulator' won't work on Alpine either.

* Improve luks test setup.

* Make sure wipefs is installed on Alpine.

* dmsetup (from device-mapper) is used by the tests.

* Fix bcrypt install failure handling.

* String, not float.

* openssl_privatekey_convert is not an action module.

* Update Python info.

* Try out which VMs can be used by now.

* Enable ACME tests on all VMs but Alpine; update comment.

* Adjust acme-tiny shebang.

* Remove new entries from CI matrix.
 2022-12-11 19:55:47 +01:00
Felix Fontein
664f34f2ac Mark x509_certificate-acme test as target test. 2022-12-09 23:10:26 +01:00
Felix Fontein
1c2c404ca9 Bump CentOS Stream 8 Python from 3.8 to 3.9. (#540) 2022-12-09 14:58:03 +01:00
Felix Fontein
eef4df9063 Allow triggering docs workflow manually. 2022-12-07 19:54:22 +01:00
Felix Fontein
176da44faf Backports to stable-2.13 and stable-2.14 have been merged. (#537) 
https://github.com/ansible/ansible/pull/79538
https://github.com/ansible/ansible/pull/79507
 2022-12-07 08:59:00 +01:00
Felix Fontein
619d7d1dfe Improve CI image selection. (#536) 2022-12-03 15:31:03 +01:00
Felix Fontein
2eab4ec19c Switch CI from ubuntu-latest to ubuntu-20.04 to avoid problems with ansible-test from ansible-core 2.12, 2.13, 2.14. (#535) 2022-12-01 23:01:49 +01:00
Felix Fontein
05eff13ec8 ansible-core 2.11 is EOL. Move CI runs to GHA. (#534) 2022-11-27 22:44:07 +01:00
Felix Fontein
4d28266eba Use proposed new options for ansible-test-gh-action. (#533) 2022-11-27 21:04:52 +01:00
Felix Fontein
ba9c50c358 Next expected release is 2.10.0. 2022-11-27 18:55:12 +01:00
Felix Fontein
e1e5dfccc1 Release 2.9.0. 2022-11-27 18:15:33 +01:00
Felix Fontein
1097371cf4 Be more precise about which private keys are supported in openssl_publickey. (#532) 2022-11-27 18:13:59 +01:00
Felix Fontein
0b08d6bc52 Include collection name into docs workflows. 2022-11-27 17:44:19 +01:00
Felix Fontein
72ed39a481 Reference documentation in README. 2022-11-26 09:53:59 +01:00
Felix Fontein
d4683d941f Add GH Pages publishing. 2022-11-26 09:38:36 +01:00
Felix Fontein
f853108d69 Prepare 2.9.0 release. 2022-11-17 12:43:40 +01:00
Felix Fontein
045ff10826 Allow changelog fragments with .yaml ending. 2022-11-17 12:41:33 +01:00
Katze
2a746115ca fix #529 issuer_uri in x509_certificate_info (#530) 
The issuer_uri is retrieved from the Authority Information Access field the same way as the OCSP responder URI is.
Handling is exactly the same since they reside in the same OID space and have the same data type.
Tests have also been added based on the integration test certificates.

Signed-off-by: benaryorg <binary@benary.org>

Signed-off-by: benaryorg <binary@benary.org>
 2022-11-17 12:40:44 +01:00
Christoph
37fddc61d8 openssl_privatekey: fix example for cipher (#527) 
the cipher parameter required for encrypted private keys only accepts the value "auto" 
as described in /plugins/doc_fragments/module_privatekey.py.

The previously documented value of "aes256" is invalid here.
 2022-11-10 20:25:56 +01:00
Felix Fontein
a050250153 Next expected release is 2.9.0. 2022-11-06 22:31:21 +01:00
Felix Fontein
42e27a360d Release 2.8.1 2022-11-06 22:02:07 +01:00
Felix Fontein
95b9df187f Prepare 2.8.1 release. 2022-11-06 21:13:02 +01:00
Felix Fontein
7bbe8f467c Document attributes (#526) 
* Add 'acme' action group attribute.

* Compatibility with older ansible-core releases.

* Fix typo.

* Document standard attributes.

* Improve docs.

* Add shortcuts for common combinations.
 2022-11-06 21:10:56 +01:00
Felix Fontein
0c67afb6c3 Next expected release is 2.9.0. 2022-11-02 13:33:30 +01:00
Felix Fontein
68b7c0d38c Release 2.8.0. 2022-11-02 12:56:08 +01:00
Felix Fontein
9ba0e25bfe Handle new nonce call more gracefully when it does not return nonce. (#525) 2022-11-02 08:32:01 +00:00
Felix Fontein
9a64347ea6 Prepare 2.8.0 release. 2022-11-01 19:52:23 +01:00
Felix Fontein
e4e2b804bc Allow to configure encryption level. (#523) 2022-11-01 19:51:28 +01:00
Felix Fontein
4533b3e934 Include symbolic HTTP status codes in error and log messages when available. (#524) 2022-10-31 21:33:27 +01:00
Felix Fontein
fd71773668 Add badge for EOL CI. (#522) 2022-10-30 09:21:12 +01:00
Felix Fontein
b17d57f737 CI: drop remote CI targets for EoL Ansible/ansible-base versions; move docker CI targets for EoL Ansible/ansible-base versions to GHA (#520) 
* Drop remote CI targets for EoL Ansible/ansible-base versions; move docker CI targets for EoL Ansible/ansible-base versions to GHA.

* Add target.

* Use change detection.
 2022-10-29 21:23:33 +02:00
Felix Fontein
f5d98e3148 Use dependabot to update GHAs. 2022-10-17 22:57:28 +02:00
Felix Fontein
5f9536af06 Next expected elease is 2.8.0. 2022-10-17 22:47:26 +02:00
Felix Fontein
7c41b31c37 Bump GHA actions. 2022-10-17 22:47:26 +02:00
Felix Fontein
a5c43c26f3 Release 2.7.1. 2022-10-17 22:24:20 +02:00
Felix Fontein
82aa1480af Prepare 2.7.1 release. 2022-10-17 21:41:04 +02:00
Felix Fontein
516be406e0 Improve import error handling for ACME modules (#519) 
* Improve import error handling for ACME modules

* Update plugins/module_utils/acme/acme.py

Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>

Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
 2022-10-17 21:38:54 +02:00
Felix Fontein
1f4840ba2f Change CI group identifiers (#517) 
* Change CI group identifiers.

* cloud → generic.
 2022-10-10 22:39:10 +02:00
Felix Fontein
52bc2cb266 Next expected release is 2.8.0. 2022-09-23 08:06:55 +02:00
Felix Fontein
18502d5250 Release 2.7.0. 2022-09-23 07:40:12 +02:00
Felix Fontein
b3f589df62 Action plugin support code: ensure compatibility with newer versions of ansible-core (#515) 
* Only access C.STRING_CONVERSION_ACTION for old ansible-base / Ansible versions.

* Always use self.__xxx instead of xxx directly.
 2022-09-23 07:02:46 +02:00
Felix Fontein
8ebf1279f9 Prepare 2.7.0 release. 2022-09-23 06:48:26 +02:00
Felix Fontein
19161ae4a0 Use stable-2.14 (default) for docs build, instead of devel. 2022-09-22 06:39:51 +02:00
Felix Fontein
c24e5c63e8 acme modules: also support 503 for retries (#513) 
* Also support 503 for retries.

* Forgot to adjust status code comparison.

* Also support 408.
 2022-09-21 13:50:26 +02:00
Felix Fontein
e656570d13 Add stable-2.14 to CI. (#514) 2022-09-21 08:27:54 +02:00
Felix Fontein
9e4209b837 Next expected release is 2.7.0. 2022-09-19 21:34:32 +02:00
Felix Fontein
ed52123206 Release 2.6.0. 2022-09-19 20:46:26 +02:00
Felix Fontein
d10bcd3d6c Fix fragment. 2022-09-19 20:46:13 +02:00
Felix Fontein
45e81a1b0c Prepare 2.6.0 release. 2022-09-19 20:11:29 +02:00
Andrew Pantuso
829707fc5a fix: add warning when openssh-keypair has private_key_format specified with opensshbin (#512) 2022-09-19 20:10:21 +02:00
Felix Fontein
a0d862e1f1 Support 429 Too Many Requests for acme module_utils. (#508) 2022-09-19 20:10:03 +02:00
Andrew Pantuso
1dcc135da5 feat: add private_key_format choices for openssh_keypair (#511) 
* feat: add private_key_format choices for openssh_keypair

* chore: add changelog fragment
 2022-09-18 20:10:29 -04:00
Felix Fontein
95626abdd3 Make mostly reuse conformant (#502) 
* Add .license files.

* Update README.

* Normalize licenses test.

* Add reuse GHA.

* Add blanket rule for changelog fragments.

* Add .license file for vendored third-party certificates.

* Fix workflow's permissions.

* Revert "Add .license file for vendored third-party certificates."

This reverts commit 35e106867c.

* Make reuse lint test optional.

* Add exceptions.

* Update README.

* Improve reuse test.
 2022-09-13 19:13:04 +00:00
Maxwell G
152c5422f1 Prefer unitest.mock by universally using compat.mock (#506) 
* tests.unit.compat.mock: Remove legacy compat code

This removes old Python 3.4 compatibility code that is no longer needed.

* Prefer unitest.mock by universally using compat.mock

`mock` is a backport of the `unittest.mock` module from the stdlib, and
there's no reason to use it on newer Python versions.
 2022-09-04 22:21:31 +02:00
Felix Fontein
98bfdb322a Make sure that escape sequence in YAML is not interpreted by Python. (#507) 2022-09-04 22:09:06 +02:00
Felix Fontein
d0d99c31b0 [TEMP] Create temp remote directory in ~. (#504) 2022-08-24 06:54:09 +02:00
Felix Fontein
0e15d6cea8 Convert yes/no to true/false. (#503) 2022-08-23 21:33:29 +02:00
Felix Fontein
ed03b1aa7f Remove included fake CA cert, create one on demand. (#501) 2022-08-21 09:53:57 +02:00
Felix Fontein
0379fb5614 Move Fedora 35 from devel to stable-2.13 CI runs. (#500) 2022-08-16 21:54:00 +02:00
Felix Fontein
fd1263c9aa Fix some new linting errors (#499) 
* Fix some new linting errors.

* More linting errors.

ci_complete
 2022-08-12 08:34:51 +02:00
Felix Fontein
c0bab015a4 Next expected release is 2.6.0. 2022-08-04 23:24:04 +02:00
Felix Fontein
4428daa411 Release 2.5.0. 2022-08-04 23:06:49 +02:00
Felix Fontein
f821fa0f2d Prepare 2.5.0 release. 2022-08-04 22:47:16 +02:00
Felix Fontein
2dafef1fab Fix docs (#497) 
* Fix docs.

* Fix YAML.

* Prevent crashes with older pyyaml versions.
 2022-08-04 20:02:56 +02:00
Daniel Ziegenberg
d83f7639be add production directory URL for ACME v2 for Sectigo (#496) 
According the to official Sectigo documentation [1] the directory URL
for ACME v2 is: https://acme-qa.secure.trust-provider.com/v2/DV

[1] https://docs.sectigo.com/scm/acme-integration-docs/1/eab-clients-sectigo-acme-integration.html

Signed-off-by: Daniel Ziegenberg <daniel@ziegenberg.at>
 2022-07-26 18:10:43 +02:00
Felix Fontein
e08efe2598 Correctly mark plugins/module_utils/crypto/_obj2txt.py as having two licenses. (#495) 2022-07-25 07:17:56 +02:00
Felix Fontein
e4ebca0945 Fix ssh-agent tests (#493) 
* Work around stupid ssh-agent output format.

* Workaround for Ansible 2.9.

* Old jinja2...

* Jinja2 on CentOS 6 is really annoying.
 2022-07-22 13:54:15 +02:00
Felix Fontein
6bf3ef47e1 Move licenses to LICENSES/, use SPDX-License-Identifier, mention all licenses in galaxy.yml (#491) 
* Add SPDX license identifiers, mention all licenses in galaxy.yml.

* Add default copyright headers.

* Add headers for documents.

* Fix/add more copyright statements.

* Add copyright / license info for vendored code.

* Add extra sanity test.

* Add changelog fragment.

* Comment PSF-2.0 license out in galaxy.yml for now.

* Remove colon after 'Copyright'.

* Avoid colon after 'Copyright' in lint script.

* Mention correct filename.

* Add BSD-3-Clause.

* Improve lint script.

* Update README.

* Symlinks...
 2022-07-21 07:27:26 +02:00
Felix Fontein
7deb0a6db9 openssl_csr: extend tests to check for privatekey_content together with privatekey_passphrase (#490) 
* Extend tests to check for privatekey_content together with privatekey_passphrase.

* Also test privatekey_content for private keys without passphrases.
 2022-07-14 14:32:53 +02:00
Felix Fontein
c106638648 Next expected release is 2.5.0. 2022-07-09 14:11:28 +02:00
Felix Fontein
4dcbbfba5b Release 2.4.0. 2022-07-09 13:20:28 +02:00
Felix Fontein
036c4c8e6f Prepare 2.4.0. 2022-07-09 13:19:48 +02:00
Felix Fontein
9ed4526fee openssl_pkcs12: fix crash when trying to get non-existing other certificates (#487) 
* Fix crash when trying to get non-existing other certificates.

* Add test.
 2022-07-07 22:30:22 +02:00
Felix Fontein
b16f12faa3 Add docs PR workflow that a) builds docs and b) show the docs diff that a PR ceates. (#484) 2022-06-29 20:46:25 +02:00
Felix Fontein
9df02aa335 Next expected release is 2.4.0. 2022-06-21 12:22:01 +02:00
Felix Fontein
d60d3fe1cb Revert "Revert "Revert "Revert "Revert "Revert "Deprecate Ansible 2.9 and ansible-base 2.10 support. (#460)"""""" 
This reverts commit 4a1842c004.
 2022-06-21 12:21:46 +02:00
Felix Fontein
a554a588c9 Release 2.3.4. 2022-06-21 12:11:22 +02:00
Felix Fontein
4a1842c004 Revert "Revert "Revert "Revert "Revert "Deprecate Ansible 2.9 and ansible-base 2.10 support. (#460)""""" 
This reverts commit 39ec208171.
 2022-06-21 12:09:00 +02:00
Felix Fontein
39ec208171 Revert "Revert "Revert "Revert "Deprecate Ansible 2.9 and ansible-base 2.10 support. (#460)"""" 
This reverts commit f5ccc1516b.
 2022-06-17 09:26:38 +02:00
Felix Fontein
899de8227d Next expected release is 2.4.0. 2022-06-17 09:26:36 +02:00
Felix Fontein
5af4a16e57 Release 2.3.3. 2022-06-17 08:25:13 +02:00
Felix Fontein
fc07de73e3 Prepare 2.3.3 release. 2022-06-17 08:24:47 +02:00
Felix Fontein
f5ccc1516b Revert "Revert "Revert "Deprecate Ansible 2.9 and ansible-base 2.10 support. (#460)""" 
(So we can do yet another bugfix release.)

