internet/community.general
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2026-04-19 23:31:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

openssl_*: add backup option (#54294)

Browse Source
This commit is contained in:
Felix Fontein
2019-03-30 15:38:43 +01:00
committed by René Moser
parent 5517b0384f
commit 188903448a
19 changed files with 494 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
lib/ansible/modules/crypto/openssl_certificate.py
View File

@@ -28,6 +28,9 @@ description:
- Many properties that can be specified in this module are for validation of an
existing or newly generated certificate. The proper place to specify them, if you
want to receive a certificate with these properties is a CSR (Certificate Signing Request).
- "Please note that the module regenerates existing certificate if it doesn't match the module's
options, or if it seems to be corrupt. If you are concerned that this could overwrite
your existing certificate, consider using the I(backup) option."
- It uses the pyOpenSSL or cryptography python library to interact with OpenSSL.
- If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements)
cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend))
@@ -359,6 +362,15 @@ options:
choices: [ auto, cryptography, pyopenssl ]
version_added: "2.8"
backup:
description:
- Create a backup file including a timestamp so you can get the original
certificate back if you overwrote it with a new one by accident.
- This is not used by the C(assertonly) provider.
type: bool
default: no
version_added: "2.8"
extends_documentation_fragment: files
notes:
- All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
@@ -510,6 +522,11 @@ filename:
returned: changed or success
type: str
sample: /etc/ssl/crt/www.ansible.com.crt
backup_file:
description: Name of backup file created.
returned: changed and if I(backup) is C(yes)
type: str
sample: /path/to/www.ansible.com.crt.2019-03-09@11:22~
'''
@@ -576,6 +593,9 @@ class Certificate(crypto_utils.OpenSSLObject):
self.backend = backend
self.module = module
self.backup = module.params['backup']
self.backup_file = None
def get_relative_time_option(self, input_string, input_name):
"""Return an ASN1 formatted string if a relative timespec
or an ASN1 formatted string is provided."""
@@ -663,6 +683,11 @@ class Certificate(crypto_utils.OpenSSLObject):
return False
return True
def remove(self, module):
if self.backup:
self.backup_file = module.backup_local(self.path)
super(Certificate, self).remove(module)
def check(self, module, perms_required=True):
"""Ensure the resource is in its desired state."""
@@ -711,6 +736,8 @@ class CertificateAbsent(Certificate):
'privatekey': self.privatekey_path,
'csr': self.csr_path
}
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -769,6 +796,8 @@ class SelfSignedCertificateCryptography(Certificate):
self.cert = certificate
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, certificate.public_bytes(Encoding.PEM))
self.changed = True
else:
@@ -786,6 +815,8 @@ class SelfSignedCertificateCryptography(Certificate):
'privatekey': self.privatekey_path,
'csr': self.csr_path
}
if self.backup_file:
result['backup_file'] = self.backup_file
if check_mode:
result.update({
@@ -847,6 +878,8 @@ class SelfSignedCertificate(Certificate):
cert.sign(self.privatekey, self.digest)
self.cert = cert
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert))
self.changed = True
@@ -862,6 +895,8 @@ class SelfSignedCertificate(Certificate):
'privatekey': self.privatekey_path,
'csr': self.csr_path
}
if self.backup_file:
result['backup_file'] = self.backup_file
if check_mode:
result.update({
@@ -935,6 +970,8 @@ class OwnCACertificateCryptography(Certificate):
self.cert = certificate
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, certificate.public_bytes(Encoding.PEM))
self.changed = True
else:
@@ -954,6 +991,8 @@ class OwnCACertificateCryptography(Certificate):
'ca_cert': self.ca_cert_path,
'ca_privatekey': self.ca_privatekey_path
}
if self.backup_file:
result['backup_file'] = self.backup_file
if check_mode:
result.update({
@@ -1024,6 +1063,8 @@ class OwnCACertificate(Certificate):
cert.sign(self.ca_privatekey, self.digest)
self.cert = cert
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert))
self.changed = True
@@ -1041,6 +1082,8 @@ class OwnCACertificate(Certificate):
'ca_cert': self.ca_cert_path,
'ca_privatekey': self.ca_privatekey_path
}
if self.backup_file:
result['backup_file'] = self.backup_file
if check_mode:
result.update({
@@ -1614,6 +1657,8 @@ class AcmeCertificate(Certificate):
self.csr_path,
self.challenge_path),
check_rc=True)[1]
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, to_bytes(crt))
self.changed = True
except OSError as exc:
@@ -1632,6 +1677,8 @@ class AcmeCertificate(Certificate):
'accountkey': self.accountkey_path,
'csr': self.csr_path,
}
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -1644,6 +1691,7 @@ def main():
provider=dict(type='str', choices=['acme', 'assertonly', 'ownca', 'selfsigned']),
force=dict(type='bool', default=False,),
csr_path=dict(type='path'),
backup=dict(type='bool', default=False),
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
# General properties of a certificate

