mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-03-26 21:33:25 +00:00
44bcc8cebc
* Add __all__ to all module and plugin utils. * Convert quite a few positional args to keyword args. * Avoid Python 3.8+ syntax.
112 lines
3.6 KiB
Python
112 lines
3.6 KiB
Python
#!/usr/bin/python
|
|
# Copyright (c) 2016 Michael Gruener <michael.gruener@chaosmoon.net>
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from __future__ import annotations
|
|
|
|
|
|
DOCUMENTATION = r"""
|
|
module: acme_certificate_deactivate_authz
|
|
author: "Felix Fontein (@felixfontein)"
|
|
version_added: 2.20.0
|
|
short_description: Deactivate all authz for an ACME v2 order
|
|
description:
|
|
- Deactivate all authentication objects (authz) for an ACME v2 order, which effectively deactivates (invalidates) the order
|
|
itself.
|
|
- Authentication objects are bound to an account key and remain valid for a certain amount of time, and can be used to issue
|
|
certificates without having to re-authenticate the domain. This can be a security concern.
|
|
- Another reason to use this module is to deactivate an order whose processing failed when using
|
|
O(community.crypto.acme_certificate#module:include_renewal_cert_id).
|
|
seealso:
|
|
- module: community.crypto.acme_certificate
|
|
extends_documentation_fragment:
|
|
- community.crypto.acme.basic
|
|
- community.crypto.acme.account
|
|
- community.crypto.attributes
|
|
- community.crypto.attributes.actiongroup_acme
|
|
attributes:
|
|
check_mode:
|
|
support: full
|
|
diff_mode:
|
|
support: none
|
|
idempotent:
|
|
support: full
|
|
options:
|
|
order_uri:
|
|
description:
|
|
- The ACME v2 order to deactivate.
|
|
- Can be obtained from RV(community.crypto.acme_certificate#module:order_uri).
|
|
type: str
|
|
required: true
|
|
"""
|
|
|
|
EXAMPLES = r"""
|
|
---
|
|
- name: Deactivate all authzs for an order
|
|
community.crypto.acme_certificate_deactivate_authz:
|
|
account_key_content: "{{ account_private_key }}"
|
|
order_uri: "{{ certificate_result.order_uri }}"
|
|
"""
|
|
|
|
RETURN = """#"""
|
|
|
|
import typing as t
|
|
|
|
from ansible_collections.community.crypto.plugins.module_utils._acme.account import (
|
|
ACMEAccount,
|
|
)
|
|
from ansible_collections.community.crypto.plugins.module_utils._acme.acme import (
|
|
ACMEClient,
|
|
create_backend,
|
|
create_default_argspec,
|
|
)
|
|
from ansible_collections.community.crypto.plugins.module_utils._acme.errors import (
|
|
ModuleFailException,
|
|
)
|
|
from ansible_collections.community.crypto.plugins.module_utils._acme.orders import Order
|
|
|
|
|
|
def main() -> t.NoReturn:
|
|
argument_spec = create_default_argspec()
|
|
argument_spec.update_argspec(
|
|
order_uri=dict(type="str", required=True),
|
|
)
|
|
module = argument_spec.create_ansible_module(supports_check_mode=True)
|
|
|
|
backend = create_backend(module, needs_acme_v2=False)
|
|
|
|
try:
|
|
client = ACMEClient(module=module, backend=backend)
|
|
account = ACMEAccount(client=client)
|
|
|
|
dummy, account_data = account.setup_account(allow_creation=False)
|
|
if account_data is None:
|
|
raise ModuleFailException(msg="Account does not exist or is deactivated.")
|
|
|
|
order = Order.from_url(client=client, url=module.params["order_uri"])
|
|
order.load_authorizations(client=client)
|
|
|
|
changed = False
|
|
for authz in order.authorizations.values():
|
|
if not authz.can_deactivate():
|
|
continue
|
|
changed = True
|
|
if module.check_mode:
|
|
continue
|
|
try:
|
|
authz.deactivate(client=client)
|
|
except Exception:
|
|
# ignore errors
|
|
pass
|
|
if authz.status != "deactivated":
|
|
module.warn(warning=f"Could not deactivate authz object {authz.url}.")
|
|
|
|
module.exit_json(changed=changed)
|
|
except ModuleFailException as e:
|
|
e.do_fail(module=module)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|