This reverts commit cb77d81f8d.
 2022-06-17 08:24:03 +02:00
Felix Fontein
de0ec1f739 Add Apache 2.0 license; simplify and standardize license headers (#478) 
* Add Apache 2.0 license for Apache 2.0 licensed parts.

* Unify license headers.

* Move additional licenses to licenses/.

* Revert "Move additional licenses to licenses/."

This reverts commit c12b22de1c.
 2022-06-17 08:20:40 +02:00
Songmin Li
b29f238083 Fix ValueError: excluded_subtrees must be a non-empty list or None (#481) 2022-06-17 07:53:07 +02:00
Felix Fontein
2941bb9bb8 Prepare 2.4.0 release. 2022-06-15 22:16:49 +02:00
Felix Fontein
297b44f24b x509_crl: do not crash when signing with Ed25519 or Ed448 (#475) 
* Do not crash when signing with Ed25519 or Ed448.

* Forgot replace.
 2022-06-15 22:06:40 +02:00
Felix Fontein
429ed5faa5 Skip Ansible 2.9 coverage reporting with new AZP container. (#476) 
ci_coverage
 2022-06-14 21:41:27 +02:00
Felix Fontein
b3029f75cd Bump AZP container version. (#472) 2022-06-13 21:16:19 +02:00
Felix Fontein
f7bc3aa77c Disable broken CI platforms. (#469) 2022-06-05 23:11:29 +02:00
Felix Fontein
cb77d81f8d Revert "Revert "Deprecate Ansible 2.9 and ansible-base 2.10 support. (#460)"" 
This reverts commit 798d12b499.
 2022-06-02 12:52:58 +02:00
Felix Fontein
b87617945e Next expected release is 2.4.0. 2022-06-02 12:52:37 +02:00
449 changed files with 7775 additions and 1970 deletions
Expand all files Collapse all files

6
.azure-pipelines/README.md
View File

@@ -1,3 +1,9 @@
<!--
Copyright (c) Ansible Project
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
-->
## Azure Pipelines Configuration
Please see the [Documentation](https://github.com/ansible/community/wiki/Testing:-Azure-Pipelines) for more information.

311
.azure-pipelines/azure-pipelines.yml
View File

@@ -1,3 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
trigger:
batch: true
branches:
@@ -41,7 +46,7 @@ variables:
resources:
containers:
- container: default
image: quay.io/ansible/azure-pipelines-test-container:1.9.0
image: quay.io/ansible/azure-pipelines-test-container:3.0.0
pool: Standard
@@ -60,6 +65,17 @@ stages:
test: 'devel/sanity/extra'
- name: Units
test: 'devel/units/1'
- stage: Ansible_2_14
displayName: Sanity & Units 2.14
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.14/sanity/1'
- name: Units
test: '2.14/units/1'
- stage: Ansible_2_13
displayName: Sanity & Units 2.13
dependsOn: []
@@ -82,39 +98,6 @@ stages:
test: '2.12/sanity/1'
- name: Units
test: '2.12/units/1'
- stage: Ansible_2_11
displayName: Sanity & Units 2.11
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.11/sanity/1'
- name: Units
test: '2.11/units/1'
- stage: Ansible_2_10
displayName: Sanity & Units 2.10
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.10/sanity/1'
- name: Units
test: '2.10/units/1'
- stage: Ansible_2_9
displayName: Sanity & Units 2.9
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
targets:
- name: Sanity
test: '2.9/sanity/1'
- name: Units
test: '2.9/units/1'
### Docker
- stage: Docker_devel
displayName: Docker devel
@@ -122,14 +105,12 @@ stages:
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/linux/{0}/1
testFormat: devel/linux/{0}
targets:
- name: CentOS 7
test: centos7
- name: Fedora 35
test: fedora35
- name: Fedora 36
test: fedora36
- name: Fedora 37
test: fedora37
- name: openSUSE 15
test: opensuse15
- name: Ubuntu 20.04
@@ -138,70 +119,58 @@ stages:
test: ubuntu2204
- name: Alpine 3
test: alpine3
groups:
- 1
- 2
- stage: Docker_2_14
displayName: Docker 2.14
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.14/linux/{0}
targets:
- name: Fedora 36
test: fedora36
groups:
- 1
- 2
- stage: Docker_2_13
displayName: Docker 2.13
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.13/linux/{0}/1
testFormat: 2.13/linux/{0}
targets:
- name: openSUSE 15 py2
test: opensuse15py2
- name: Fedora 35
test: fedora35
- name: Fedora 34
test: fedora34
- name: Ubuntu 18.04
test: ubuntu1804
- name: Alpine 3
test: alpine3
groups:
- 1
- 2
- stage: Docker_2_12
displayName: Docker 2.12
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.12/linux/{0}/1
testFormat: 2.12/linux/{0}
targets:
- name: CentOS 6
test: centos6
- name: Fedora 33
test: fedora33
- stage: Docker_2_11
displayName: Docker 2.11
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.11/linux/{0}/1
targets:
- name: CentOS 7
test: centos7
- name: Fedora 32
test: fedora32
- name: Alpine 3
test: alpine3
- stage: Docker_2_10
displayName: Docker 2.10
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.10/linux/{0}/1
targets:
- name: CentOS 6
test: centos6
- stage: Docker_2_9
displayName: Docker 2.9
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.9/linux/{0}/1
targets:
- name: Fedora 31
test: fedora31
- name: Ubuntu 18.04
test: ubuntu1804
groups:
- 1
- 2
### Community Docker
- stage: Docker_community_devel
@@ -210,14 +179,19 @@ stages:
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/linux-community/{0}/1
testFormat: devel/linux-community/{0}
targets:
- name: Debian Bullseye
test: debian-bullseye/3.9
- name: ArchLinux
test: archlinux/3.10
- name: CentOS Stream 8
test: centos-stream8/3.8
- name: CentOS Stream 8 with Python 3.9
test: centos-stream8/3.9
- name: CentOS Stream 8 with Python 3.6
test: centos-stream8/3.6
groups:
- 1
- 2
### Remote
- stage: Remote_devel
@@ -226,147 +200,132 @@ stages:
jobs:
- template: templates/matrix.yml
parameters:
testFormat: devel/{0}/1
testFormat: devel/{0}
targets:
- name: macOS 12.0
test: macos/12.0
- name: RHEL 7.9
test: rhel/7.9
- name: RHEL 9.1
test: rhel/9.1
- name: FreeBSD 12.4
test: freebsd/12.4
- name: FreeBSD 13.1
test: freebsd/13.1
groups:
- 1
- 2
- stage: Remote_2_14
displayName: Remote 2.14
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.14/{0}
targets:
- name: RHEL 9.0
test: rhel/9.0
- name: FreeBSD 12.3
test: freebsd/12.3
- name: FreeBSD 13.1
test: freebsd/13.1
groups:
- 1
- 2
- stage: Remote_2_13
displayName: Remote 2.13
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.13/{0}/1
testFormat: 2.13/{0}
targets:
- name: macOS 12.0
test: macos/12.0
# - name: macOS 12.0
# test: macos/12.0
- name: RHEL 8.5
test: rhel/8.5
- name: FreeBSD 13.0
test: freebsd/13.0
groups:
- 1
- 2
- stage: Remote_2_12
displayName: Remote 2.12
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.12/{0}/1
testFormat: 2.12/{0}
targets:
- name: macOS 11.1
test: macos/11.1
# Not working anymore:
# - name: macOS 11.1
# test: macos/11.1
- name: RHEL 8.4
test: rhel/8.4
- stage: Remote_2_11
displayName: Remote 2.11
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.11/{0}/1
targets:
- name: RHEL 8.3
test: rhel/8.3
- name: FreeBSD 12.2
test: freebsd/12.2
- stage: Remote_2_10
displayName: Remote 2.10
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.10/{0}/1
targets:
- name: OS X 10.11
test: osx/10.11
- name: macOS 10.15
test: macos/10.15
- stage: Remote_2_9
displayName: Remote 2.9
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
testFormat: 2.9/{0}/1
targets:
- name: 'RHEL 7.8'
test: 'rhel/7.8'
### cloud
- stage: Cloud_devel
displayName: Cloud devel
groups:
- 1
- 2
### Generic
- stage: Generic_devel
displayName: Generic devel
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: devel/cloud/{0}/1
testFormat: devel/generic/{0}
targets:
- test: 2.7
- test: 3.5
- test: 3.6
- test: 3.7
- test: 3.8
- test: 3.9
# - test: 3.8
# - test: 3.9
- test: "3.10"
- stage: Cloud_2_13
displayName: Cloud 2.13
- test: "3.11"
groups:
- 1
- 2
- stage: Generic_2_14
displayName: Generic 2.14
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.13/cloud/{0}/1
testFormat: 2.14/generic/{0}
targets:
- test: 2.7
- test: 3.7
- stage: Cloud_2_12
displayName: Cloud 2.12
- test: 3.9
groups:
- 1
- 2
- stage: Generic_2_13
displayName: Generic 2.13
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.12/cloud/{0}/1
testFormat: 2.13/generic/{0}
targets:
- test: 3.8
groups:
- 1
- 2
- stage: Generic_2_12
displayName: Generic 2.12
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.12/generic/{0}
targets:
- test: 2.6
- test: 3.9
- stage: Cloud_2_11
displayName: Cloud 2.11
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.11/cloud/{0}/1
targets:
- test: 3.8
- stage: Cloud_2_10
displayName: Cloud 2.10
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.10/cloud/{0}/1
targets:
- test: 3.6
- stage: Cloud_2_9
displayName: Cloud 2.9
dependsOn: []
jobs:
- template: templates/matrix.yml
parameters:
nameFormat: Python {0}
testFormat: 2.9/cloud/{0}/1
targets:
- test: 2.7
groups:
- 1
- 2
## Finally
@@ -374,29 +333,21 @@ stages:
condition: succeededOrFailed()
dependsOn:
- Ansible_devel
- Ansible_2_14
- Ansible_2_13
- Ansible_2_12
- Ansible_2_11
- Ansible_2_10
- Ansible_2_9
- Remote_devel
- Remote_2_14
- Remote_2_13
- Remote_2_12
- Remote_2_11
- Remote_2_10
- Remote_2_9
- Docker_devel
- Docker_2_14
- Docker_2_13
- Docker_2_12
- Docker_2_11
- Docker_2_10
- Docker_2_9
- Docker_community_devel
- Cloud_devel
- Cloud_2_13
- Cloud_2_12
- Cloud_2_11
- Cloud_2_10
- Cloud_2_9
- Generic_devel
- Generic_2_14
- Generic_2_13
- Generic_2_12
jobs:
- template: templates/coverage.yml

8
.azure-pipelines/scripts/aggregate-coverage.sh
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env bash
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# Aggregate code coverage results for later processing.
set -o pipefail -eu
@@ -9,6 +13,10 @@ PATH="${PWD}/bin:${PATH}"
mkdir "${agent_temp_directory}/coverage/"
if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
exit
fi
options=(--venv --venv-system-site-packages --color -v)
ansible-test coverage combine --group-by command --export "${agent_temp_directory}/coverage/" "${options[@]}"

4
.azure-pipelines/scripts/combine-coverage.py
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env python
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
"""
Combine coverage data from multiple jobs, keeping the data only from the most recent attempt from each job.
Coverage artifacts must be named using the format: "Coverage $(System.JobAttempt) {StableUniqueNameForEachJob}"

4
.azure-pipelines/scripts/process-results.sh
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env bash
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# Check the test results and set variables for use in later steps.
set -o pipefail -eu

4
.azure-pipelines/scripts/publish-codecov.py
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env python
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
"""
Upload code coverage reports to codecov.io.
Multiple coverage files from multiple languages are accepted and aggregated after upload.

8
.azure-pipelines/scripts/report-coverage.sh
View File

@@ -1,10 +1,18 @@
#!/usr/bin/env bash
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# Generate code coverage reports for uploading to Azure Pipelines and codecov.io.
set -o pipefail -eu
PATH="${PWD}/bin:${PATH}"
if [[ "$(ansible --version)" =~ \ 2\.9\. ]]; then
exit
fi
if ! ansible-test --help >/dev/null 2>&1; then
# Install the devel version of ansible-test for generating code coverage reports.
# This is only used by Ansible Collections, which are typically tested against multiple Ansible versions (in separate jobs).

4
.azure-pipelines/scripts/run-tests.sh
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env bash
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# Configure the test environment and run the tests.
set -o pipefail -eu

4
.azure-pipelines/scripts/time-command.py
View File

@@ -1,4 +1,8 @@
#!/usr/bin/env python
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
"""Prepends a relative timestamp to each input line from stdin and writes it to stdout."""
from __future__ import (absolute_import, division, print_function)

5
.azure-pipelines/templates/coverage.yml
View File

@@ -1,3 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# This template adds a job for processing code coverage data.
# It will upload results to Azure Pipelines and codecov.io.
# Use it from a job stage that completes after all other jobs have completed.

5
.azure-pipelines/templates/matrix.yml
View File

@@ -1,3 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# This template uses the provided targets and optional groups to generate a matrix which is then passed to the test template.
# If this matrix template does not provide the required functionality, consider using the test template directly instead.

5
.azure-pipelines/templates/test.yml
View File

@@ -1,3 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# This template uses the provided list of jobs to create test one or more test jobs.
# It can be used directly if needed, or through the matrix template.

