From 7a1fb24aa4449c398eb6cfd267c2476420ee118c Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Fri, 15 Dec 2023 17:00:35 -0700 Subject: [PATCH] ci: Use supported ansible-lint action; run ansible-lint against the collection The old ansible-community ansible-lint is deprecated. There is a new ansible-lint github action. The new ansible-lint has several checks related to ansible-test and the ignore files. Many of our ignore settings are not allowed any more and are required to be fixed or addressed in the Ansible preferred way. The python imports have to be wrapped in a try/except ImportError, and where possible, an error must be returned from the module explaining what was not able to be imported. The result of this is that the .sanity files can be reduced to the bare minimum which will greatly reduce the maintenance burden of those files, make it easier to support newer versions of Ansible, and make it easier to import the system roles collection into Galaxy and Automation Hub. `distutils.version` is deprecated, and it is a hard error in python 3.12 Instead, use `packaging.version` - unfortunately, this means having to add a dependency on `python3-packaging` on platforms that support it - notably, there is no python-packaging available on EL7, so fall back to using `distutils.version` there. The latest Ansible repo gating tests run ansible-lint against the collection format instead of against individual roles. We have to convert the role to collection format before running ansible-test. Role developers can run this locally using `tox -e collection,ansible-lint-collection` See https://github.com/linux-system-roles/tox-lsr/pull/125 Add `---` doc start to .markdownlint.yaml 
Signed-off-by: Rich Megginson --- .markdownlint.yaml | 1 + .ostree/packages-runtime-CentOS-9.txt | 1 + .ostree/packages-runtime-Fedora.txt | 1 + .ostree/packages-runtime-RedHat-9.txt | 1 + .sanity-ansible-ignore-2.10.txt | 25 ------ .sanity-ansible-ignore-2.11.txt | 30 ------- .sanity-ansible-ignore-2.12.txt | 34 -------- .sanity-ansible-ignore-2.13.txt | 34 -------- .sanity-ansible-ignore-2.14.txt | 33 -------- .sanity-ansible-ignore-2.15.txt | 33 -------- .sanity-ansible-ignore-2.16.txt | 1 + .sanity-ansible-ignore-2.9.txt | 26 ------ library/certificate_request.py | 78 +++++++++-------- .../certificate_lsr/providers/base.py | 83 ++++++++++++++++--- .../certificate_lsr/providers/certmonger.py | 40 +++++++-- tests/tests_include_vars_from_parent.yml | 9 ++ vars/CentOS_9.yml | 5 ++ vars/Fedora.yml | 5 ++ vars/RedHat_9.yml | 5 ++ vars/main.yml | 6 +- 20 files changed, 185 insertions(+), 266 deletions(-) create mode 100644 .sanity-ansible-ignore-2.16.txt create mode 100644 vars/CentOS_9.yml create mode 100644 vars/Fedora.yml create mode 100644 vars/RedHat_9.yml diff --git a/.markdownlint.yaml b/.markdownlint.yaml index 4f8a979..6bf4ccd 100644 --- a/.markdownlint.yaml +++ b/.markdownlint.yaml @@ -1,3 +1,4 @@ +--- # Default state for all rules default: true diff --git a/.ostree/packages-runtime-CentOS-9.txt b/.ostree/packages-runtime-CentOS-9.txt index 449febc..35de0c3 100644 --- a/.ostree/packages-runtime-CentOS-9.txt +++ b/.ostree/packages-runtime-CentOS-9.txt @@ -1,3 +1,4 @@ python3-cryptography python3-dbus +python3-packaging python3-pyasn1 diff --git a/.ostree/packages-runtime-Fedora.txt b/.ostree/packages-runtime-Fedora.txt index 449febc..35de0c3 100644 --- a/.ostree/packages-runtime-Fedora.txt +++ b/.ostree/packages-runtime-Fedora.txt @@ -1,3 +1,4 @@ python3-cryptography python3-dbus +python3-packaging python3-pyasn1 diff --git a/.ostree/packages-runtime-RedHat-9.txt b/.ostree/packages-runtime-RedHat-9.txt index 449febc..35de0c3 100644 
--- a/.ostree/packages-runtime-RedHat-9.txt
+++ b/.ostree/packages-runtime-RedHat-9.txt
@@ -1,3 +1,4 @@
 python3-cryptography
 python3-dbus
+python3-packaging
 python3-pyasn1
diff --git a/.sanity-ansible-ignore-2.10.txt b/.sanity-ansible-ignore-2.10.txt
index b9e0e33..b3c573d 100644
--- a/.sanity-ansible-ignore-2.10.txt
+++ b/.sanity-ansible-ignore-2.10.txt
@@ -1,26 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/modules/certificate_request.py import-2.6!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.11.txt b/.sanity-ansible-ignore-2.11.txt
index 9641d3d..b3c573d 100644
--- a/.sanity-ansible-ignore-2.11.txt
+++ b/.sanity-ansible-ignore-2.11.txt
@@ -1,31 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py compile-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.9!skip
-plugins/modules/certificate_request.py import-2.6!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
-plugins/modules/certificate_request.py import-3.9!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.12.txt b/.sanity-ansible-ignore-2.12.txt
index 043aeb8..b3c573d 100644
--- a/.sanity-ansible-ignore-2.12.txt
+++ b/.sanity-ansible-ignore-2.12.txt
@@ -1,35 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py compile-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.10!skip
-plugins/modules/certificate_request.py import-2.6!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
-plugins/modules/certificate_request.py import-3.9!skip
-plugins/modules/certificate_request.py import-3.10!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.13.txt b/.sanity-ansible-ignore-2.13.txt
index 043aeb8..b3c573d 100644
--- a/.sanity-ansible-ignore-2.13.txt
+++ b/.sanity-ansible-ignore-2.13.txt
@@ -1,35 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py compile-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.10!skip
-plugins/modules/certificate_request.py import-2.6!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
-plugins/modules/certificate_request.py import-3.9!skip
-plugins/modules/certificate_request.py import-3.10!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.14.txt b/.sanity-ansible-ignore-2.14.txt
index d3e70d0..b3c573d 100644
--- a/.sanity-ansible-ignore-2.14.txt
+++ b/.sanity-ansible-ignore-2.14.txt
@@ -1,34 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.11!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.11!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.11!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
-plugins/modules/certificate_request.py import-3.9!skip
-plugins/modules/certificate_request.py import-3.10!skip
-plugins/modules/certificate_request.py import-3.11!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.15.txt b/.sanity-ansible-ignore-2.15.txt
index d3e70d0..b3c573d 100644
--- a/.sanity-ansible-ignore-2.15.txt
+++ b/.sanity-ansible-ignore-2.15.txt
@@ -1,34 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.11!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.11!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.9!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.10!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.11!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
-plugins/modules/certificate_request.py import-3.9!skip
-plugins/modules/certificate_request.py import-3.10!skip
-plugins/modules/certificate_request.py import-3.11!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/.sanity-ansible-ignore-2.16.txt b/.sanity-ansible-ignore-2.16.txt
new file mode 100644
index 0000000..b3c573d
--- /dev/null
+++ b/.sanity-ansible-ignore-2.16.txt
@@ -0,0 +1 @@
+plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
diff --git a/.sanity-ansible-ignore-2.9.txt b/.sanity-ansible-ignore-2.9.txt
index 9e2becd..b3c573d 100644
--- a/.sanity-ansible-ignore-2.9.txt
+++ b/.sanity-ansible-ignore-2.9.txt
@@ -1,27 +1 @@
-plugins/module_utils/certificate_lsr/providers/base.py compile-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/base.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/certmonger.py import-3.8!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-2.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.5!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.6!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.7!skip
-plugins/module_utils/certificate_lsr/providers/providers.py import-3.8!skip
-plugins/modules/certificate_request.py import-2.6!skip
-plugins/modules/certificate_request.py import-2.7!skip
-plugins/modules/certificate_request.py import-3.5!skip
-plugins/modules/certificate_request.py import-3.6!skip
-plugins/modules/certificate_request.py import-3.7!skip
-plugins/modules/certificate_request.py import-3.8!skip
 plugins/modules/certificate_request.py validate-modules:missing-gplv3-license
-plugins/modules/certificate_request.py validate-modules:import-error
diff --git a/library/certificate_request.py b/library/certificate_request.py
index ffe2ed2..d77ce40 100644
--- a/library/certificate_request.py
+++ b/library/certificate_request.py
@@ -30,71 +30,76 @@ where files will be stored or a just a simple file name to be stored in I(directory). required: true + type: str dns: description: - Domain (or list of domains) to be included in the certificate. Also can provide the default value for I(common_name). - required: false + type: list + elements: str ip: description: - IP (or list of IPs) to be included in the certificate. IPs can be IPv4, IPv6 or both. Also can provide the default value for I(common_name). - required: false + type: list + elements: str email: description: - Email (or list of emails) to be included in the certificate. Also can provide the default value for I(common_name). - required: false + type: list + elements: str owner: description: - User name (or user id) for the certificate and key files. - required: false + type: str group: description: - Group name (or group id) for the certificate and key files. - required: false + type: str mode: description: - The file system permissions for the certificate and key files. type: raw - required: false common_name: description: - Common Name requested for the certificate subject. - required: false + type: str key_size: description: - Generate keys with a specific keysize in bits, by default 2048. - required: false + type: int ca: description: - CA that will issue the certificate. The available options will vary depending on each provider. + type: str required: true provider: description: - The underlying method used to request and manage the certificate. - required: false + type: str default: certmonger directory: description: - Directory where certificate and key will be stored. Only used if I(name) is not an absolute path. - required: false + type: str default: /etc/pki/tls provider_config_directory: description: - Directory where pre/post run scripts will be stored. - required: false + type: str default: /etc/certmonger principal: description: - Kerberos principal. 
- required: false + type: list + elements: str key_usage: description: - Allowed Key Usage for the certificate. @@ -108,7 +113,8 @@ - cRLSign - encipherOnly - decipherOnly - required: false + type: list + elements: str default: - digitalSignature - keyEncipherment @@ -116,54 +122,55 @@ description: - Extended Key Usage attributes to be present in the certificate request. - required: false default: - id-kp-serverAuth - id-kp-clientAuth + type: list + elements: str auto_renew: description: - Indicates if the certificate should be renewed automatically before it expires. - required: false + type: bool default: true wait: description: - If the role should block while waiting for the certificate to be issued. - required: false + type: bool default: true country: description: - Country requested for the certificate subject. - required: false + type: str state: description: - State requested for the certificate subject. - required: false + type: str locality: description: - Locality requested for the certificate subject (usually city). - required: false + type: str organization: description: - Organization requested for the certificate subject. - required: false + type: str organizational_unit: description: - Organizational unit requested for the certificate subject. - required: false + type: str contact_email: description: - Contact email requested for the certificate subject. - required: false + type: str run_before: description: - Command that should run before saving the certificate. - required: false + type: str run_after: description: - Command that should run after saving the certificate. - required: false + type: str __header: description: - Ansible ansible_managed string to put in header of file @@ -256,7 +263,7 @@ certificate_request: name: mycert dns: www.example.com - auto_renew: no + auto_renew: false ca: self-sign # Not wait for certificate to be issued 
@@ -264,7 +271,7 @@ certificate_request: name: single-example dns: www.example.com - wait: no + wait: false ca: self-sign # Certificate with more subject data @@ -344,9 +351,9 @@ def _get_argument_spec(): """Return a dict with the module arguments.""" return dict( name=dict(type="str", required=True), - dns=dict(type="list"), - ip=dict(type="list"), - email=dict(type="list"), + dns=dict(type="list", elements="str"), + ip=dict(type="list", elements="str"), + email=dict(type="list", elements="str"), common_name=dict(type="str"), country=dict(type="str"), state=dict(type="str"), @@ -362,16 +369,21 @@ def _get_argument_spec(): owner=dict(type="str"), group=dict(type="str"), mode=dict(type="raw"), - principal=dict(type="list"), + principal=dict(type="list", elements="str"), key_usage=dict( - type="list", choices=KEY_USAGE_CHOICES, default=KEY_USAGE_DEFAULTS + type="list", + choices=KEY_USAGE_CHOICES, + default=KEY_USAGE_DEFAULTS, + elements="str", + ), + extended_key_usage=dict( + type="list", default=EXTENDED_KEY_USAGE_DEFAULTS, elements="str" ), - extended_key_usage=dict(type="list", default=EXTENDED_KEY_USAGE_DEFAULTS), auto_renew=dict(type="bool", default=True), wait=dict(type="bool", default=True), run_before=dict(type="str"), run_after=dict(type="str"), - __header=dict(type="str"), + __header=dict(type="str", required=True), ) @property diff --git a/module_utils/certificate_lsr/providers/base.py b/module_utils/certificate_lsr/providers/base.py index faf1ba3..4a51467 100644 --- a/module_utils/certificate_lsr/providers/base.py +++ b/module_utils/certificate_lsr/providers/base.py 
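Review bot: `__header=dict(type="str", required=True)` makes the argument mandatory, but the DOCUMENTATION entry for `__header` — whose description is the last context line of the `@@ -116,54 +122,55 @@` hunk, with the rest of the entry outside it — is not shown gaining a matching `required: true`, and validate-modules reports a doc/argspec mismatch when the two disagree. Any direct caller of the module that omitted `__header` (for example a test playbook invoking `certificate_request` without going through the role) now fails with a missing-argument error, which is a behaviour change beyond the lint fixes the commit describes. Either add `required: true` to the `__header` documentation entry or keep the argument optional as before.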
@@ -8,18 +8,84 @@ import hashlib import os -import ipaddress +import traceback + +try: + import ipaddress +except ImportError: + HAS_IPADDRESS = False + IPADDRESS_IMPORT_ERROR = traceback.format_exc() +else: + HAS_IPADDRESS = True + IPADDRESS_IMPORT_ERROR = None from abc import ABCMeta, abstractmethod from pprint import pformat -from cryptography import x509 -from cryptography.hazmat.backends import default_backend -from cryptography.x509.oid import NameOID, ObjectIdentifier -from pyasn1.codec.der import decoder -from pyasn1.type import char, namedtype, tag, univ +# for ansible-test import/compile functionality +def fake_func(*args, **kwargs): + return None + + +class FakeSubClass(object): + def __init__(self, *args): + pass + + def __getattr__(self, value): + if value == "subtype": + return fake_func + else: + return object + + +class FakeBaseClass(object): + def __getattr__(self, value): + if value == "oid": + return FakeBaseClass() + elif value.endswith("OID"): + return FakeSubClass() + else: + return FakeSubClass + + +# for ansible-test import/compile functionality + + +try: + from cryptography import x509 + from cryptography.hazmat.backends import default_backend + from cryptography.x509.oid import NameOID, ObjectIdentifier +except ImportError: + HAS_CRYPTOGRAPHY = False + CRYPTOGRAPHY_IMPORT_ERROR = traceback.format_exc() + x509 = FakeBaseClass() + ANY_EXTENDED_KEY_USAGE = None + IPSEC_END_SYSTEM = None + IPSEC_TUNNEL = None + IPSEC_USER = None +else: + HAS_CRYPTOGRAPHY = True + CRYPTOGRAPHY_IMPORT_ERROR = None + ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0") + IPSEC_END_SYSTEM = ObjectIdentifier("1.3.6.1.5.5.7.3.5") + IPSEC_TUNNEL = ObjectIdentifier("1.3.6.1.5.5.7.3.6") + IPSEC_USER = ObjectIdentifier("1.3.6.1.5.5.7.3.7") + +try: + from pyasn1.codec.der import decoder + from pyasn1.type import char, namedtype, tag, univ +except ImportError: + HAS_PYASN1 = False + PYASN1_IMPORT_ERROR = traceback.format_exc() + univ = FakeBaseClass() + namedtype = 
FakeBaseClass() + tag = FakeBaseClass() + char = FakeBaseClass() +else: + HAS_PYASN1 = True + PYASN1_IMPORT_ERROR = None from ansible.module_utils.six import PY2 from ansible.module_utils._text import to_bytes, to_text @@ -27,11 +93,6 @@ if PY2: FileNotFoundError = IOError # pylint: disable=redefined-builtin -ANY_EXTENDED_KEY_USAGE = ObjectIdentifier("2.5.29.37.0") -IPSEC_END_SYSTEM = ObjectIdentifier("1.3.6.1.5.5.7.3.5") -IPSEC_TUNNEL = ObjectIdentifier("1.3.6.1.5.5.7.3.6") -IPSEC_USER = ObjectIdentifier("1.3.6.1.5.5.7.3.7") - def _escape_dn_value(val): """Escape special characters in RFC4514 Distinguished Name value.""" diff --git a/module_utils/certificate_lsr/providers/certmonger.py b/module_utils/certificate_lsr/providers/certmonger.py index 7fe27c6..3023fed 100644 --- a/module_utils/certificate_lsr/providers/certmonger.py +++ b/module_utils/certificate_lsr/providers/certmonger.py 
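Review bot: The `FakeBaseClass`/`FakeSubClass` stand-ins bound to `x509`, `univ`, `namedtype`, `tag` and `char` in the `except ImportError` branches turn a missing `cryptography` or `pyasn1` from an import-time failure into a silent success, yet nothing in this diff consults `HAS_CRYPTOGRAPHY`, `HAS_PYASN1` or `HAS_IPADDRESS` (nor `HAS_PACKAGING`/`HAS_DBUS` from the certmonger.py hunk), and the library/certificate_request.py hunks only touch docs and the argspec. On a target that really lacks a library the provider code would run against stubs whose attributes resolve to `object` or `FakeSubClass`, with `ANY_EXTENDED_KEY_USAGE` and the IPsec OIDs set to `None`, so the failure surfaces as an obscure `TypeError`/`AttributeError` inside certificate handling instead of the clear missing-dependency error the commit message calls for. Where the module object is constructed, add `if not HAS_CRYPTOGRAPHY: module.fail_json(msg=missing_required_lib("cryptography"), exception=CRYPTOGRAPHY_IMPORT_ERROR)` (`missing_required_lib` is in `ansible.module_utils.basic`) and the equivalent for the other four flags; if such checks already exist outside these hunks, disregard. The stubs also deserve a comment stating that they exist only so ansible-test's import/compile sanity checks can load the module and must never be reached at runtime — the second `# for ansible-test import/compile functionality` line after the class definitions currently reads as a leftover rather than saying that.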
@@ -6,9 +6,39 @@ __metaclass__ = type -from distutils.version import StrictVersion - -import dbus +import traceback + +# Yes, yes, yes - distutils is deprecated - but we still have to support +# older platforms which do not have packaging.version - so tell ansible-test +# with newer python to shut up +try: + from packaging.version import Version as CertificateVersion +except ImportError: + import warnings + + warnings.filterwarnings("ignore", category=DeprecationWarning) + try: + from distutils.version import StrictVersion as CertificateVersion + except ImportError: + HAS_PACKAGING = False + PACKAGING_IMPORT_ERROR = traceback.format_exc() + else: + HAS_PACKAGING = True + PACKAGING_IMPORT_ERROR = None + # re-enable deprecation warnings for other code + warnings.filterwarnings("default", category=DeprecationWarning) +else: + HAS_PACKAGING = True + PACKAGING_IMPORT_ERROR = None + +try: + import dbus +except ImportError: + HAS_DBUS = False + DBUS_IMPORT_ERROR = traceback.format_exc() +else: + HAS_DBUS = True + DBUS_IMPORT_ERROR = None from ansible.module_utils.certificate_lsr.providers import base @@ -73,7 +103,7 @@ def certmonger_version(self): ret, out, err = self._run_command(certmonger_version_cmd, check_rc=False) if ret == 0 and not err: version_str = out.split(" ")[1] - self._version = StrictVersion(version_str) + self._version = CertificateVersion(version_str) else: self.module.fail_json( msg="Could not get certmonger version using '{0}'".format( @@ -265,7 +295,7 @@ def request_certificate(self): # Set certificate key size key_size = self.module.params.get("key_size") - allow_key_size_update = self.certmonger_version >= StrictVersion("0.79.0") + allow_key_size_update = self.certmonger_version >= CertificateVersion("0.79.0") if key_size is not None and not allow_key_size_update: self.module.fail_json( msg="Your certmonger version does not support attribute 'key_size'" 
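Review bot: `warnings.filterwarnings("ignore", category=DeprecationWarning)` in the `distutils` fallback changes the process-wide filter list, and the later `warnings.filterwarnings("default", category=DeprecationWarning)` does not restore it — it prepends a new `default` rule that overrides whatever the interpreter, `PYTHONWARNINGS` or Ansible had configured (Python's own default hides `DeprecationWarning` outside `__main__`), so on every platform without `packaging` importing this file permanently alters warning behaviour for all code loaded afterwards. `warnings.catch_warnings()` with `simplefilter("ignore", DeprecationWarning)` confines the suppression to the one import and restores the previous filters on exit. The `HAS_PACKAGING`/`HAS_DBUS` flags set here are not checked anywhere in this diff; see the note on the base.py hunk.
```python
except ImportError:
    import warnings

    # Scope the suppression to this import so the process-wide filter
    # list is restored afterwards (filterwarnings("default") would not).
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            from distutils.version import StrictVersion as CertificateVersion
        except ImportError:
            HAS_PACKAGING = False
            PACKAGING_IMPORT_ERROR = traceback.format_exc()
        else:
            HAS_PACKAGING = True
            PACKAGING_IMPORT_ERROR = None
# … unchanged: else branch for packaging.version, dbus import …
```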
diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml index bc841df..b486789 100644 --- a/tests/tests_include_vars_from_parent.yml +++ b/tests/tests_include_vars_from_parent.yml @@ -38,9 +38,18 @@ varfiles: "{{ [facts['distribution']] | product(separators) | map('join') | product(versions) | map('join') | list + [facts['distribution'], facts['os_family']] }}" + register: __varfiles_created - name: Import role import_role: name: caller vars: roletoinclude: linux-system-roles.certificate + + - name: Cleanup + file: + path: "{{ item.dest }}" + state: absent + loop: "{{ __varfiles_created.results }}" + delegate_to: localhost + when: inventory_hostname == ansible_play_hosts_all[0] diff --git a/vars/CentOS_9.yml b/vars/CentOS_9.yml new file mode 100644 index 0000000..52feefa --- /dev/null +++ b/vars/CentOS_9.yml @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: MIT +--- +__certificate_certmonger_packages: + - certmonger + - python3-packaging diff --git a/vars/Fedora.yml b/vars/Fedora.yml new file mode 100644 index 0000000..52feefa --- /dev/null +++ b/vars/Fedora.yml @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: MIT +--- +__certificate_certmonger_packages: + - certmonger + - python3-packaging diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml new file mode 100644 index 0000000..52feefa --- /dev/null +++ b/vars/RedHat_9.yml @@ -0,0 +1,5 @@ +# SPDX-License-Identifier: MIT +--- +__certificate_certmonger_packages: + - certmonger + - python3-packaging diff --git a/vars/main.yml b/vars/main.yml index 490a031..4977cb7 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -4,10 +4,12 @@ __certificate_provider_default: certmonger +__certificate_certmonger_packages: + - certmonger + __certificate_provider_vars: certmonger: - packages: - - certmonger + packages: "{{ __certificate_certmonger_packages }}" service: certmonger config_dir: /etc/certmonger/ hooks_dirs_owner: root
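Review bot: The new `Cleanup` task only runs when the `Import role` task before it succeeds; unless these tasks are already inside a `block:` with an `always:` section (the enclosing structure starts above the hunk), a failing test leaves the generated var files recorded in `__varfiles_created` on the controller, where the next run can pick them up and either mask or cause a failure. Moving `Cleanup` into an `always:` section of a block around `Import role` makes the removal unconditional, and `file: state: absent` is idempotent so running it after a partial failure is harmless. Because the removal is delegated to localhost by the first host only while `register` is per host, the task also assumes every host registered the same `dest` paths — worth confirming against the registering task above the hunk.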