28
lib/ansible/modules/crypto/openssl_csr.py
View File

@@ -21,6 +21,9 @@ description:
- It uses the pyOpenSSL python library to interact with openssl. This module supports
the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple
extensions.
- "Please note that the module regenerates existing CSR if it doesn't match the module's
options, or if it seems to be corrupt. If you are concerned that this could overwrite
your existing CSR, consider using the I(backup) option."
requirements:
- Either cryptography >= 1.3
- Or pyOpenSSL >= 0.15
@@ -190,6 +193,13 @@ options:
default: auto
choices: [ auto, cryptography, pyopenssl ]
version_added: '2.8'
backup:
description:
- Create a backup file including a timestamp so you can get the original
CSR back if you overwrote it with a new one by accident.
type: bool
default: no
version_added: "2.8"
extends_documentation_fragment:
- files
notes:
@@ -311,6 +321,11 @@ ocsp_must_staple:
returned: changed or success
type: bool
sample: false
backup_file:
description: Name of backup file created.
returned: changed and if I(backup) is C(yes)
type: str
sample: /path/to/www.ansible.com.csr.2019-03-09@11:22~
'''
import abc
@@ -394,6 +409,9 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
self.request = None
self.privatekey = None
self.backup = module.params['backup']
self.backup_file = None
self.subject = [
('C', module.params['country_name']),
('ST', module.params['state_or_province_name']),
@@ -422,6 +440,8 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
'''Generate the certificate signing request.'''
if not self.check(module, perms_required=False) or self.force:
result = self._generate_csr()
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, result)
self.changed = True
@@ -448,6 +468,11 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
return self._check_csr()
def remove(self, module):
if self.backup:
self.backup_file = module.backup_local(self.path)
super(CertificateSigningRequestBase, self).remove(module)
def dump(self):
'''Serialize the object into a dictionary.'''
@@ -462,6 +487,8 @@ class CertificateSigningRequestBase(crypto_utils.OpenSSLObject):
'ocspMustStaple': self.ocspMustStaple,
'changed': self.changed
}
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -829,6 +856,7 @@ def main():
basic_constraints_critical=dict(type='bool', default=False, aliases=['basicConstraints_critical']),
ocsp_must_staple=dict(type='bool', default=False, aliases=['ocspMustStaple']),
ocsp_must_staple_critical=dict(type='bool', default=False, aliases=['ocspMustStaple_critical']),
backup=dict(type='bool', default=False),
select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'cryptography', 'pyopenssl']),
),
add_file_common_args=True,

26
lib/ansible/modules/crypto/openssl_dhparam.py
View File

@@ -19,6 +19,9 @@ short_description: Generate OpenSSL Diffie-Hellman Parameters
description:
- This module allows one to (re)generate OpenSSL DH-params.
- This module uses file common arguments to specify generated file permissions.
- "Please note that the module regenerates existing DH params if they don't
match the module's options. If you are concerned that this could overwrite
your existing DH params, consider using the I(backup) option."
requirements:
- OpenSSL
author:
@@ -46,6 +49,13 @@ options:
- Name of the file in which the generated parameters will be saved.
type: path
required: true
backup:
description:
- Create a backup file including a timestamp so you can get the original
DH params back if you overwrote them with new ones by accident.
type: bool
default: no
version_added: "2.8"
extends_documentation_fragment:
- files
seealso:
@@ -83,6 +93,11 @@ filename:
returned: changed or success
type: str
sample: /etc/ssl/dhparams.pem
backup_file:
description: Name of backup file created.
returned: changed and if I(backup) is C(yes)
type: str
sample: /path/to/dhparams.pem.2019-03-09@11:22~
'''
import os
@@ -107,6 +122,9 @@ class DHParameter(object):
self.changed = False
self.openssl_bin = module.get_bin_path('openssl', True)
self.backup = module.params['backup']
self.backup_file = None
def generate(self, module):
"""Generate a keypair."""
changed = False
@@ -122,6 +140,8 @@ class DHParameter(object):
rc, dummy, err = module.run_command(command, check_rc=False)
if rc != 0:
raise DHParameterError(to_native(err))
if self.backup:
self.backup_file = module.backup_local(self.path)
try:
module.atomic_move(tmpsrc, self.path)
except Exception as e:
@@ -137,6 +157,8 @@ class DHParameter(object):
self.changed = changed
def remove(self, module):
if self.backup:
self.backup_file = module.backup_local(self.path)
try:
os.remove(self.path)
self.changed = True
@@ -186,6 +208,9 @@ class DHParameter(object):
'filename': self.path,
'changed': self.changed,
}
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -198,6 +223,7 @@ def main():
size=dict(type='int', default=4096),
force=dict(type='bool', default=False),
path=dict(type='path', required=True),
backup=dict(type='bool', default=False),
),
supports_check_mode=True,
add_file_common_args=True,