11
.github/dependabot.yml vendored Normal file
View File

@@ -0,0 +1,11 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"

4
.github/patchback.yml vendored
View File

@@ -1,4 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
backport_branch_prefix: patchback/backports/
backport_label_prefix: backport-
target_branch_prefix: stable-

192
.github/workflows/ansible-test.yml vendored Normal file
View File

@@ -0,0 +1,192 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# For the comprehensive list of the inputs supported by the ansible-community/ansible-test-gh-action GitHub Action, see
# https://github.com/marketplace/actions/ansible-test
name: EOL CI
on:
# Run EOL CI against all pushes (direct commits, also merged PRs), Pull Requests
push:
branches:
- main
- stable-*
pull_request:
# Run EOL CI once per day (at 09:00 UTC)
schedule:
- cron: '0 9 * * *'
jobs:
sanity:
name: EOL Sanity (Ⓐ${{ matrix.ansible }})
strategy:
matrix:
ansible:
- '2.9'
- '2.10'
- '2.11'
# Ansible-test on various stable branches does not yet work well with cgroups v2.
# Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04
# image for these stable branches. The list of branches where this is necessary will
# shrink over time, check out https://github.com/ansible-collections/news-for-maintainers/issues/28
# for the latest list.
runs-on: >-
${{ contains(fromJson(
'["2.9", "2.10", "2.11"]'
), matrix.ansible) && 'ubuntu-20.04' || 'ubuntu-latest' }}
steps:
- name: Perform sanity testing
uses: felixfontein/ansible-test-gh-action@main
with:
ansible-core-version: stable-${{ matrix.ansible }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
pull-request-change-detection: 'true'
testing-type: sanity
units:
# Ansible-test on various stable branches does not yet work well with cgroups v2.
# Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04
# image for these stable branches. The list of branches where this is necessary will
# shrink over time, check out https://github.com/ansible-collections/news-for-maintainers/issues/28
# for the latest list.
runs-on: >-
${{ contains(fromJson(
'["2.9", "2.10", "2.11"]'
), matrix.ansible) && 'ubuntu-20.04' || 'ubuntu-latest' }}
name: EOL Units (Ⓐ${{ matrix.ansible }})
strategy:
# As soon as the first unit test fails, cancel the others to free up the CI queue
fail-fast: true
matrix:
ansible:
- '2.9'
- '2.10'
- '2.11'
steps:
- name: >-
Perform unit testing against
Ansible version ${{ matrix.ansible }}
uses: felixfontein/ansible-test-gh-action@main
with:
ansible-core-version: stable-${{ matrix.ansible }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
pull-request-change-detection: 'true'
testing-type: units
integration:
# Ansible-test on various stable branches does not yet work well with cgroups v2.
# Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04
# image for these stable branches. The list of branches where this is necessary will
# shrink over time, check out https://github.com/ansible-collections/news-for-maintainers/issues/28
# for the latest list.
runs-on: >-
${{ contains(fromJson(
'["2.9", "2.10", "2.11"]'
), matrix.ansible) && 'ubuntu-20.04' || 'ubuntu-latest' }}
name: EOL I (Ⓐ${{ matrix.ansible }}+${{ matrix.docker }}+py${{ matrix.python }}:${{ matrix.target }})
strategy:
fail-fast: false
matrix:
ansible:
- ''
docker:
- ''
python:
- ''
target:
- ''
exclude:
- ansible: ''
include:
# 2.9
- ansible: '2.9'
docker: fedora31
python: ''
target: azp/posix/1/
- ansible: '2.9'
docker: fedora31
python: ''
target: azp/posix/2/
- ansible: '2.9'
docker: ubuntu1804
python: ''
target: azp/posix/1/
- ansible: '2.9'
docker: ubuntu1804
python: ''
target: azp/posix/2/
- ansible: '2.9'
docker: default
python: '2.7'
target: azp/generic/1/
- ansible: '2.9'
docker: default
python: '2.7'
target: azp/generic/2/
# 2.10
- ansible: '2.10'
docker: centos6
python: ''
target: azp/posix/1/
- ansible: '2.10'
docker: centos6
python: ''
target: azp/posix/2/
- ansible: '2.10'
docker: default
python: '3.6'
target: azp/generic/1/
- ansible: '2.10'
docker: default
python: '3.6'
target: azp/generic/2/
# 2.11
- ansible: '2.11'
docker: fedora32
python: ''
target: azp/posix/1/
- ansible: '2.11'
docker: fedora32
python: ''
target: azp/posix/2/
- ansible: '2.11'
docker: alpine3
python: ''
target: azp/posix/1/
- ansible: '2.11'
docker: alpine3
python: ''
target: azp/posix/2/
- ansible: '2.11'
docker: default
python: '3.8'
target: azp/generic/1/
- ansible: '2.11'
docker: default
python: '3.8'
target: azp/generic/2/
steps:
- name: >-
Perform integration testing against
Ansible version ${{ matrix.ansible }}
under Python ${{ matrix.python }}
uses: felixfontein/ansible-test-gh-action@main
with:
ansible-core-version: stable-${{ matrix.ansible }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
docker-image: ${{ matrix.docker }}
integration-continue-on-error: 'false'
integration-diff: 'false'
integration-retry-on-error: 'true'
pre-test-cmd: >-
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git ../../community/internal_test_tools
;
git clone --depth=1 --single-branch https://github.com/ansible-collections/community.general.git ../../community/general
pull-request-change-detection: 'true'
target: ${{ matrix.target }}
target-python-version: ${{ matrix.python }}
testing-type: integration

92
.github/workflows/docs-pr.yml vendored Normal file
View File

@@ -0,0 +1,92 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: Collection Docs
concurrency:
group: docs-pr-${{ github.head_ref }}
cancel-in-progress: true
on:
pull_request_target:
types: [opened, synchronize, reopened, closed]
env:
GHP_BASE_URL: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}
jobs:
build-docs:
permissions:
contents: read
name: Build Ansible Docs
uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
with:
collection-name: community.crypto
init-lenient: false
init-fail-on-error: true
squash-hierarchy: true
init-project: Community.Crypto Collection
init-copyright: Community.Crypto Contributors
init-title: Community.Crypto Collection Documentation
init-html-short-title: Community.Crypto Collection Docs
init-extra-html-theme-options: |
documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
render-file-line: '> * `$<status>` [$<path_tail>](https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/pr/${{ github.event.number }}/$<path_tail>)'
publish-docs-gh-pages:
# for now we won't run this on forks
if: github.repository == 'ansible-collections/community.crypto'
permissions:
contents: write
needs: [build-docs]
name: Publish Ansible Docs
uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
with:
artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
action: ${{ (github.event.action == 'closed' || needs.build-docs.outputs.changed != 'true') && 'teardown' || 'publish' }}
secrets:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
comment:
permissions:
pull-requests: write
runs-on: ubuntu-latest
needs: [build-docs, publish-docs-gh-pages]
name: PR comments
steps:
- name: PR comment
uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
with:
body-includes: '## Docs Build'
reactions: heart
action: ${{ needs.build-docs.outputs.changed != 'true' && 'remove' || '' }}
on-closed-body: |
## Docs Build 📝
This PR is closed and any previously published docsite has been unpublished.
on-merged-body: |
## Docs Build 📝
Thank you for contribution!✨
This PR has been merged and the docs are now incorporated into `main`:
${{ env.GHP_BASE_URL }}/branch/main
body: |
## Docs Build 📝
Thank you for contribution!✨
The docs for **this PR** have been published here:
${{ env.GHP_BASE_URL }}/pr/${{ github.event.number }}
You can compare to the docs for the `main` branch here:
${{ env.GHP_BASE_URL }}/branch/main
The docsite for **this PR** is also available for download as an artifact from this run:
${{ needs.build-docs.outputs.artifact-url }}
File changes:
${{ needs.build-docs.outputs.diff-files-rendered }}
${{ needs.build-docs.outputs.diff-rendered }}

52
.github/workflows/docs-push.yml vendored Normal file
View File

@@ -0,0 +1,52 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: Collection Docs
concurrency:
group: docs-push-${{ github.sha }}
cancel-in-progress: true
on:
push:
branches:
- main
- stable-*
tags:
- '*'
# Run CI once per day (at 09:00 UTC)
schedule:
- cron: '0 9 * * *'
# Allow manual trigger (for newer antsibull-docs, sphinx-ansible-theme, ... versions)
workflow_dispatch:
jobs:
build-docs:
permissions:
contents: read
name: Build Ansible Docs
uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
with:
collection-name: community.crypto
init-lenient: false
init-fail-on-error: true
squash-hierarchy: true
init-project: Community.Crypto Collection
init-copyright: Community.Crypto Contributors
init-title: Community.Crypto Collection Documentation
init-html-short-title: Community.Crypto Collection Docs
init-extra-html-theme-options: |
documentation_home_url=https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/branch/main/
publish-docs-gh-pages:
# for now we won't run this on forks
if: github.repository == 'ansible-collections/community.crypto'
permissions:
contents: write
needs: [build-docs]
name: Publish Ansible Docs
uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
with:
artifact-name: ${{ needs.build-docs.outputs.artifact-name }}
secrets:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

6
.github/workflows/ee.yml vendored
View File

@@ -1,4 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: execution environment
on:
# Run CI against all pushes (direct commits, also merged PRs), Pull Requests
@@ -34,7 +38,7 @@ jobs:
path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
- name: Set up Python
uses: actions/setup-python@v3
uses: actions/setup-python@v4
with:
python-version: '3.10'

34
.github/workflows/reuse.yml vendored Normal file
View File

@@ -0,0 +1,34 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
name: Verify REUSE
on:
push:
branches: [main]
pull_request:
branches: [main]
# Run CI once per day (at 04:45 UTC)
schedule:
- cron: '45 4 * * *'
jobs:
check:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install dependencies
run: |
pip install reuse
- name: Check REUSE compliance (except some PEM files)
run: |
rm -f tests/integration/targets/*/files/*.pem
rm -f tests/integration/targets/*/files/roots/*.pem
reuse lint

4
.gitignore vendored
View File

@@ -1,3 +1,7 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
# Community.crypt specific things
/changelogs/.plugin-cache.yaml

5
.reuse/dep5 Normal file
View File

@@ -0,0 +1,5 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: changelogs/fragments/*
Copyright: Ansible Project
License: GPL-3.0-or-later

