community.crypto/plugins/module_utils/crypto/module_backends/crl_info.py

# Copyright (c) 2020, Felix Fontein <felix@fontein.de>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import annotations

import typing as t

from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_crl import (
    TIMESTAMP_FORMAT,
    cryptography_decode_revoked_certificate,
    cryptography_dump_revoked,
    cryptography_get_signature_algorithm_oid_from_crl,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
    cryptography_oid_to_name,
)
from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
    identify_pem_format,
)
from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
    assert_required_cryptography_version,
)


if t.TYPE_CHECKING:
    from ansible.module_utils.basic import AnsibleModule
    from cryptography.hazmat.primitives.asymmetric.types import (
        PrivateKeyTypes,
    )

    from ....plugin_utils.action_module import AnsibleActionModule
    from ....plugin_utils.filter_module import FilterModuleMock

    GeneralAnsibleModule = t.Union[AnsibleModule, AnsibleActionModule, FilterModuleMock]


# crypto_utils

MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION

try:
    from cryptography import x509
except ImportError:
    pass


class CRLInfoRetrieval:
    def __init__(
        self,
        module: GeneralAnsibleModule,
        content: bytes,
        list_revoked_certificates: bool = True,
    ) -> None:
        # content must be a bytes string
        self.module = module
        self.content = content
        self.list_revoked_certificates = list_revoked_certificates
        self.name_encoding = module.params.get("name_encoding", "ignore")

    def get_info(self) -> dict[str, t.Any]:
        self.crl_pem = identify_pem_format(self.content)
        try:
            if self.crl_pem:
                self.crl = x509.load_pem_x509_crl(self.content)
            else:
                self.crl = x509.load_der_x509_crl(self.content)
        except ValueError as e:
            self.module.fail_json(msg=f"Error while decoding CRL: {e}")

        result: dict[str, t.Any] = {
            "changed": False,
            "format": "pem" if self.crl_pem else "der",
            "last_update": None,
            "next_update": None,
            "digest": None,
            "issuer_ordered": None,
            "issuer": None,
        }

        result["last_update"] = self.crl.last_update.strftime(TIMESTAMP_FORMAT)
        result["next_update"] = (
            self.crl.next_update.strftime(TIMESTAMP_FORMAT)
            if self.crl.next_update
            else None
        )
        result["digest"] = cryptography_oid_to_name(
            cryptography_get_signature_algorithm_oid_from_crl(self.crl)
        )
        issuer = []
        for attribute in self.crl.issuer:
            issuer.append([cryptography_oid_to_name(attribute.oid), attribute.value])
        result["issuer_ordered"] = issuer
        result["issuer"] = {}
        for k, v in issuer:
            result["issuer"][k] = v
        if self.list_revoked_certificates:
            result["revoked_certificates"] = []
            for cert in self.crl:
                entry = cryptography_decode_revoked_certificate(cert)
                result["revoked_certificates"].append(
                    cryptography_dump_revoked(entry, idn_rewrite=self.name_encoding)
                )

        return result


def get_crl_info(
    module: GeneralAnsibleModule, content: bytes, list_revoked_certificates: bool = True
) -> dict[str, t.Any]:
    assert_required_cryptography_version(
        module, minimum_cryptography_version=MINIMAL_CRYPTOGRAPHY_VERSION
    )
    info = CRLInfoRetrieval(
        module, content, list_revoked_certificates=list_revoked_certificates
    )
    return info.get_info()