25
lib/ansible/modules/crypto/openssl_pkcs12.py
View File

@@ -86,6 +86,13 @@ options:
description:
- PKCS#12 file path to parse.
type: path
backup:
description:
- Create a backup file including a timestamp so you can get the original
output file back if you overwrote it with a new one by accident.
type: bool
default: no
version_added: "2.8"
extends_documentation_fragment:
- files
seealso:
@@ -155,6 +162,11 @@ privatekey:
returned: changed or success
type: str
sample: /etc/ssl/private/ansible.com.pem
backup_file:
description: Name of backup file created.
returned: changed and if I(backup) is C(yes)
type: str
sample: /path/to/ansible.com.pem.2019-03-09@11:22~
'''
import stat
@@ -203,6 +215,9 @@ class Pkcs(crypto_utils.OpenSSLObject):
if module.params['mode'] is None:
module.params['mode'] = '0400'
self.backup = module.params['backup']
self.backup_file = None
def check(self, module, perms_required=True):
"""Ensure the resource is in its desired state."""
@@ -232,6 +247,8 @@ class Pkcs(crypto_utils.OpenSSLObject):
}
if self.privatekey_path:
result['privatekey_path'] = self.privatekey_path
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -261,12 +278,19 @@ class Pkcs(crypto_utils.OpenSSLObject):
except crypto_utils.OpenSSLBadPassphraseError as exc:
raise PkcsError(exc)
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(
module,
self.pkcs12.export(self.passphrase, self.iter_size, self.maciter_size),
0o600
)
def remove(self, module):
if self.backup:
self.backup_file = module.backup_local(self.path)
super(Pkcs, self).remove(module)
def parse(self, module):
"""Read PKCS#12 file."""
@@ -301,6 +325,7 @@ def main():
privatekey_path=dict(type='path'),
state=dict(type='str', default='present', choices=['absent', 'present']),
src=dict(type='path'),
backup=dict(type='bool', default=False),
)
required_if = [

2
lib/ansible/modules/crypto/openssl_privatekey.py
View File

@@ -26,7 +26,7 @@ description:
- "Please note that the module regenerates private keys if they don't match
the module's options. In particular, if you provide another passphrase
(or specify none), change the keysize, etc., the private key will be
regenerated. If you are concerned that this could overwrite your private key,
regenerated. If you are concerned that this could **overwrite your private key**,
consider using the I(backup) option."
- The module can use the cryptography Python library, or the pyOpenSSL Python
library. By default, it tries to detect which one is available. This can be

25
lib/ansible/modules/crypto/openssl_publickey.py
View File

@@ -59,6 +59,13 @@ options:
- The passphrase for the private key.
type: str
version_added: "2.4"
backup:
description:
- Create a backup file including a timestamp so you can get the original
public key back if you overwrote it with a different one by accident.
type: bool
default: no
version_added: "2.8"
extends_documentation_fragment:
- files
seealso:
@@ -129,6 +136,11 @@ fingerprint:
sha256: "41:ab:c7:cb:d5:5f:30:60:46:99:ac:d4:00:70:cf:a1:76:4f:24:5d:10:24:57:5d:51:6e:09:97:df:2f:de:c7"
sha384: "85:39:50:4e:de:d9:19:33:40:70:ae:10:ab:59:24:19:51:c3:a2:e4:0b:1c:b1:6e:dd:b3:0c:d9:9e:6a:46:af:da:18:f8:ef:ae:2e:c0:9a:75:2c:9b:b3:0f:3a:5f:3d"
sha512: "fd:ed:5e:39:48:5f:9f:fe:7f:25:06:3f:79:08:cd:ee:a5:e7:b3:3d:13:82:87:1f:84:e1:f5:c7:28:77:53:94:86:56:38:69:f0:d9:35:22:01:1e:a6:60:...:0f:9b"
backup_file:
description: Name of backup file created.
returned: changed and if I(backup) is C(yes)
type: str
sample: /path/to/publickey.pem.2019-03-09@11:22~
'''
import os
@@ -169,6 +181,9 @@ class PublicKey(crypto_utils.OpenSSLObject):
self.privatekey = None
self.fingerprint = {}
self.backup = module.params['backup']
self.backup_file = None
def generate(self, module):
"""Generate the public key."""
@@ -197,6 +212,8 @@ class PublicKey(crypto_utils.OpenSSLObject):
)
publickey_content = crypto.dump_publickey(crypto.FILETYPE_PEM, self.privatekey)
if self.backup:
self.backup_file = module.backup_local(self.path)
crypto_utils.write_file(module, publickey_content)
self.changed = True
@@ -253,6 +270,11 @@ class PublicKey(crypto_utils.OpenSSLObject):
return _check_privatekey()
def remove(self, module):
if self.backup:
self.backup_file = module.backup_local(self.path)
super(PublicKey, self).remove(module)
def dump(self):
"""Serialize the object into a dictionary."""
@@ -263,6 +285,8 @@ class PublicKey(crypto_utils.OpenSSLObject):
'changed': self.changed,
'fingerprint': self.fingerprint,
}
if self.backup_file:
result['backup_file'] = self.backup_file
return result
@@ -277,6 +301,7 @@ def main():
privatekey_path=dict(type='path'),
format=dict(type='str', default='PEM', choices=['OpenSSH', 'PEM']),
privatekey_passphrase=dict(type='str', no_log=True),
backup=dict(type='bool', default=False),
),
supports_check_mode=True,
add_file_common_args=True,