191
CHANGELOG.rst
View File

@@ -5,6 +5,197 @@ Community Crypto Release Notes
.. contents:: Topics
v2.11.0
=======
Release Summary
---------------
Feature and bugfix release.
Minor Changes
-------------
- get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571).
Bugfixes
--------
- action plugin helper - fix handling of deprecations for ansible-core 2.14.2 (https://github.com/ansible-collections/community.crypto/pull/572).
- execution environment binary dependencies (bindep.txt) - fix ``python3-pyOpenSSL`` dependency resolution on RHEL 9+ / CentOS Stream 9+ platforms (https://github.com/ansible-collections/community.crypto/pull/575).
- various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.crypto/pull/569).
v2.10.0
=======
Release Summary
---------------
Bugfix and feature release.
Bugfixes
--------
- openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points`` that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer`` (https://github.com/ansible-collections/community.crypto/pull/560).
- openssl_publickey_info - do not crash with internal error when public key cannot be parsed (https://github.com/ansible-collections/community.crypto/pull/551).
New Plugins
-----------
Filter
~~~~~~
- openssl_csr_info - Retrieve information from OpenSSL Certificate Signing Requests (CSR)
- openssl_privatekey_info - Retrieve information from OpenSSL private keys
- openssl_publickey_info - Retrieve information from OpenSSL public keys in PEM format
- split_pem - Split PEM file contents into multiple objects
- x509_certificate_info - Retrieve information from X.509 certificates in PEM format
- x509_crl_info - Retrieve information from X.509 CRLs in PEM format
v2.9.0
======
Release Summary
---------------
Regular feature release.
Minor Changes
-------------
- x509_certificate_info - adds ``issuer_uri`` field in return value based on Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530).
v2.8.1
======
Release Summary
---------------
Maintenance release with improved documentation.
v2.8.0
======
Release Summary
---------------
Feature release.
Minor Changes
-------------
- acme_* modules - handle more gracefully if CA's new nonce call does not return a nonce (https://github.com/ansible-collections/community.crypto/pull/525).
- acme_* modules - include symbolic HTTP status codes in error and log messages when available (https://github.com/ansible-collections/community.crypto/pull/524).
- openssl_pkcs12 - add option ``encryption_level`` which allows to chose ``compatibility2022`` when cryptography >= 38.0.0 is used to enable a more backwards compatible encryption algorithm. If cryptography uses OpenSSL 3.0.0 or newer, the default algorithm is not compatible with older software (https://github.com/ansible-collections/community.crypto/pull/523).
v2.7.1
======
Release Summary
---------------
Maintenance release.
Bugfixes
--------
- acme_* modules - improve feedback when importing ``cryptography`` does not work (https://github.com/ansible-collections/community.crypto/issues/518, https://github.com/ansible-collections/community.crypto/pull/519).
v2.7.0
======
Release Summary
---------------
Feature release.
Minor Changes
-------------
- acme* modules - also support the HTTP 503 Service Unavailable and 408 Request Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513).
Bugfixes
--------
- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.crypto/pull/515).
v2.6.0
======
Release Summary
---------------
Feature release.
Minor Changes
-------------
- acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508).
- openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511).
v2.5.0
======
Release Summary
---------------
Maintenance release with improved licensing declaration and documentation fixes.
Minor Changes
-------------
- All software licenses are now in the ``LICENSES/`` directory of the collection root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491).
v2.4.0
======
Release Summary
---------------
Deprecation and bugfix release. No new features this time.
Deprecated Features
-------------------
- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed in the next major release (community.crypto 3.0.0). Some modules might still work with these versions afterwards, but we will no longer keep compatibility code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460).
Bugfixes
--------
- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, https://github.com/ansible-collections/community.crypto/pull/487).
v2.3.4
======
Release Summary
---------------
Re-release of what was intended to be 2.3.3.
A mistake during the release process caused the 2.3.3 tag to end up on the
commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17
as 2.3.3.
This release is identical to what should have been 2.3.3, except that the
version number has been bumped to 2.3.4 and this changelog entry for 2.3.4
has been added.
v2.3.3
======
Release Summary
---------------
Bugfix release.
Bugfixes
--------
- Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py`` and ``plugins/module_utils/crypto/_objects_data.py``.
- openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees must be a non-empty list or None' if only one of ``name_constraints_permitted`` and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
- x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473, https://github.com/ansible-collections/community.crypto/pull/474).
v2.3.2
======

3
CHANGELOG.rst.license Normal file
View File

@@ -0,0 +1,3 @@
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
SPDX-FileCopyrightText: Ansible Project

202
LICENSES/Apache-2.0.txt Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
https://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

0
simplified_bsd.txt → LICENSES/BSD-2-Clause.txt
View File

27
LICENSES/BSD-3-Clause.txt Normal file
View File

@@ -0,0 +1,27 @@
Copyright (c) Individual contributors.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of PyCA Cryptography nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

1
LICENSES/GPL-3.0-or-later.txt Symbolic link
View File

@@ -0,0 +1 @@
../COPYING

0
PSF-license.txt → LICENSES/PSF-2.0.txt
View File

27
README.md
View File

@@ -1,6 +1,13 @@
<!--
Copyright (c) Ansible Project
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
-->
# Ansible Community Crypto Collection
[![Build Status](https://dev.azure.com/ansible/community.crypto/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/community.crypto/_build?definitionId=21)
[![EOL CI](https://github.com/ansible-collections/community.crypto/workflows/EOL%20CI/badge.svg?event=push)](https://github.com/ansible-collections/community.crypto/actions)
[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/community.crypto)](https://codecov.io/gh/ansible-collections/community.crypto)
Provides modules for [Ansible](https://www.ansible.com/community) for various cryptographic operations.
@@ -11,7 +18,7 @@ Please note that this collection does **not** support Windows targets.
## Tested with Ansible
Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12 and ansible-core 2.13 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
Tested with the current Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, and ansible-core 2.14 releases and the current development version of ansible-core. Ansible versions before 2.9.10 are not supported.
## External requirements
@@ -19,6 +26,16 @@ The exact requirements for every module are listed in the module documentation.
Most modules require a recent enough version of [the Python cryptography library](https://pypi.org/project/cryptography/). See the module documentations for the minimal version supported for each module.
## Collection Documentation
Browsing the [**latest** collection documentation](https://docs.ansible.com/ansible/latest/collections/community/crypto) will show docs for the _latest version released in the Ansible package_, not the latest version of the collection released on Galaxy.
Browsing the [**devel** collection documentation](https://docs.ansible.com/ansible/devel/collections/community/crypto) shows docs for the _latest version released on Galaxy_.
We also separately publish [**latest commit** collection documentation](https://ansible-collections.github.io/community.crypto/branch/main/) which shows docs for the _latest commit in the `main` branch_.
If you use the Ansible package and do not update collections independently, use **latest**. If you install or update this collection directly from Galaxy, use **devel**. If you are looking to contribute, use **latest commit**.
## Included content
- OpenSSL / PKI modules:
@@ -108,6 +125,10 @@ In 2.0.0, the following notable features will be removed:
## Licensing
GNU General Public License v3.0 or later.
This collection is primarily licensed and distributed as a whole under the GNU General Public License v3.0 or later.
See [COPYING](https://www.gnu.org/licenses/gpl-3.0.txt) to see the full text.
See [LICENSES/GPL-3.0-or-later.txt](https://github.com/ansible-collections/community.crypto/blob/main/COPYING) for the full text.
Parts of the collection are licensed under the [Apache 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/Apache-2.0.txt) (`plugins/module_utils/crypto/_obj2txt.py` and `plugins/module_utils/crypto/_objects_data.py`), the [BSD 2-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-2-Clause.txt) (`plugins/module_utils/ecs/api.py`), the [BSD 3-Clause license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/BSD-3-Clause.txt) (`plugins/module_utils/crypto/_obj2txt.py`), and the [PSF 2.0 license](https://github.com/ansible-collections/community.crypto/blob/main/LICENSES/PSF-2.0.txt) (`plugins/module_utils/_version.py`). This only applies to vendored files in ``plugins/module_utils/`` and to the ECS module utils.
Almost all files have a machine readable `SDPX-License-Identifier:` comment denoting its respective license(s) or an equivalent entry in an accompanying `.license` file. Only changelog fragments (which will not be part of a release) are covered by a blanket statement in `.reuse/dep5`. Right now a few vendored PEM files do not have licensing information as well. This conforms to the [REUSE specification](https://reuse.software/spec/) up to the aforementioned PEM files.

192
changelogs/changelog.yaml
View File

@@ -737,6 +737,59 @@ releases:
name: openssl_privatekey_convert
namespace: ''
release_date: '2022-01-10'
2.10.0:
changes:
bugfixes:
- openssl_csr, openssl_csr_pipe - prevent invalid values for ``crl_distribution_points``
that do not have one of ``full_name``, ``relative_name``, and ``crl_issuer``
(https://github.com/ansible-collections/community.crypto/pull/560).
- openssl_publickey_info - do not crash with internal error when public key
cannot be parsed (https://github.com/ansible-collections/community.crypto/pull/551).
release_summary: Bugfix and feature release.
fragments:
- 2.10.0.yml
- 551-publickey-info.yml
- 560-openssl_csr-crl_distribution_points.yml
plugins:
filter:
- description: Retrieve information from OpenSSL Certificate Signing Requests
(CSR)
name: openssl_csr_info
namespace: null
- description: Retrieve information from OpenSSL private keys
name: openssl_privatekey_info
namespace: null
- description: Retrieve information from OpenSSL public keys in PEM format
name: openssl_publickey_info
namespace: null
- description: Split PEM file contents into multiple objects
name: split_pem
namespace: null
- description: Retrieve information from X.509 certificates in PEM format
name: x509_certificate_info
namespace: null
- description: Retrieve information from X.509 CRLs in PEM format
name: x509_crl_info
namespace: null
release_date: '2023-01-02'
2.11.0:
changes:
bugfixes:
- action plugin helper - fix handling of deprecations for ansible-core 2.14.2
(https://github.com/ansible-collections/community.crypto/pull/572).
- execution environment binary dependencies (bindep.txt) - fix ``python3-pyOpenSSL``
dependency resolution on RHEL 9+ / CentOS Stream 9+ platforms (https://github.com/ansible-collections/community.crypto/pull/575).
- various plugins - remove unnecessary imports (https://github.com/ansible-collections/community.crypto/pull/569).
minor_changes:
- get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571).
release_summary: Feature and bugfix release.
fragments:
- 2.11.0.yml
- 571_get_certificate_ciphers.yaml
- 572-action-module.yml
- 575-bindep-python3-pyOpenSSL.yml
- remove-unneeded-imports.yml
release_date: '2023-02-23'
2.2.0:
changes:
bugfixes:
@@ -885,3 +938,142 @@ releases:
- 457-certificate_complete_chain-unsupported-algorithm.yml
- simplified-bsd-license.yml
release_date: '2022-06-02'
2.3.3:
changes:
bugfixes:
- Include ``Apache-2.0.txt`` file for ``plugins/module_utils/crypto/_obj2txt.py``
and ``plugins/module_utils/crypto/_objects_data.py``.
- openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees
must be a non-empty list or None' if only one of ``name_constraints_permitted``
and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481).
- x509_crl - do not crash when signing CRL with Ed25519 or Ed448 keys (https://github.com/ansible-collections/community.crypto/issues/473,
https://github.com/ansible-collections/community.crypto/pull/474).
release_summary: Bugfix release.
fragments:
- 2.3.3.yml
- 474-x509_crl-ed25519-ed448.yml
- 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
- apache-license.yml
release_date: '2022-06-17'
2.3.4:
changes:
release_summary: 'Re-release of what was intended to be 2.3.3.
A mistake during the release process caused the 2.3.3 tag to end up on the
commit for 1.9.17, which caused the release pipeline to re-publish 1.9.17
as 2.3.3.
This release is identical to what should have been 2.3.3, except that the
version number has been bumped to 2.3.4 and this changelog entry for 2.3.4
has been added.
'
fragments:
- 2.3.4.yml
release_date: '2022-06-21'
2.4.0:
changes:
bugfixes:
- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying
to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486,
https://github.com/ansible-collections/community.crypto/pull/487).
deprecated_features:
- Support for Ansible 2.9 and ansible-base 2.10 is deprecated, and will be removed
in the next major release (community.crypto 3.0.0). Some modules might still
work with these versions afterwards, but we will no longer keep compatibility
code that was needed to support them (https://github.com/ansible-collections/community.crypto/pull/460).
release_summary: Deprecation and bugfix release. No new features this time.
fragments:
- 2.4.0.yml
- 487-openssl_pkcs12-other-certs-crash.yml
- deprecate-ansible-2.9-2.10.yml
release_date: '2022-07-09'
2.5.0:
changes:
minor_changes:
- All software licenses are now in the ``LICENSES/`` directory of the collection
root. Moreover, ``SPDX-License-Identifier:`` is used to declare the applicable
license for every file that is not automatically generated (https://github.com/ansible-collections/community.crypto/pull/491).
release_summary: Maintenance release with improved licensing declaration and
documentation fixes.
fragments:
- 2.5.0.yml
- 491-licenses.yml
release_date: '2022-08-04'
2.6.0:
changes:
minor_changes:
- acme* modules - support the HTTP 429 Too Many Requests response status (https://github.com/ansible-collections/community.crypto/pull/508).
- openssh_keypair - added ``pkcs1``, ``pkcs8``, and ``ssh`` to the available
choices for the ``private_key_format`` option (https://github.com/ansible-collections/community.crypto/pull/511).
release_summary: Feature release.
fragments:
- 2.6.0.yml
- 508-acme-429.yml
- 511-openssh_keypair-private_key_format_options.yml
release_date: '2022-09-19'
2.7.0:
changes:
bugfixes:
- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core
(https://github.com/ansible-collections/community.crypto/pull/515).
minor_changes:
- acme* modules - also support the HTTP 503 Service Unavailable and 408 Request
Timeout response status for automatic retries (https://github.com/ansible-collections/community.crypto/pull/513).
release_summary: Feature release.
fragments:
- 2.7.0.yml
- 513-acme-503.yml
- 515-action-module-compat.yml
release_date: '2022-09-23'
2.7.1:
changes:
bugfixes:
- acme_* modules - improve feedback when importing ``cryptography`` does not
work (https://github.com/ansible-collections/community.crypto/issues/518,
https://github.com/ansible-collections/community.crypto/pull/519).
release_summary: Maintenance release.
fragments:
- 2.7.1.yml
- 519-acme-cryptography.yml
release_date: '2022-10-17'
2.8.0:
changes:
minor_changes:
- acme_* modules - handle more gracefully if CA's new nonce call does not return
a nonce (https://github.com/ansible-collections/community.crypto/pull/525).
- acme_* modules - include symbolic HTTP status codes in error and log messages
when available (https://github.com/ansible-collections/community.crypto/pull/524).
- openssl_pkcs12 - add option ``encryption_level`` which allows to chose ``compatibility2022``
when cryptography >= 38.0.0 is used to enable a more backwards compatible
encryption algorithm. If cryptography uses OpenSSL 3.0.0 or newer, the default
algorithm is not compatible with older software (https://github.com/ansible-collections/community.crypto/pull/523).
release_summary: Feature release.
fragments:
- 2.8.0.yml
- 523-pkcs12-compat.yml
- 524-acme-http-errors.yml
- 525-acme-no-nonce.yml
release_date: '2022-11-02'
2.8.1:
changes:
release_summary: Maintenance release with improved documentation.
fragments:
- 2.8.1.yml
release_date: '2022-11-06'
2.9.0:
changes:
minor_changes:
- x509_certificate_info - adds ``issuer_uri`` field in return value based on
Authority Information Access data (https://github.com/ansible-collections/community.crypto/pull/530).
release_summary: Regular feature release.
fragments:
- 2.9.0.yml
- aia_issuer.yaml
release_date: '2022-11-27'

3
changelogs/changelog.yaml.license Normal file
View File

@@ -0,0 +1,3 @@
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
SPDX-FileCopyrightText: Ansible Project

5
changelogs/config.yaml
View File

@@ -1,3 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
changelog_filename_template: ../CHANGELOG.rst
changelog_filename_version_depth: 0
changes_file: changelog.yaml

4
