add openssh_cert module (#49605)

* add openssh_cert module

* fix some linter issues

* address review feedback

* add basis for integration tests

* change valid datetime formats

* handle principals as set not as list

* handle principals as set not as list

* handle principals as set not as list

test/integration/targets/openssh_cert/aliases

@@ -0,0 +1,2 @@
+shippable/posix/group1
+destructive

test/integration/targets/openssh_cert/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - setup_ssh_keygen

test/integration/targets/openssh_cert/tasks/main.yml

@@ -0,0 +1,297 @@
+- name: openssh_cert integration tests
+  when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6")
+  block:
+  - name: Generate keypair (check mode)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      type: rsa
+    check_mode: yes
+  - name: Generate keypair
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      type: rsa
+  - name: Generate keypair (idempotent)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      type: rsa
+  - name: Generate keypair (idempotent, check mode)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      type: rsa
+    check_mode: yes
+  - name: Generate always valid cert (check mode)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+    check_mode: yes
+  - name: Generate always valid cert
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+  - name: Generate always valid cert (idempotent)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+  - name: Generate always valid cert (idempotent, check mode)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+    check_mode: yes
+  - name: Generate restricted validity cert with valid_at (check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: +0s
+      valid_to: +32w
+      valid_at: +2w
+    check_mode: yes
+  - name: Generate restricted validity cert with valid_at
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: +0s
+      valid_to: +32w
+      valid_at: +2w
+  - name: Generate restricted validity cert with valid_at (idempotent)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: +0s
+      valid_to: +32w
+      valid_at: +2w
+  - name: Generate restricted validity cert with valid_at (idempotent, check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: +0s
+      valid_to: +32w
+      valid_at: +2w
+    check_mode: yes
+  - name: Generate always valid cert only for example.com and examplehost (check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+      principals:
+          - example.com
+          - examplehost
+    check_mode: yes
+  - name: Generate always valid cert only for example.com and examplehost
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+      principals:
+          - example.com
+          - examplehost
+  - name: Generate always valid cert only for example.com and examplehost (idempotent)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+      principals:
+          - example.com
+          - examplehost
+  - name: Generate always valid cert only for example.com and examplehost (idempotent, check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+      principals:
+          - example.com
+          - examplehost
+    check_mode: yes
+  - name: Generate always valid cert only for example.com and examplehost (idempotent, switch)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: always
+      valid_to: forever
+      principals:
+          - examplehost
+          - example.com
+  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (idempotent)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+  - name: Generate OpenSSH host Certificate that is valid from 21.1.2001 to 21.1.2019 (idempotent, check mode)
+    openssh_cert:
+      type: host
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Generate an OpenSSH user Certificate with clear and force-command option (check mode)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      options:
+          - "clear"
+          - "force-command=/tmp/bla/foo"
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Generate an OpenSSH user Certificate with clear and force-command option
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      options:
+          - "clear"
+          - "force-command=/tmp/bla/foo"
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      options:
+          - "clear"
+          - "force-command=/tmp/bla/foo"
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent, check mode)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      options:
+          - "clear"
+          - "force-command=/tmp/bla/foo"
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Generate an OpenSSH user Certificate with clear and force-command option (idempotent, switch)
+    openssh_cert:
+      type: user
+      signing_key: '{{ output_dir }}/id_key'
+      public_key: '{{ output_dir }}/id_key.pub'
+      path: '{{ output_dir }}/id_cert'
+      options:
+          - "force-command=/tmp/bla/foo"
+          - "clear"
+      valid_from: "2001-01-21"
+      valid_to: "2019-01-21"
+  - name: Remove certificate (check mode)
+    openssh_cert:
+      state: absent
+      path: '{{ output_dir }}/id_cert'
+      #type: user
+      #signing_key: '{{ output_dir }}/id_key'
+      #public_key: '{{ output_dir }}/id_key.pub'
+      #valid_from: "2001-01-21"
+      #valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Remove certificate
+    openssh_cert:
+      state: absent
+      path: '{{ output_dir }}/id_cert'
+      #type: user
+      #signing_key: '{{ output_dir }}/id_key'
+      #public_key: '{{ output_dir }}/id_key.pub'
+      #valid_from: "2001-01-21"
+      #valid_to: "2019-01-21"
+  - name: Remove certificate (idempotent)
+    openssh_cert:
+      state: absent
+      path: '{{ output_dir }}/id_cert'
+      #type: user
+      #signing_key: '{{ output_dir }}/id_key'
+      #public_key: '{{ output_dir }}/id_key.pub'
+      #valid_from: "2001-01-21"
+      #valid_to: "2019-01-21"
+  - name: Remove certificate (idempotent, check mode)
+    openssh_cert:
+      state: absent
+      path: '{{ output_dir }}/id_cert'
+      #type: user
+      #signing_key: '{{ output_dir }}/id_key'
+      #public_key: '{{ output_dir }}/id_key.pub'
+      #valid_from: "2001-01-21"
+      #valid_to: "2019-01-21"
+    check_mode: yes
+  - name: Remove keypair (check mode)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      state: absent
+    check_mode: yes
+  - name: Remove keypair
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      state: absent
+  - name: Remove keypair (idempotent)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      state: absent
+  - name: Remove keypair (idempotent, check mode)
+    openssh_keypair:
+      path: '{{ output_dir }}/id_key'
+      state: absent
+    check_mode: yes