Added get_certificate module (#41735)

* Added get_certificate module. * Fixed test against bogus_ca.pem file
2026-05-07 05:42:50 +00:00 · 2018-12-07 08:27:16 -05:00
parent c802790c90
commit 6469baf460
7 changed files with 345 additions and 0 deletions
--- a/test/integration/targets/get_certificate/aliases
+++ b/test/integration/targets/get_certificate/aliases
@@ -0,0 +1,3 @@
+shippable/posix/group1
+destructive
+needs/httptester
--- a/test/integration/targets/get_certificate/files/bogus_ca.pem
+++ b/test/integration/targets/get_certificate/files/bogus_ca.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+DCCAeACCQCWuDvGDH3otTANBgkqhkiG9w0BAQsFADA+MQswCQYDVQQGEwJV
+UzEOMAwGA1UECAwFQm9ndXMxEDAOBgNVBAcMB0JhbG9uZXkxDTALBgNVBAoMBEFD
+TUUwHhcNMTgwNzEyMTgxNDA0WhcNMjMwNzExMTgxNDA0WjA+MQswCQYDVQQGEwJV
+UzEOMAwGA1UECAwFQm9ndXMxEDAOBgNVBAcMB0JhbG9uZXkxDTALBgNVBAoMBEFD
+TUUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLTGCpn8b+/2qdpkvK
+iwXU8PMOXBOmRa+GmzxsxMr1QZcY0m6pY3uuIvqErMFf4qp4BMxQF+VpDLVJUJX/
+1oKCM7J3hEfgmKRD4RmKhBlnWVv5YGZmvlXRJBl1AsDTONZy8iKJB5NYnB3ZyrJq
+H2GAgyJ55aYckoU55vwjRzKp49dZmzX5YS04Kzzzw/SmOuW8kMypZV5TJH+NXqKc
+pw3u3cJ4yJ9DHSU5pnhC5BeKl8XDMO42jRWt5/7C7JDiCbZ9lu5jQiv/4DhsRsHF
+A8/Lgl47sNDaBMbha786I9laPHLlVycpYaP6pwtizhN9ZRTdDOHmWi/vjiamERLL
+FjjLAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAA+1uj3tHaCai+A1H/kOgTN5e0eW
+/wmaxu8gNK5eiHrecNJNAlFxVTrCwhvv4nUW7NXVcW/1WUqSO0QMiPJhCsSLVAMF
+8MuYH73B+ctRqAGdeOAWF+ftCywZTEj5h5F0XiWB+TmkPlTVNShMiPFelDJpLy7u
+9MfiPEJjo4sZotQl8/pZ6R9cY6GpEXWnttcuhLJCEuiB8fWO7epiWYCt/Ak+CVmZ
+OzfI/euV6Upaen22lNu8V3ZwWEFtmU5CioKJ3S8DK5Mw/LJIJw1ZY9E+fTtn8x0k
+xlI4e7urD2FYhTdv2fFUG8Z5arb/3bICgsUYQZ+G1c3wjWtJg9zcy8hpnZQ=
+-----END CERTIFICATE-----
--- a/test/integration/targets/get_certificate/files/process_certs.py
+++ b/test/integration/targets/get_certificate/files/process_certs.py
@@ -0,0 +1,25 @@
+from sys import argv
+from subprocess import Popen, PIPE, STDOUT
+
+p = Popen(["openssl", "s_client", "-host", argv[1], "-port", "443", "-prexit", "-showcerts"], stdin=PIPE, stdout=PIPE, stderr=STDOUT)
+stdout = p.communicate(input=b'\n')[0]
+data = stdout.decode()
+
+certs = []
+cert = ""
+capturing = False
+for line in data.split('\n'):
+    if line == '-----BEGIN CERTIFICATE-----':
+        capturing = True
+
+    if capturing:
+        cert = "{0}{1}\n".format(cert, line)
+
+    if line == '-----END CERTIFICATE-----':
+        capturing = False
+        certs.append(cert)
+        cert = ""
+
+with open(argv[2], 'w') as f:
+    for cert in set(certs):
+        f.write(cert)
--- a/test/integration/targets/get_certificate/meta/main.yml
+++ b/test/integration/targets/get_certificate/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+  - setup_openssl
+  - prepare_http_tests
--- a/test/integration/targets/get_certificate/tasks/main.yml
+++ b/test/integration/targets/get_certificate/tasks/main.yml
@@ -0,0 +1,5 @@
+- block:
+
+    - include_tasks: ../tests/validate.yml
+
+  when: pyopenssl_version.stdout is version('0.15', '>=')
--- a/test/integration/targets/get_certificate/tests/validate.yml
+++ b/test/integration/targets/get_certificate/tests/validate.yml
@@ -0,0 +1,99 @@
+- name: Get servers certificate
+  get_certificate:
+    host: "{{ httpbin_host }}"
+    port: 443
+  register: result
+
+- debug: var=result
+
+- assert:
+    that:
+      # This module should never change anything
+      - result is not changed
+      - result is not failed
+      # We got the correct ST from the cert
+      - "'North Carolina' == result.subject.ST"
+
+- name: Connect to http port (will fail because there is no SSL cert to get)
+  get_certificate:
+    host: "{{ httpbin_host }}"
+    port: 80
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - result is not changed
+      - result is failed
+      # We got the expected error message
+      - "'The handshake operation timed out' in result.msg or 'unknown protocol' in result.msg or 'wrong version number' in result.msg"
+ 
+- name: Test timeout option
+  get_certificate:
+    host: "{{ httpbin_host }}"
+    port: 1234
+    timeout: 1
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - result is not changed
+      - result is failed
+      # We got the expected error message
+      - "'Failed to get cert from port with error: timed out' == result.msg or 'Connection refused' in result.msg"
+
+- name: Test failure if ca_certs is not a valid file
+  get_certificate:
+    host: "{{ httpbin_host }}"
+    port: 443
+    ca_certs: dn.e
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - result is not changed
+      - result is failed
+      # We got the correct response from the module
+      - "'ca_certs file does not exist' == result.msg"
+
+- name: Download CA Cert as pem from server
+  get_url:
+    url: "http://ansible.http.tests/cacert.pem"
+    dest: "{{ output_dir }}/temp.pem"
+
+- name: Get servers certificate comparing it to its own ca_cert file
+  get_certificate:
+    ca_certs: '{{ output_dir }}/temp.pem'
+    host: "{{ httpbin_host }}"
+    port: 443
+  register: result
+
+- assert:
+    that:
+      - result is not changed
+      - result is not failed
+
+- name: Get a temp directory
+  tempfile:
+    state: directory
+  register: my_temp_dir
+
+- name: Deploy the bogus_ca.pem file
+  copy:
+    src: "bogus_ca.pem"
+    dest: "{{ my_temp_dir.path }}/bogus_ca.pem"
+
+- name: Get servers certificate comparing it to an invalid ca_cert file
+  get_certificate:
+    ca_certs: '{{ my_temp_dir.path }}/bogus_ca.pem'
+    host: "{{ httpbin_host }}"
+    port: 443
+  register: result
+  ignore_errors: true
+
+- assert:
+    that:
+      - result is not changed
+      - result.failed