docs/docsite/extra-docs.yml
View File

@@ -1,4 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
sections:
- title: Scenario Guides
toctree:

4
docs/docsite/links.yml
View File

@@ -1,4 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
edit_on_github:
repository: ansible-collections/community.crypto
branch: main

7
docs/docsite/rst/guide_ownca.rst
View File

@@ -1,3 +1,8 @@
..
Copyright (c) Ansible Project
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
.. _ansible_collections.community.crypto.docsite.guide_ownca:
How to create a small CA
@@ -29,7 +34,7 @@ The following instructions show how to set up a simple self-signed CA certificat
use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN
basic_constraints:
- 'CA:TRUE'
basic_constraints_critical: yes
basic_constraints_critical: true
key_usage:
- keyCertSign
key_usage_critical: true

5
docs/docsite/rst/guide_selfsigned.rst
View File

@@ -1,3 +1,8 @@
..
Copyright (c) Ansible Project
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
.. _ansible_collections.community.crypto.docsite.guide_selfsigned:
How to create self-signed certificates

15
galaxy.yml
View File

@@ -1,11 +1,22 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
namespace: community
name: crypto
version: 2.3.2
version: 2.11.0
readme: README.md
authors:
- Ansible (github.com/ansible)
description: null
license_file: COPYING
license:
- GPL-3.0-or-later
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
- PSF-2.0
#license_file: COPYING
tags:
- acme
- certificate

9
meta/ee-bindep.txt
View File

@@ -1,3 +1,7 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
cryptsetup [platform:dpkg]
cryptsetup [platform:rpm]
openssh-client [platform:dpkg]
@@ -7,4 +11,7 @@ openssl [platform:rpm]
python3-cryptography [platform:dpkg]
python3-cryptography [platform:rpm]
python3-openssl [platform:dpkg]
python3-pyOpenSSL [platform:rpm]
# On RHEL 9+ and CentOS Stream 9+, python3-pyOpenSSL is part of EPEL
python3-pyOpenSSL [platform:rpm !platform:rhel !platform:centos]
python3-pyOpenSSL [platform:rhel-6 platform:centos-6 platform:rhel-7 platform:centos-7 platform:rhel-8 platform:centos-8]
python3-pyOpenSSL [platform:rhel platform:centos !platform:rhel-6 !platform:centos-6 !platform:rhel-7 !platform:centos-7 !platform:rhel-8 !platform:centos-8 epel]

4
meta/ee-requirements.txt
View File

@@ -1 +1,5 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
PyYAML

4
meta/execution-environment.yml
View File

@@ -1,4 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
version: 1
dependencies:
python: meta/ee-requirements.txt

16
meta/runtime.yml
View File

@@ -1,13 +1,17 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
requires_ansible: '>=2.9.10'
action_groups:
acme:
- acme_inspect
- acme_certificate_revoke
- acme_certificate
- acme_account
- acme_account_facts
- acme_account_info
- acme_inspect
- acme_certificate_revoke
- acme_certificate
- acme_account
- acme_account_info
plugin_routing:
modules:

5
plugins/action/openssl_privatekey_pipe.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

11
plugins/doc_fragments/acme.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -104,6 +105,8 @@ options:
U(https://api.buypass.com/acme/directory)."
- "For B(ZeroSSL), the production directory URL for ACME v2 is
U(https://acme.zerossl.com/v2/DV90)."
- "For B(Sectigo), the production directory URL for ACME v2 is
U(https://acme-qa.secure.trust-provider.com/v2/DV)."
- The notes for this module contain a list of ACME services this module has
been tested against.
required: true
@@ -111,10 +114,10 @@ options:
validate_certs:
description:
- Whether calls to the ACME directory will validate TLS certificates.
- "B(Warning:) Should B(only ever) be set to C(no) for testing purposes,
- "B(Warning:) Should B(only ever) be set to C(false) for testing purposes,
for example when testing against a local Pebble server."
type: bool
default: yes
default: true
select_crypto_backend:
description:
- Determines which crypto backend to use.

85
plugins/doc_fragments/attributes.py Normal file
View File

@@ -0,0 +1,85 @@
# -*- coding: utf-8 -*-
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
class ModuleDocFragment(object):
# Standard documentation fragment
DOCUMENTATION = r'''
options: {}
attributes:
check_mode:
description: Can run in C(check_mode) and return changed status prediction without modifying target.
diff_mode:
description: Will return details on what has changed (or possibly needs changing in C(check_mode)), when in diff mode.
'''
# Should be used together with the standard fragment
INFO_MODULE = r'''
options: {}
attributes:
check_mode:
support: full
details:
- This action does not modify state.
diff_mode:
support: N/A
details:
- This action does not modify state.
'''
ACTIONGROUP_ACME = r'''
options: {}
attributes:
action_group:
description: Use C(group/acme) or C(group/community.crypto.acme) in C(module_defaults) to set defaults for this module.
support: full
membership:
- community.crypto.acme
- acme
'''
FACTS = r'''
options: {}
attributes:
facts:
description: Action returns an C(ansible_facts) dictionary that will update existing host facts.
'''
# Should be used together with the standard fragment and the FACTS fragment
FACTS_MODULE = r'''
options: {}
attributes:
check_mode:
support: full
details:
- This action does not modify state.
diff_mode:
support: N/A
details:
- This action does not modify state.
facts:
support: full
'''
FILES = r'''
options: {}
attributes:
safe_file_operations:
description: Uses Ansible's strict file operation functions to ensure proper permissions and avoid data corruption.
'''
FLOW = r'''
options: {}
attributes:
action:
description: Indicates this has a corresponding action plugin so some parts of the options can be executed on the controller.
async:
description: Supports being used with the C(async) keyword.
'''

3
plugins/doc_fragments/ecs_credential.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright (c), Entrust Datacard Corporation, 2019
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

15
plugins/doc_fragments/module_certificate.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -22,7 +23,7 @@ options:
description:
- Generate the certificate, even if it already exists.
type: bool
default: no
default: false
csr_path:
description:
@@ -109,9 +110,9 @@ options:
- Include the intermediate certificate to the generated certificate
- This is only used by the C(acme) provider.
- Note that this is only available for older versions of C(acme-tiny).
New versions include the chain automatically, and setting I(acme_chain) to C(yes) results in an error.
New versions include the chain automatically, and setting I(acme_chain) to C(true) results in an error.
type: bool
default: no
default: false
acme_directory:
description:
@@ -313,7 +314,7 @@ options:
- This is only used by the C(ownca) provider.
- Note that this is only supported if the C(cryptography) backend is used!
type: bool
default: yes
default: true
'''
BACKEND_SELFSIGNED_DOCUMENTATION = r'''

13
plugins/doc_fragments/module_csr.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyrigt: (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2017, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -121,10 +122,10 @@ options:
aliases: [ subjectAltName_critical ]
use_common_name_for_san:
description:
- If set to C(yes), the module will fill the common name in for
- If set to C(true), the module will fill the common name in for
C(subject_alt_name) with C(DNS:) prefix if no SAN is specified.
type: bool
default: yes
default: true
aliases: [ useCommonNameForSAN ]
key_usage:
description:
@@ -218,7 +219,7 @@ options:
certificates or for own CAs."
- Note that this is only supported if the C(cryptography) backend is used!
type: bool
default: no
default: false
subject_key_identifier:
description:
- The subject key identifier as a hex string, where two bytes are separated by colons.
@@ -226,7 +227,7 @@ options:
- "Please note that commercial CAs ignore this value, respectively use a value of their
own choice. Specifying this option is mostly useful for self-signed certificates
or for own CAs."
- Note that this option can only be used if I(create_subject_key_identifier) is C(no).
- Note that this option can only be used if I(create_subject_key_identifier) is C(false).
- Note that this is only supported if the C(cryptography) backend is used!
type: str
authority_key_identifier:

7
plugins/doc_fragments/module_privatekey.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -128,7 +129,7 @@ options:
is protected by an unknown passphrase, or when they key is not protected by a passphrase,
but a passphrase is specified. Make sure you have a B(backup) when using this option!
- If set to C(always), the module will always regenerate the key. This is equivalent to
setting I(force) to C(yes).
setting I(force) to C(true).
- Note that if I(format_mismatch) is set to C(convert) and everything matches except the
format, the key will always be converted, except if I(regenerate) is set to C(always).
type: str

5
plugins/doc_fragments/module_privatekey_convert.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

5
plugins/doc_fragments/name_encoding.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

313
plugins/filter/openssl_csr_info.py Normal file
View File

@@ -0,0 +1,313 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: openssl_csr_info
short_description: Retrieve information from OpenSSL Certificate Signing Requests (CSR)
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Provided an OpenSSL Certificate Signing Requests (CSR), retrieve information.
- This is a filter version of the M(community.crypto.openssl_csr_info) module.
options:
_input:
description:
- The content of the OpenSSL CSR.
type: string
required: true
extends_documentation_fragment:
- community.crypto.name_encoding
seealso:
- module: community.crypto.openssl_csr_info
'''
EXAMPLES = '''
- name: Show the Subject Alt Names of the CSR
ansible.builtin.debug:
msg: >-
{{
(
lookup('ansible.builtin.file', '/path/to/cert.csr')
| community.crypto.openssl_csr_info
).subject_alt_name | join(', ')
}}
'''
RETURN = '''
_value:
description:
- Information on the certificate.
type: dict
contains:
signature_valid:
description:
- Whether the CSR's signature is valid.
- In case the check returns C(false), the module will fail.
returned: success
type: bool
basic_constraints:
description: Entries in the C(basic_constraints) extension, or C(none) if extension is not present.
returned: success
type: list
elements: str
sample: ['CA:TRUE', 'pathlen:1']
basic_constraints_critical:
description: Whether the C(basic_constraints) extension is critical.
returned: success
type: bool
extended_key_usage:
description: Entries in the C(extended_key_usage) extension, or C(none) if extension is not present.
returned: success
type: list
elements: str
sample: [Biometric Info, DVCS, Time Stamping]
extended_key_usage_critical:
description: Whether the C(extended_key_usage) extension is critical.
returned: success
type: bool
extensions_by_oid:
description: Returns a dictionary for every extension OID
returned: success
type: dict
contains:
critical:
description: Whether the extension is critical.
returned: success
type: bool
value:
description:
- The Base64 encoded value (in DER format) of the extension.
- B(Note) that depending on the C(cryptography) version used, it is
not possible to extract the ASN.1 content of the extension, but only
to provide the re-encoded content of the extension in case it was
parsed by C(cryptography). This should usually result in exactly the
same value, except if the original extension value was malformed.
returned: success
type: str
sample: "MAMCAQU="
sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
key_usage:
description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
returned: success
type: str
sample: [Key Agreement, Data Encipherment]
key_usage_critical:
description: Whether the C(key_usage) extension is critical.
returned: success
type: bool
subject_alt_name:
description:
- Entries in the C(subject_alt_name) extension, or C(none) if extension is not present.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: list
elements: str
sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
subject_alt_name_critical:
description: Whether the C(subject_alt_name) extension is critical.
returned: success
type: bool
ocsp_must_staple:
description: C(true) if the OCSP Must Staple extension is present, C(none) otherwise.
returned: success
type: bool
ocsp_must_staple_critical:
description: Whether the C(ocsp_must_staple) extension is critical.
returned: success
type: bool
name_constraints_permitted:
description: List of permitted subtrees to sign certificates for.
returned: success
type: list
elements: str
sample: ['email:.somedomain.com']
name_constraints_excluded:
description:
- List of excluded subtrees the CA cannot sign certificates for.
- Is C(none) if extension is not present.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: list
elements: str
sample: ['email:.com']
name_constraints_critical:
description:
- Whether the C(name_constraints) extension is critical.
- Is C(none) if extension is not present.
returned: success
type: bool
subject:
description:
- The CSR's subject as a dictionary.
- Note that for repeated values, only the last one will be returned.
returned: success
type: dict
sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
subject_ordered:
description: The CSR's subject as an ordered list of tuples.
returned: success
type: list
elements: list
sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
public_key:
description: CSR's public key in PEM format
returned: success
type: str
sample: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..."
public_key_type:
description:
- The CSR's public key's type.
- One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448).
- Will start with C(unknown) if the key type cannot be determined.
returned: success
type: str
sample: RSA
public_key_data:
description:
- Public key data. Depends on the public key's type.
returned: success
type: dict
contains:
size:
description:
- Bit size of modulus (RSA) or prime number (DSA).
type: int
returned: When C(public_key_type=RSA) or C(public_key_type=DSA)
modulus:
description:
- The RSA key's modulus.
type: int
returned: When C(public_key_type=RSA)
exponent:
description:
- The RSA key's public exponent.
type: int
returned: When C(public_key_type=RSA)
p:
description:
- The C(p) value for DSA.
- This is the prime modulus upon which arithmetic takes place.
type: int
returned: When C(public_key_type=DSA)
q:
description:
- The C(q) value for DSA.
- This is a prime that divides C(p - 1), and at the same time the order of the subgroup of the
multiplicative group of the prime field used.
type: int
returned: When C(public_key_type=DSA)
g:
description:
- The C(g) value for DSA.
- This is the element spanning the subgroup of the multiplicative group of the prime field used.
type: int
returned: When C(public_key_type=DSA)
curve:
description:
- The curve's name for ECC.
type: str
returned: When C(public_key_type=ECC)
exponent_size:
description:
- The maximum number of bits of a private key. This is basically the bit size of the subgroup used.
type: int
returned: When C(public_key_type=ECC)
x:
description:
- The C(x) coordinate for the public point on the elliptic curve.
type: int
returned: When C(public_key_type=ECC)
y:
description:
- For C(public_key_type=ECC), this is the C(y) coordinate for the public point on the elliptic curve.
- For C(public_key_type=DSA), this is the publicly known group element whose discrete logarithm w.r.t. C(g) is the private key.
type: int
returned: When C(public_key_type=DSA) or C(public_key_type=ECC)
public_key_fingerprints:
description:
- Fingerprints of CSR's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
type: dict
sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
subject_key_identifier:
description:
- The CSR's subject key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(SubjectKeyIdentifier) extension is not present.
returned: success
type: str
sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
authority_key_identifier:
description:
- The CSR's authority key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success
type: str
sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
authority_cert_issuer:
description:
- The CSR's authority cert issuer as a list of general names.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: list
elements: str
sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
authority_cert_serial_number:
description:
- The CSR's authority cert serial number.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success
type: int
sample: 12345
'''
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.csr_info import (
get_csr_info,
)
from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock
def openssl_csr_info_filter(data, name_encoding='ignore'):
'''Extract information from X.509 PEM certificate.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.openssl_csr_info input must be a text type, not %s' % type(data))
if not isinstance(name_encoding, string_types):
raise AnsibleFilterError('The name_encoding option must be of a text type, not %s' % type(name_encoding))
name_encoding = to_native(name_encoding)
if name_encoding not in ('ignore', 'idna', 'unicode'):
raise AnsibleFilterError('The name_encoding option must be one of the values "ignore", "idna", or "unicode", not "%s"' % name_encoding)
module = FilterModuleMock({'name_encoding': name_encoding})
try:
return get_csr_info(module, 'cryptography', content=to_bytes(data), validate_signature=True)
except OpenSSLObjectError as exc:
raise AnsibleFilterError(to_native(exc))
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'openssl_csr_info': openssl_csr_info_filter,
}

193
plugins/filter/openssl_privatekey_info.py Normal file
View File

@@ -0,0 +1,193 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: openssl_privatekey_info
short_description: Retrieve information from OpenSSL private keys
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Provided an OpenSSL private keys, retrieve information.
- This is a filter version of the M(community.crypto.openssl_privatekey_info) module.
options:
_input:
description:
- The content of the OpenSSL private key.
type: string
required: true
passphrase:
description:
- The passphrase for the private key.
type: str
return_private_key_data:
description:
- Whether to return private key data.
- Only set this to C(true) when you want private information about this key to
be extracted.
- "B(WARNING:) you have to make sure that private key data is not accidentally logged!"
type: bool
default: false
extends_documentation_fragment:
- community.crypto.name_encoding
seealso:
- module: community.crypto.openssl_privatekey_info
'''
EXAMPLES = '''
- name: Show the Subject Alt Names of the CSR
ansible.builtin.debug:
msg: >-
{{
(
lookup('ansible.builtin.file', '/path/to/cert.csr')
| community.crypto.openssl_privatekey_info
).subject_alt_name | join(', ')
}}
'''
RETURN = '''
_value:
description:
- Information on the certificate.
type: dict
contains:
public_key:
description: Private key's public key in PEM format.
returned: success
type: str
sample: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..."
public_key_fingerprints:
description:
- Fingerprints of private key's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
type: dict
sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
type:
description:
- The key's type.
- One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448).
- Will start with C(unknown) if the key type cannot be determined.
returned: success
type: str
sample: RSA
public_data:
description:
- Public key data. Depends on key type.
returned: success
type: dict
contains:
size:
description:
- Bit size of modulus (RSA) or prime number (DSA).
type: int
returned: When C(type=RSA) or C(type=DSA)
modulus:
description:
- The RSA key's modulus.
type: int
returned: When C(type=RSA)
exponent:
description:
- The RSA key's public exponent.
type: int
returned: When C(type=RSA)
p:
description:
- The C(p) value for DSA.
- This is the prime modulus upon which arithmetic takes place.
type: int
returned: When C(type=DSA)
q:
description:
- The C(q) value for DSA.
- This is a prime that divides C(p - 1), and at the same time the order of the subgroup of the
multiplicative group of the prime field used.
type: int
returned: When C(type=DSA)
g:
description:
- The C(g) value for DSA.
- This is the element spanning the subgroup of the multiplicative group of the prime field used.
type: int
returned: When C(type=DSA)
curve:
description:
- The curve's name for ECC.
type: str
returned: When C(type=ECC)
exponent_size:
description:
- The maximum number of bits of a private key. This is basically the bit size of the subgroup used.
type: int
returned: When C(type=ECC)
x:
description:
- The C(x) coordinate for the public point on the elliptic curve.
type: int
returned: When C(type=ECC)
y:
description:
- For C(type=ECC), this is the C(y) coordinate for the public point on the elliptic curve.
- For C(type=DSA), this is the publicly known group element whose discrete logarithm w.r.t. C(g) is the private key.
type: int
returned: When C(type=DSA) or C(type=ECC)
private_data:
description:
- Private key data. Depends on key type.
returned: success and when I(return_private_key_data) is set to C(true)
type: dict
'''
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.privatekey_info import (
PrivateKeyParseError,
get_privatekey_info,
)
from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock
def openssl_privatekey_info_filter(data, passphrase=None, return_private_key_data=False):
'''Extract information from X.509 PEM certificate.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.openssl_privatekey_info input must be a text type, not %s' % type(data))
if passphrase is not None and not isinstance(passphrase, string_types):
raise AnsibleFilterError('The passphrase option must be a text type, not %s' % type(passphrase))
if not isinstance(return_private_key_data, bool):
raise AnsibleFilterError('The return_private_key_data option must be a boolean, not %s' % type(return_private_key_data))
module = FilterModuleMock({})
try:
result = get_privatekey_info(module, 'cryptography', content=to_bytes(data), passphrase=passphrase, return_private_key_data=return_private_key_data)
result.pop('can_parse_key', None)
result.pop('key_is_consistent', None)
return result
except PrivateKeyParseError as exc:
raise AnsibleFilterError(exc.error_message)
except OpenSSLObjectError as exc:
raise AnsibleFilterError(to_native(exc))
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'openssl_privatekey_info': openssl_privatekey_info_filter,
}

162
plugins/filter/openssl_publickey_info.py Normal file
View File

@@ -0,0 +1,162 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: openssl_publickey_info
short_description: Retrieve information from OpenSSL public keys in PEM format
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Provided a public key in OpenSSL PEM format, retrieve information.
- This is a filter version of the M(community.crypto.openssl_publickey_info) module.
options:
_input:
description:
- The content of the OpenSSL PEM public key.
type: string
required: true
seealso:
- module: community.crypto.openssl_publickey_info
'''
EXAMPLES = '''
- name: Show the type of a public key
ansible.builtin.debug:
msg: >-
{{
(
lookup('ansible.builtin.file', '/path/to/public-key.pem')
| community.crypto.openssl_publickey_info
).type
}}
'''
RETURN = '''
_value:
description:
- Information on the public key.
type: dict
contains:
fingerprints:
description:
- Fingerprints of public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
type: dict
sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
type:
description:
- The key's type.
- One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448).
- Will start with C(unknown) if the key type cannot be determined.
returned: success
type: str
sample: RSA
public_data:
description:
- Public key data. Depends on key type.
returned: success
type: dict
contains:
size:
description:
- Bit size of modulus (RSA) or prime number (DSA).
type: int
returned: When C(type=RSA) or C(type=DSA)
modulus:
description:
- The RSA key's modulus.
type: int
returned: When C(type=RSA)
exponent:
description:
- The RSA key's public exponent.
type: int
returned: When C(type=RSA)
p:
description:
- The C(p) value for DSA.
- This is the prime modulus upon which arithmetic takes place.
type: int
returned: When C(type=DSA)
q:
description:
- The C(q) value for DSA.
- This is a prime that divides C(p - 1), and at the same time the order of the subgroup of the
multiplicative group of the prime field used.
type: int
returned: When C(type=DSA)
g:
description:
- The C(g) value for DSA.
- This is the element spanning the subgroup of the multiplicative group of the prime field used.
type: int
returned: When C(type=DSA)
curve:
description:
- The curve's name for ECC.
type: str
returned: When C(type=ECC)
exponent_size:
description:
- The maximum number of bits of a private key. This is basically the bit size of the subgroup used.
type: int
returned: When C(type=ECC)
x:
description:
- The C(x) coordinate for the public point on the elliptic curve.
type: int
returned: When C(type=ECC)
y:
description:
- For C(type=ECC), this is the C(y) coordinate for the public point on the elliptic curve.
- For C(type=DSA), this is the publicly known group element whose discrete logarithm w.r.t. C(g) is the private key.
type: int
returned: When C(type=DSA) or C(type=ECC)
'''
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
PublicKeyParseError,
get_publickey_info,
)
from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock
def openssl_publickey_info_filter(data):
'''Extract information from OpenSSL PEM public key.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.openssl_publickey_info input must be a text type, not %s' % type(data))
module = FilterModuleMock({})
try:
return get_publickey_info(module, 'cryptography', content=to_bytes(data))
except PublicKeyParseError as exc:
raise AnsibleFilterError(exc.error_message)
except OpenSSLObjectError as exc:
raise AnsibleFilterError(to_native(exc))
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'openssl_publickey_info': openssl_publickey_info_filter,
}

64
plugins/filter/split_pem.py Normal file
View File

@@ -0,0 +1,64 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: split_pem
short_description: Split PEM file contents into multiple objects
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Split PEM file contents into multiple PEM objects. Comments or invalid parts are ignored.
options:
_input:
description:
- The PEM contents to split.
type: string
required: true
'''
EXAMPLES = '''
- name: Print all CA certificates
ansible.builtin.debug:
msg: '{{ item }}'
loop: >-
{{ lookup('ansible.builtin.file', '/path/to/ca-bundle.pem') | community.crypto.split_pem }}
'''
RETURN = '''
_value:
description:
- A list of PEM file contents.
type: list
elements: string
'''
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_text
from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import split_pem_list
def split_pem_filter(data):
'''Split PEM file.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.split_pem input must be a text type, not %s' % type(data))
data = to_text(data)
return split_pem_list(data)
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'split_pem': split_pem_filter,
}

346
plugins/filter/x509_certificate_info.py Normal file
View File

@@ -0,0 +1,346 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: x509_certificate_info
short_description: Retrieve information from X.509 certificates in PEM format
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Provided a X.509 certificate in PEM format, retrieve information.
- This is a filter version of the M(community.crypto.x509_certificate_info) module.
options:
_input:
description:
- The content of the X.509 certificate in PEM format.
type: string
required: true
extends_documentation_fragment:
- community.crypto.name_encoding
seealso:
- module: community.crypto.x509_certificate_info
'''
EXAMPLES = '''
- name: Show the Subject Alt Names of the certificate
ansible.builtin.debug:
msg: >-
{{
(
lookup('ansible.builtin.file', '/path/to/cert.pem')
| community.crypto.x509_certificate_info
).subject_alt_name | join(', ')
}}
'''
RETURN = '''
_value:
description:
- Information on the certificate.
type: dict
contains:
expired:
description: Whether the certificate is expired (in other words, C(notAfter) is in the past).
returned: success
type: bool
basic_constraints:
description: Entries in the C(basic_constraints) extension, or C(none) if extension is not present.
returned: success
type: list
elements: str
sample: ["CA:TRUE", "pathlen:1"]
basic_constraints_critical:
description: Whether the C(basic_constraints) extension is critical.
returned: success
type: bool
extended_key_usage:
description: Entries in the C(extended_key_usage) extension, or C(none) if extension is not present.
returned: success
type: list
elements: str
sample: [Biometric Info, DVCS, Time Stamping]
extended_key_usage_critical:
description: Whether the C(extended_key_usage) extension is critical.
returned: success
type: bool
extensions_by_oid:
description: Returns a dictionary for every extension OID.
returned: success
type: dict
contains:
critical:
description: Whether the extension is critical.
returned: success
type: bool
value:
description:
- The Base64 encoded value (in DER format) of the extension.
- B(Note) that depending on the C(cryptography) version used, it is
not possible to extract the ASN.1 content of the extension, but only
to provide the re-encoded content of the extension in case it was
parsed by C(cryptography). This should usually result in exactly the
same value, except if the original extension value was malformed.
returned: success
type: str
sample: "MAMCAQU="
sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
key_usage:
description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
returned: success
type: str
sample: [Key Agreement, Data Encipherment]
key_usage_critical:
description: Whether the C(key_usage) extension is critical.
returned: success
type: bool
subject_alt_name:
description:
- Entries in the C(subject_alt_name) extension, or C(none) if extension is not present.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: list
elements: str
sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
subject_alt_name_critical:
description: Whether the C(subject_alt_name) extension is critical.
returned: success
type: bool
ocsp_must_staple:
description: C(true) if the OCSP Must Staple extension is present, C(none) otherwise.
returned: success
type: bool
ocsp_must_staple_critical:
description: Whether the C(ocsp_must_staple) extension is critical.
returned: success
type: bool
issuer:
description:
- The certificate's issuer.
- Note that for repeated values, only the last one will be returned.
returned: success
type: dict
sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
issuer_ordered:
description: The certificate's issuer as an ordered list of tuples.
returned: success
type: list
elements: list
sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
subject:
description:
- The certificate's subject as a dictionary.
- Note that for repeated values, only the last one will be returned.
returned: success
type: dict
sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
subject_ordered:
description: The certificate's subject as an ordered list of tuples.
returned: success
type: list
elements: list
sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
not_after:
description: C(notAfter) date as ASN.1 TIME.
returned: success
type: str
sample: '20190413202428Z'
not_before:
description: C(notBefore) date as ASN.1 TIME.
returned: success
type: str
sample: '20190331202428Z'
public_key:
description: Certificate's public key in PEM format.
returned: success
type: str
sample: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A..."
public_key_type:
description:
- The certificate's public key's type.
- One of C(RSA), C(DSA), C(ECC), C(Ed25519), C(X25519), C(Ed448), or C(X448).
- Will start with C(unknown) if the key type cannot be determined.
returned: success
type: str
sample: RSA
public_key_data:
description:
- Public key data. Depends on the public key's type.
returned: success
type: dict
contains:
size:
description:
- Bit size of modulus (RSA) or prime number (DSA).
type: int
returned: When C(public_key_type=RSA) or C(public_key_type=DSA)
modulus:
description:
- The RSA key's modulus.
type: int
returned: When C(public_key_type=RSA)
exponent:
description:
- The RSA key's public exponent.
type: int
returned: When C(public_key_type=RSA)
p:
description:
- The C(p) value for DSA.
- This is the prime modulus upon which arithmetic takes place.
type: int
returned: When C(public_key_type=DSA)
q:
description:
- The C(q) value for DSA.
- This is a prime that divides C(p - 1), and at the same time the order of the subgroup of the
multiplicative group of the prime field used.
type: int
returned: When C(public_key_type=DSA)
g:
description:
- The C(g) value for DSA.
- This is the element spanning the subgroup of the multiplicative group of the prime field used.
type: int
returned: When C(public_key_type=DSA)
curve:
description:
- The curve's name for ECC.
type: str
returned: When C(public_key_type=ECC)
exponent_size:
description:
- The maximum number of bits of a private key. This is basically the bit size of the subgroup used.
type: int
returned: When C(public_key_type=ECC)
x:
description:
- The C(x) coordinate for the public point on the elliptic curve.
type: int
returned: When C(public_key_type=ECC)
y:
description:
- For C(public_key_type=ECC), this is the C(y) coordinate for the public point on the elliptic curve.
- For C(public_key_type=DSA), this is the publicly known group element whose discrete logarithm w.r.t. C(g) is the private key.
type: int
returned: When C(public_key_type=DSA) or C(public_key_type=ECC)
public_key_fingerprints:
description:
- Fingerprints of certificate's public key.
- For every hash algorithm available, the fingerprint is computed.
returned: success
type: dict
sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
fingerprints:
description:
- Fingerprints of the DER-encoded form of the whole certificate.
- For every hash algorithm available, the fingerprint is computed.
returned: success
type: dict
sample: "{'sha256': 'd4:b3:aa:6d:c8:04:ce:4e:ba:f6:29:4d:92:a3:94:b0:c2:ff:bd:bf:33:63:11:43:34:0f:51:b0:95:09:2f:63',
'sha512': 'f7:07:4a:f0:b0:f0:e6:8b:95:5f:f9:e6:61:0a:32:68:f1..."
signature_algorithm:
description: The signature algorithm used to sign the certificate.
returned: success
type: str
sample: sha256WithRSAEncryption
serial_number:
description: The certificate's serial number.
returned: success
type: int
sample: 1234
version:
description: The certificate version.
returned: success
type: int
sample: 3
subject_key_identifier:
description:
- The certificate's subject key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(SubjectKeyIdentifier) extension is not present.
returned: success
type: str
sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
authority_key_identifier:
description:
- The certificate's authority key identifier.
- The identifier is returned in hexadecimal, with C(:) used to separate bytes.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success
type: str
sample: '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
authority_cert_issuer:
description:
- The certificate's authority cert issuer as a list of general names.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: list
elements: str
sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
authority_cert_serial_number:
description:
- The certificate's authority cert serial number.
- Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
returned: success
type: int
sample: 12345
ocsp_uri:
description: The OCSP responder URI, if included in the certificate. Will be
C(none) if no OCSP responder URI is included.
returned: success
type: str
issuer_uri:
description: The Issuer URI, if included in the certificate. Will be
C(none) if no issuer URI is included.
returned: success
type: str
'''
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import (
get_certificate_info,
)
from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock
def x509_certificate_info_filter(data, name_encoding='ignore'):
'''Extract information from X.509 PEM certificate.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.x509_certificate_info input must be a text type, not %s' % type(data))
if not isinstance(name_encoding, string_types):
raise AnsibleFilterError('The name_encoding option must be of a text type, not %s' % type(name_encoding))
name_encoding = to_native(name_encoding)
if name_encoding not in ('ignore', 'idna', 'unicode'):
raise AnsibleFilterError('The name_encoding option must be one of the values "ignore", "idna", or "unicode", not "%s"' % name_encoding)
module = FilterModuleMock({'name_encoding': name_encoding})
try:
return get_certificate_info(module, 'cryptography', content=to_bytes(data))
except OpenSSLObjectError as exc:
raise AnsibleFilterError(to_native(exc))
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'x509_certificate_info': x509_certificate_info_filter,
}

196
plugins/filter/x509_crl_info.py Normal file
View File

@@ -0,0 +1,196 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
name: x509_crl_info
short_description: Retrieve information from X.509 CRLs in PEM format
version_added: 2.10.0
author:
- Felix Fontein (@felixfontein)
description:
- Provided a X.509 crl in PEM format, retrieve information.
- This is a filter version of the M(community.crypto.x509_crl_info) module.
options:
_input:
description:
- The content of the X.509 CRL in PEM format.
type: string
required: true
list_revoked_certificates:
description:
- If set to C(false), the list of revoked certificates is not included in the result.
- This is useful when retrieving information on large CRL files. Enumerating all revoked
certificates can take some time, including serializing the result as JSON, sending it to
the Ansible controller, and decoding it again.
type: bool
default: true
version_added: 1.7.0
extends_documentation_fragment:
- community.crypto.name_encoding
seealso:
- module: community.crypto.x509_crl_info
'''
EXAMPLES = '''
- name: Show the Organization Name of the CRL's subject
ansible.builtin.debug:
msg: >-
{{
(
lookup('ansible.builtin.file', '/path/to/cert.pem')
| community.crypto.x509_crl_info
).issuer.organizationName
}}
'''
RETURN = '''
_value:
description:
- Information on the CRL.
type: dict
contains:
format:
description:
- Whether the CRL is in PEM format (C(pem)) or in DER format (C(der)).
returned: success
type: str
sample: pem
issuer:
description:
- The CRL's issuer.
- Note that for repeated values, only the last one will be returned.
- See I(name_encoding) for how IDNs are handled.
returned: success
type: dict
sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
issuer_ordered:
description: The CRL's issuer as an ordered list of tuples.
returned: success
type: list
elements: list
sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
last_update:
description: The point in time from which this CRL can be trusted as ASN.1 TIME.
returned: success
type: str
sample: '20190413202428Z'
next_update:
description: The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME.
returned: success
type: str
sample: '20190413202428Z'
digest:
description: The signature algorithm used to sign the CRL.
returned: success
type: str
sample: sha256WithRSAEncryption
revoked_certificates:
description: List of certificates to be revoked.
returned: success if I(list_revoked_certificates=true)
type: list
elements: dict
contains:
serial_number:
description: Serial number of the certificate.
type: int
sample: 1234
revocation_date:
description: The point in time the certificate was revoked as ASN.1 TIME.
type: str
sample: '20190413202428Z'
issuer:
description:
- The certificate's issuer.
- See I(name_encoding) for how IDNs are handled.
type: list
elements: str
sample: ["DNS:ca.example.org"]
issuer_critical:
description: Whether the certificate issuer extension is critical.
type: bool
sample: false
reason:
description:
- The value for the revocation reason extension.
- One of C(unspecified), C(key_compromise), C(ca_compromise), C(affiliation_changed), C(superseded),
C(cessation_of_operation), C(certificate_hold), C(privilege_withdrawn), C(aa_compromise), and
C(remove_from_crl).
type: str
sample: key_compromise
reason_critical:
description: Whether the revocation reason extension is critical.
type: bool
sample: false
invalidity_date:
description: |
The point in time it was known/suspected that the private key was compromised
or that the certificate otherwise became invalid as ASN.1 TIME.
type: str
sample: '20190413202428Z'
invalidity_date_critical:
description: Whether the invalidity date extension is critical.
type: bool
sample: false
'''
import base64
import binascii
from ansible.errors import AnsibleFilterError
from ansible.module_utils.six import string_types
from ansible.module_utils.common.text.converters import to_bytes, to_native
from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
OpenSSLObjectError,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
identify_pem_format,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.crl_info import (
get_crl_info,
)
from ansible_collections.community.crypto.plugins.plugin_utils.filter_module import FilterModuleMock
def x509_crl_info_filter(data, name_encoding='ignore', list_revoked_certificates=True):
'''Extract information from X.509 PEM certificate.'''
if not isinstance(data, string_types):
raise AnsibleFilterError('The community.crypto.x509_crl_info input must be a text type, not %s' % type(data))
if not isinstance(name_encoding, string_types):
raise AnsibleFilterError('The name_encoding option must be of a text type, not %s' % type(name_encoding))
if not isinstance(list_revoked_certificates, bool):
raise AnsibleFilterError('The list_revoked_certificates option must be a boolean, not %s' % type(list_revoked_certificates))
name_encoding = to_native(name_encoding)
if name_encoding not in ('ignore', 'idna', 'unicode'):
raise AnsibleFilterError('The name_encoding option must be one of the values "ignore", "idna", or "unicode", not "%s"' % name_encoding)
data = to_bytes(data)
if not identify_pem_format(data):
try:
data = base64.b64decode(to_native(data))
except (binascii.Error, TypeError, ValueError, UnicodeEncodeError) as e:
pass
module = FilterModuleMock({'name_encoding': name_encoding})
try:
return get_crl_info(module, content=data, list_revoked_certificates=list_revoked_certificates)
except OpenSSLObjectError as exc:
raise AnsibleFilterError(to_native(exc))
class FilterModule(object):
'''Ansible jinja2 filters'''
def filters(self):
return {
'x509_crl_info': x509_crl_info_filter,
}

4
plugins/module_utils/_version.py
View File

@@ -3,7 +3,9 @@
# Implements multiple version numbering conventions for the
# Python Module Distribution Utilities.
#
# PSF License (see PSF-license.txt or https://opensource.org/licenses/Python-2.0)
# Copyright (c) 2001-2022 Python Software Foundation. All rights reserved.
# PSF License (see LICENSES/PSF-2.0.txt or https://opensource.org/licenses/Python-2.0)
# SPDX-License-Identifier: PSF-2.0
#
"""Provides classes to represent module version numbers (one class for

7
plugins/module_utils/acme/account.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

78
plugins/module_utils/acme/acme.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -12,6 +13,7 @@ import copy
import datetime
import json
import locale
import time
import traceback
from ansible.module_utils.basic import missing_required_lib
@@ -25,6 +27,8 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.backend_open
from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import (
CryptographyBackend,
CRYPTOGRAPHY_ERROR,
CRYPTOGRAPHY_MINIMAL_VERSION,
CRYPTOGRAPHY_VERSION,
HAS_CURRENT_CRYPTOGRAPHY,
)
@@ -34,6 +38,7 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.errors impor
NetworkException,
ModuleFailException,
KeyParsingError,
format_http_status,
)
from ansible_collections.community.crypto.plugins.module_utils.acme.utils import (
@@ -41,12 +46,34 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.utils import
)
try:
import ipaddress
import ipaddress # noqa: F401, pylint: disable=unused-import
except ImportError:
HAS_IPADDRESS = False
IPADDRESS_IMPORT_ERROR = traceback.format_exc()
else:
HAS_IPADDRESS = True
IPADDRESS_IMPORT_ERROR = None
RETRY_STATUS_CODES = (408, 429, 503)
def _decode_retry(module, response, info, retry_count):
if info['status'] not in RETRY_STATUS_CODES:
return False
if retry_count >= 5:
raise ACMEProtocolException(module, msg='Giving up after 5 retries', info=info, response=response)
# 429 and 503 should have a Retry-After header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After)
try:
retry_after = min(max(1, int(info.get('retry-after'))), 60)
except (TypeError, ValueError) as dummy:
retry_after = 10
module.log('Retrieved a %s HTTP status on %s, retrying in %s seconds' % (format_http_status(info['status']), info['url'], retry_after))
time.sleep(retry_after)
return True
def _assert_fetch_url_success(module, response, info, allow_redirect=False, allow_client_error=True, allow_server_error=True):
@@ -105,10 +132,22 @@ class ACMEDirectory(object):
url = self.directory_root if self.version == 1 else self.directory['newNonce']
if resource is not None:
url = resource
dummy, info = fetch_url(self.module, url, method='HEAD', timeout=self.request_timeout)
if info['status'] not in (200, 204):
raise NetworkException("Failed to get replay-nonce, got status {0}".format(info['status']))
return info['replay-nonce']
retry_count = 0
while True:
response, info = fetch_url(self.module, url, method='HEAD', timeout=self.request_timeout)
if _decode_retry(self.module, response, info, retry_count):
retry_count += 1
continue
if info['status'] not in (200, 204):
raise NetworkException("Failed to get replay-nonce, got status {0}".format(format_http_status(info['status'])))
if 'replay-nonce' in info:
return info['replay-nonce']
self.module.log(
'HEAD to {0} did return status {1}, but no replay-nonce header!'.format(url, format_http_status(info['status'])))
if retry_count >= 5:
raise ACMEProtocolException(
self.module, msg='Was not able to obtain nonce, giving up after 5 retries', info=info, response=response)
retry_count += 1
class ACMEClient(object):
@@ -240,6 +279,9 @@ class ACMEClient(object):
'Content-Type': 'application/jose+json',
}
resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST', timeout=self.request_timeout)
if _decode_retry(self.module, resp, info, failed_tries):
failed_tries += 1
continue
_assert_fetch_url_success(self.module, resp, info)
result = {}
@@ -298,7 +340,12 @@ class ACMEClient(object):
if get_only:
# Perform unauthenticated GET
resp, info = fetch_url(self.module, uri, method='GET', headers=headers, timeout=self.request_timeout)
retry_count = 0
while True:
resp, info = fetch_url(self.module, uri, method='GET', headers=headers, timeout=self.request_timeout)
if not _decode_retry(self.module, resp, info, retry_count):
break
retry_count += 1
_assert_fetch_url_success(self.module, resp, info)
@@ -362,8 +409,19 @@ def create_backend(module, needs_acme_v2):
# Create backend object
if backend == 'cryptography':
if CRYPTOGRAPHY_ERROR is not None:
# Either we couldn't import cryptography at all, or there was an unexpected error
if CRYPTOGRAPHY_VERSION is None:
msg = missing_required_lib('cryptography')
else:
msg = 'Unexpected error while preparing cryptography: {0}'.format(CRYPTOGRAPHY_ERROR.splitlines()[-1])
module.fail_json(msg=msg, exception=CRYPTOGRAPHY_ERROR)
if not HAS_CURRENT_CRYPTOGRAPHY:
module.fail_json(msg=missing_required_lib('cryptography'))
# We succeeded importing cryptography, but its version is too old.
module.fail_json(
msg='Found cryptography, but only version {0}. {1}'.format(
CRYPTOGRAPHY_VERSION,
missing_required_lib('cryptography >= {0}'.format(CRYPTOGRAPHY_MINIMAL_VERSION))))
module.debug('Using cryptography backend (library version {0})'.format(CRYPTOGRAPHY_VERSION))
module_backend = CryptographyBackend(module)
elif backend == 'openssl':

26
plugins/module_utils/acme/backend_cryptography.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -13,6 +14,7 @@ import binascii
import datetime
import os
import sys
import traceback
from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
@@ -47,6 +49,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
extract_first_pem,
)
CRYPTOGRAPHY_MINIMAL_VERSION = '1.5'
CRYPTOGRAPHY_ERROR = None
try:
import cryptography
import cryptography.hazmat.backends
@@ -59,13 +64,18 @@ try:
import cryptography.hazmat.primitives.serialization
import cryptography.x509
import cryptography.x509.oid
CRYPTOGRAPHY_VERSION = cryptography.__version__
HAS_CURRENT_CRYPTOGRAPHY = (LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion('1.5'))
if HAS_CURRENT_CRYPTOGRAPHY:
_cryptography_backend = cryptography.hazmat.backends.default_backend()
except Exception as dummy:
except ImportError as dummy:
HAS_CURRENT_CRYPTOGRAPHY = False
CRYPTOGRAPHY_VERSION = None
CRYPTOGRAPHY_ERROR = traceback.format_exc()
else:
CRYPTOGRAPHY_VERSION = cryptography.__version__
HAS_CURRENT_CRYPTOGRAPHY = (LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion(CRYPTOGRAPHY_MINIMAL_VERSION))
try:
if HAS_CURRENT_CRYPTOGRAPHY:
_cryptography_backend = cryptography.hazmat.backends.default_backend()
except Exception as dummy:
CRYPTOGRAPHY_ERROR = traceback.format_exc()
if sys.version_info[0] >= 3:

7
plugins/module_utils/acme/backend_openssl_cli.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/acme/backends.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/acme/certificates.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/acme/challenges.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

24
plugins/module_utils/acme/errors.py
View File

@@ -1,14 +1,23 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from ansible.module_utils.common.text.converters import to_text
from ansible.module_utils.six import binary_type, PY3
from ansible.module_utils.six.moves.http_client import responses as http_responses
def format_http_status(status_code):
expl = http_responses.get(status_code)
if not expl:
return str(status_code)
return '%d %s' % (status_code, expl)
def format_error_problem(problem, subproblem_prefix=''):
@@ -86,9 +95,10 @@ class ACMEProtocolException(ModuleFailException):
extras['http_status'] = code
if code is not None and code >= 400 and content_json is not None and 'type' in content_json:
if 'status' in content_json and content_json['status'] != code:
code = 'status {problem_code} (HTTP status: {http_code})'.format(http_code=code, problem_code=content_json['status'])
code = 'status {problem_code} (HTTP status: {http_code})'.format(
http_code=format_http_status(code), problem_code=content_json['status'])
else:
code = 'status {problem_code}'.format(problem_code=code)
code = 'status {problem_code}'.format(problem_code=format_http_status(code))
subproblems = content_json.pop('subproblems', None)
add_msg = ' {problem}.'.format(problem=format_error_problem(content_json))
extras['problem'] = content_json
@@ -102,12 +112,12 @@ class ACMEProtocolException(ModuleFailException):
problem=format_error_problem(problem, subproblem_prefix='{0}.'.format(index)),
)
else:
code = 'HTTP status {code}'.format(code=code)
code = 'HTTP status {code}'.format(code=format_http_status(code))
if content_json is not None:
add_msg = ' The JSON error result: {content}'.format(content=content_json)
elif content is not None:
add_msg = ' The raw error result: {content}'.format(content=to_text(content))
msg = '{msg} for {url} with {code}'.format(msg=msg, url=url, code=code)
msg = '{msg} for {url} with {code}'.format(msg=msg, url=url, code=format_http_status(code))
elif content_json is not None:
add_msg = ' The JSON result: {content}'.format(content=content_json)
elif content is not None:

9
plugins/module_utils/acme/io.py
View File

@@ -1,9 +1,10 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2013, Romeo Theriault <romeot () hawaii.edu>
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2013, Romeo Theriault <romeot () hawaii.edu>
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/acme/orders.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/acme/utils.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright: (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
# Copyright (c) 2021 Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

5
plugins/module_utils/crypto/_asn1.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
# (c) 2020, Jordan Borean <jborean93@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2020, Jordan Borean <jborean93@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

10
plugins/module_utils/crypto/_obj2txt.py
View File

@@ -1,7 +1,17 @@
# This code is part of Ansible, but is an independent component.
# This particular file snippet, and this file snippet only, is licensed under the
# Apache 2.0 License. Modules you write using this snippet, which is embedded
# dynamically by Ansible, still belong to the author of the module, and may assign
# their own license to the complete work.
# This excerpt is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file at
# https://github.com/pyca/cryptography/blob/master/LICENSE for complete details.
#
# The Apache 2.0 license has been included as LICENSES/Apache-2.0.txt in this collection.
# The BSD License license has been included as LICENSES/BSD-3-Clause.txt in this collection.
# SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause
#
# Adapted from cryptography's hazmat/backends/openssl/decode_asn1.py
#
# Copyright (c) 2015, 2016 Paul Kehrer (@reaperhulk)

17
plugins/module_utils/crypto/_objects.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2019, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

9
plugins/module_utils/crypto/_objects_data.py
View File

@@ -1,3 +1,9 @@
# This code is part of Ansible, but is an independent component.
# This particular file snippet, and this file snippet only, is licensed under the
# Apache 2.0 License. Modules you write using this snippet, which is embedded
# dynamically by Ansible, still belong to the author of the module, and may assign
# their own license to the complete work.
# This has been extracted from the OpenSSL project's objects.txt:
# https://github.com/openssl/openssl/blob/9537fe5757bb07761fa275d779bbd40bcf5530e4/crypto/objects/objects.txt
# Extracted with https://gist.github.com/felixfontein/376748017ad65ead093d56a45a5bf376
@@ -5,7 +11,8 @@
# In case the following data structure has any copyrightable content, note that it is licensed as follows:
# Copyright (c) the OpenSSL contributors
# Licensed under the Apache License 2.0
# https://github.com/openssl/openssl/blob/master/LICENSE
# SPDX-License-Identifier: Apache-2.0
# https://github.com/openssl/openssl/blob/master/LICENSE.txt or LICENSES/Apache-2.0.txt
from __future__ import absolute_import, division, print_function
__metaclass__ = type

19
plugins/module_utils/crypto/basic.py
View File

@@ -1,20 +1,9 @@
# -*- coding: utf-8 -*-
#
# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# (c) 2020, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

17
plugins/module_utils/crypto/cryptography_crl.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2019, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

27
plugins/module_utils/crypto/cryptography_support.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2019, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -25,7 +14,7 @@ import re
import sys
import traceback
from ansible.module_utils.common.text.converters import to_text, to_bytes
from ansible.module_utils.common.text.converters import to_text, to_bytes, to_native
from ansible.module_utils.six.moves.urllib.parse import urlparse, urlunparse, ParseResult
from ._asn1 import serialize_asn1_string_as_der
@@ -149,7 +138,7 @@ def cryptography_get_extensions_from_cert(cert):
der = backend._ffi.buffer(data.data, data.length)[:]
entry = dict(
critical=(crit == 1),
value=base64.b64encode(der),
value=to_native(base64.b64encode(der)),
)
try:
oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
@@ -166,7 +155,7 @@ def cryptography_get_extensions_from_cert(cert):
for ext in cert.extensions:
result[ext.oid.dotted_string] = dict(
critical=ext.critical,
value=base64.b64encode(ext.value.public_bytes()),
value=to_native(base64.b64encode(ext.value.public_bytes())),
)
return result
@@ -209,7 +198,7 @@ def cryptography_get_extensions_from_csr(csr):
der = backend._ffi.buffer(data.data, data.length)[:]
entry = dict(
critical=(crit == 1),
value=base64.b64encode(der),
value=to_native(base64.b64encode(der)),
)
try:
oid = obj2txt(backend._lib, backend._ffi, backend._lib.X509_EXTENSION_get_object(ext))
@@ -226,7 +215,7 @@ def cryptography_get_extensions_from_csr(csr):
for ext in csr.extensions:
result[ext.oid.dotted_string] = dict(
critical=ext.critical,
value=base64.b64encode(ext.value.public_bytes()),
value=to_native(base64.b64encode(ext.value.public_bytes())),
)
return result

17
plugins/module_utils/crypto/math.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2019, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/crypto/module_backends/certificate.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/crypto/module_backends/certificate_acme.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/crypto/module_backends/certificate_entrust.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

27
plugins/module_utils/crypto/module_backends/certificate_info.py
View File

@@ -1,9 +1,10 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -138,6 +139,10 @@ class CertificateInfoRetrieval(object):
def _get_ocsp_uri(self):
pass
@abc.abstractmethod
def _get_issuer_uri(self):
pass
def get_info(self, prefer_one_fingerprint=False):
result = dict()
self.cert = load_certificate(None, content=self.content, backend=self.backend)
@@ -166,7 +171,7 @@ class CertificateInfoRetrieval(object):
result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT)
result['expired'] = not_after < datetime.datetime.utcnow()
result['public_key'] = self._get_public_key_pem()
result['public_key'] = to_native(self._get_public_key_pem())
public_key_info = get_publickey_info(
self.module,
@@ -199,6 +204,7 @@ class CertificateInfoRetrieval(object):
result['serial_number'] = self._get_serial_number()
result['extensions_by_oid'] = self._get_all_extensions()
result['ocsp_uri'] = self._get_ocsp_uri()
result['issuer_uri'] = self._get_issuer_uri()
return result
@@ -364,6 +370,17 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
pass
return None
def _get_issuer_uri(self):
try:
ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
for desc in ext.value:
if desc.access_method == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS:
if isinstance(desc.access_location, x509.UniformResourceIdentifier):
return desc.access_location.value
except x509.ExtensionNotFound as dummy:
pass
return None
def get_certificate_info(module, backend, content, prefer_one_fingerprint=False):
if backend == 'cryptography':

7
plugins/module_utils/crypto/module_backends/certificate_ownca.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

7
plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

5
plugins/module_utils/crypto/module_backends/common.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

5
plugins/module_utils/crypto/module_backends/crl_info.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

26
plugins/module_utils/crypto/module_backends/csr.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -269,8 +270,12 @@ def parse_crl_distribution_points(module, crl_distribution_points):
reasons=None,
)
if parse_crl_distribution_point['full_name'] is not None:
if not parse_crl_distribution_point['full_name']:
raise OpenSSLObjectError('full_name must not be empty')
params['full_name'] = [cryptography_get_name(name, 'full name') for name in parse_crl_distribution_point['full_name']]
if parse_crl_distribution_point['relative_name'] is not None:
if not parse_crl_distribution_point['relative_name']:
raise OpenSSLObjectError('relative_name must not be empty')
try:
params['relative_name'] = cryptography_parse_relative_distinguished_name(parse_crl_distribution_point['relative_name'])
except Exception:
@@ -279,6 +284,8 @@ def parse_crl_distribution_points(module, crl_distribution_points):
raise OpenSSLObjectError('Cannot specify relative_name for cryptography < 1.6')
raise
if parse_crl_distribution_point['crl_issuer'] is not None:
if not parse_crl_distribution_point['crl_issuer']:
raise OpenSSLObjectError('crl_issuer must not be empty')
params['crl_issuer'] = [cryptography_get_name(name, 'CRL issuer') for name in parse_crl_distribution_point['crl_issuer']]
if parse_crl_distribution_point['reasons'] is not None:
reasons = []
@@ -286,7 +293,7 @@ def parse_crl_distribution_points(module, crl_distribution_points):
reasons.append(REVOCATION_REASON_MAP[reason])
params['reasons'] = frozenset(reasons)
result.append(cryptography.x509.DistributionPoint(**params))
except OpenSSLObjectError as e:
except (OpenSSLObjectError, ValueError) as e:
raise OpenSSLObjectError('Error while parsing CRL distribution point #{index}: {error}'.format(index=index, error=e))
return result
@@ -345,8 +352,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
if self.name_constraints_permitted or self.name_constraints_excluded:
try:
csr = csr.add_extension(cryptography.x509.NameConstraints(
[cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted],
[cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded],
[cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted] or None,
[cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded] or None,
), critical=self.name_constraints_critical)
except TypeError as e:
raise OpenSSLObjectError('Error while parsing name constraint: {0}'.format(e))
@@ -498,8 +505,8 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
def _check_nameConstraints(extensions):
current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees or []] if current_nc_ext else []
current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees or []] if current_nc_ext else []
nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):
@@ -650,7 +657,8 @@ def get_csr_argument_spec():
'aa_compromise',
]),
),
mutually_exclusive=[('full_name', 'relative_name')]
mutually_exclusive=[('full_name', 'relative_name')],
required_one_of=[('full_name', 'relative_name', 'crl_issuer')],
),
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography']),
),

11
plugins/module_utils/crypto/module_backends/csr_info.py
View File

@@ -1,9 +1,10 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -132,7 +133,7 @@ class CSRInfoRetrieval(object):
result['name_constraints_critical'],
) = self._get_name_constraints()
result['public_key'] = self._get_public_key_pem()
result['public_key'] = to_native(self._get_public_key_pem())
public_key_info = get_publickey_info(
self.module,

13
plugins/module_utils/crypto/module_backends/privatekey.py
View File

@@ -1,8 +1,9 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -174,7 +175,7 @@ class PrivateKeyBackend:
return True
self.module.fail_json(msg='Unable to read the key. The key is protected with a another passphrase / no passphrase or broken.'
' Will not proceed. To force regeneration, call the module with `generate`'
' set to `full_idempotence` or `always`, or with `force=yes`.')
' set to `full_idempotence` or `always`, or with `force=true`.')
self._ensure_existing_private_key_loaded()
if self.regenerate != 'never':
if not self._check_size_and_type():
@@ -182,7 +183,7 @@ class PrivateKeyBackend:
return True
self.module.fail_json(msg='Key has wrong type and/or size.'
' Will not proceed. To force regeneration, call the module with `generate`'
' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=yes`.')
' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`.')
# During generation step, regenerate if format does not match and format_mismatch == 'regenerate'
if self.format_mismatch == 'regenerate' and self.regenerate != 'never':
if not self._check_format():
@@ -190,7 +191,7 @@ class PrivateKeyBackend:
return True
self.module.fail_json(msg='Key has wrong format.'
' Will not proceed. To force regeneration, call the module with `generate`'
' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=yes`.'
' set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`.'
' To convert the key, set `format_mismatch` to `convert`.')
return False

5
plugins/module_utils/crypto/module_backends/privatekey_convert.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2022, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

11
plugins/module_utils/crypto/module_backends/privatekey_info.py
View File

@@ -1,9 +1,10 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright: (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright: (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2016-2017, Yanis Guenane <yanis+ansible@guenane.org>
# Copyright (c) 2017, Markus Teufelberger <mteufelberger+ansible@mgit.at>
# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -213,7 +214,7 @@ class PrivateKeyInfoRetrieval(object):
except OpenSSLObjectError as exc:
raise PrivateKeyParseError(to_native(exc), result)
result['public_key'] = self._get_public_key(binary=False)
result['public_key'] = to_native(self._get_public_key(binary=False))
pk = self._get_public_key(binary=True)
result['public_key_fingerprints'] = get_fingerprint_of_bytes(
pk, prefer_one=prefer_one_fingerprint) if pk is not None else dict()

7
plugins/module_utils/crypto/module_backends/publickey_info.py
View File

@@ -1,7 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2020-2021, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# Copyright (c) 2020-2021, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -111,7 +112,7 @@ class PublicKeyInfoRetrieval(object):
try:
self.key = load_publickey(content=self.content, backend=self.backend)
except OpenSSLObjectError as e:
raise PublicKeyParseError(to_native(e))
raise PublicKeyParseError(to_native(e), {})
pk = self._get_public_key(binary=True)
result['fingerprints'] = get_fingerprint_of_bytes(

19
plugins/module_utils/crypto/openssh.py
View File

@@ -1,24 +1,13 @@
# -*- coding: utf-8 -*-
#
# (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
# This import is only to maintain backwards compatibility
from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import ( # noqa: F401, pylint: disable=unused-import
parse_openssh_version
)

17
plugins/module_utils/crypto/pem.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2019, Felix Fontein <felix@fontein.de>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2019, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

17
plugins/module_utils/crypto/support.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

21
plugins/module_utils/ecs/api.py
View File

@@ -7,25 +7,8 @@
# their own license to the complete work.
#
# Copyright (c), Entrust Datacard Corporation, 2019
# Simplified BSD License (see simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
# SPDX-License-Identifier: BSD-2-Clause
from __future__ import absolute_import, division, print_function

17
plugins/module_utils/io.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2016, Yanis Guenane <yanis+ansible@guenane.org>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

39
plugins/module_utils/openssh/backends/common.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -230,10 +219,11 @@ class KeygenCommand(object):
class PrivateKey(object):
def __init__(self, size, key_type, fingerprint):
def __init__(self, size, key_type, fingerprint, format=''):
self._size = size
self._type = key_type
self._fingerprint = fingerprint
self._format = format
@property
def size(self):
@@ -247,6 +237,10 @@ class PrivateKey(object):
def fingerprint(self):
return self._fingerprint
@property
def format(self):
return self._format
@classmethod
def from_string(cls, string):
properties = string.split()
@@ -262,6 +256,7 @@ class PrivateKey(object):
'size': self._size,
'type': self._type,
'fingerprint': self._fingerprint,
'format': self._format,
}
@@ -335,3 +330,17 @@ class PublicKey(object):
'comment': self._comment,
'public_key': self._data,
}
def parse_private_key_format(path):
with open(path, 'r') as file:
header = file.readline().strip()
if header == '-----BEGIN OPENSSH PRIVATE KEY-----':
return 'SSH'
elif header == '-----BEGIN PRIVATE KEY-----':
return 'PKCS8'
elif header == '-----BEGIN RSA PRIVATE KEY-----':
return 'PKCS1'
return ''

49
plugins/module_utils/openssh/backends/keypair_backend.py
View File

@@ -1,20 +1,9 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2018, David Kainz <dkainz@mgit.at> <dave.jokain@gmx.at>
# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2018, David Kainz <dkainz@mgit.at> <dave.jokain@gmx.at>
# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
@@ -42,6 +31,7 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.
OpensshModule,
PrivateKey,
PublicKey,
parse_private_key_format,
)
from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
any_in,
@@ -163,7 +153,7 @@ class KeypairBackend(OpensshModule):
self.module.fail_json(
msg="Unable to read the key. The key is protected with a passphrase or broken. " +
"Will not proceed. To force regeneration, call the module with `generate` " +
"set to `full_idempotence` or `always`, or with `force=yes`."
"set to `full_idempotence` or `always`, or with `force=true`."
)
@abc.abstractmethod
@@ -178,7 +168,7 @@ class KeypairBackend(OpensshModule):
self.module.fail_json(
msg="Key has wrong type and/or size. Will not proceed. " +
"To force regeneration, call the module with `generate` set to " +
"`partial_idempotence`, `full_idempotence` or `always`, or with `force=yes`."
"`partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
)
return self.original_private_key is None
elif self.regenerate in ('partial_idempotence', 'full_idempotence'):
@@ -193,8 +183,13 @@ class KeypairBackend(OpensshModule):
return all([
self.size == self.original_private_key.size,
self.type == self.original_private_key.type,
self._private_key_valid_backend(),
])
@abc.abstractmethod
def _private_key_valid_backend(self):
pass
@OpensshModule.trigger_change
@OpensshModule.skip_if_check_mode
def _generate(self):
@@ -317,6 +312,12 @@ class KeypairBackendOpensshBin(KeypairBackend):
def __init__(self, module):
super(KeypairBackendOpensshBin, self).__init__(module)
if self.module.params['private_key_format'] != 'auto':
self.module.fail_json(
msg="'auto' is the only valid option for " +
"'private_key_format' when 'backend' is not 'cryptography'"
)
self.ssh_keygen = KeygenCommand(self.module)
def _generate_keypair(self, private_key_path):
@@ -340,6 +341,9 @@ class KeypairBackendOpensshBin(KeypairBackend):
except (IOError, OSError) as e:
self.module.fail_json(msg=to_native(e))
def _private_key_valid_backend(self):
return True
class KeypairBackendCryptography(KeypairBackend):
def __init__(self, module):
@@ -371,6 +375,8 @@ class KeypairBackendCryptography(KeypairBackend):
"or for ed25519 keys"
)
)
else:
result = key_format.upper()
return result
@@ -397,6 +403,7 @@ class KeypairBackendCryptography(KeypairBackend):
size=keypair.size,
key_type=keypair.key_type,
fingerprint=keypair.fingerprint,
format=parse_private_key_format(self.private_key_path)
)
def _get_public_key(self):
@@ -439,6 +446,14 @@ class KeypairBackendCryptography(KeypairBackend):
except (IOError, OSError) as e:
self.module.fail_json(msg=to_native(e))
def _private_key_valid_backend(self):
# avoids breaking behavior and prevents
# automatic conversions with OpenSSH upgrades
if self.module.params['private_key_format'] == 'auto':
return True
return self.private_key_format == self.original_private_key.format
def select_backend(module, backend):
can_use_cryptography = HAS_OPENSSH_SUPPORT

17
plugins/module_utils/openssh/certificate.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

17
plugins/module_utils/openssh/cryptography.py
View File

@@ -1,19 +1,8 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

19
plugins/module_utils/openssh/utils.py
View File

@@ -1,20 +1,9 @@
# -*- coding: utf-8 -*-
#
# Copyright: (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# Copyright (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
# Copyright (c) 2021, Andrew Pantuso (@ajpantuso) <ajpantuso@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type

Some files were not shown because too many files have changed in this diff Show More