From 531e0560cb28114d5474851d9615ae2e42c96034 Mon Sep 17 00:00:00 2001 From: Florian Paul Hoberg Date: Wed, 4 Sep 2019 14:07:20 +0200 Subject: [PATCH] add trustcacerts option for JAVA keytool (#61750) * add trustcacerts option for JAVA keytool * fixed whitespace * added type in documentation --- lib/ansible/modules/system/java_cert.py | 31 +++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/ansible/modules/system/java_cert.py b/lib/ansible/modules/system/java_cert.py index 804c1bebab4..233dcc3bdda 100644 --- a/lib/ansible/modules/system/java_cert.py +++ b/lib/ansible/modules/system/java_cert.py @@ -41,6 +41,12 @@ options: - Imported certificate alias. - The alias is used when checking for the presence of a certificate in the keystore. type: str + trust_cacert: + description: + - Trust imported cert as CAcert. + type: bool + default: False + version_added: "2.10" pkcs12_path: description: - Local path to load PKCS12 keystore from. @@ -107,6 +113,16 @@ EXAMPLES = r''' executable: /usr/lib/jvm/jre7/bin/keytool state: absent +- name: Import trusted CA from SSL certificate + java_cert: + cert_path: /opt/certs/rootca.crt + keystore_path: /tmp/cacerts + keystore_pass: changeit + keystore_create: yes + state: present + cert_alias: LE_RootCA + trust_cacert: True + - name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist java_cert: cert_url: google.com @@ -183,7 +199,7 @@ def check_cert_present(module, executable, keystore_path, keystore_pass, alias, return False -def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias, keystore_type): +def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias, keystore_type, trust_cacert): ''' Import certificate from URL into keystore located at keystore_path ''' https_proxy = os.getenv("https_proxy") 
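Review bot: The option description `- Trust imported cert as CAcert.` misstates what keytool's `-trustcacerts` does: it lets `-importcert` also consult the JRE's cacerts store when building a chain of trust for the certificate being imported, so it does not mark the imported certificate itself as a CA, and since the module already passes `-noprompt` (visible as context in the hunk at -235) the flag changes which chains keytool accepts rather than whether it prompts. Suggested wording: `- When importing a certificate, also consider the certificates in the JDK cacerts file when establishing trust (passes keytool's -trustcacerts flag).` From the call sites in the hunk at -373 the flag appears to reach only the C(cert_path) and C(cert_url) import paths; if the PKCS12 import is unaffected, the description should say that the option has no effect together with C(pkcs12_path).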
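Review bot: `import_cert_url` gains a new positional parameter `trust_cacert` with no default, so any caller still using the old eight-argument signature now fails with a TypeError; `def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias, keystore_type, trust_cacert=False):` keeps existing calls working. The same applies to `import_cert_path` in the hunk at -227. Neither docstring mentions the new parameter; add a line such as `trust_cacert: when True, pass -trustcacerts so keytool may use the cacerts store to establish trust`. Both function bodies continue past their hunks.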
@@ -209,6 +225,8 @@ def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, "-storepass '%s' -alias '%s' %s") % (executable, keystore_path, keystore_pass, alias, get_keystore_type(keystore_type)) + if trust_cacert: + import_cmd = import_cmd + " -trustcacerts" # Fetch SSL certificate from remote host. (_, fetch_out, _) = module.run_command(fetch_cmd, check_rc=True) @@ -227,7 +245,7 @@ def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, error=import_err) -def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias, keystore_type): +def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias, keystore_type, trust_cacert): ''' Import certificate from path into keystore located on keystore_path as alias ''' import_cmd = ("%s -importcert -noprompt -keystore '%s' " @@ -235,6 +253,9 @@ def import_cert_path(module, executable, path, keystore_path, keystore_pass, ali keystore_pass, path, alias, get_keystore_type(keystore_type)) + if trust_cacert: + import_cmd = import_cmd + " -trustcacerts" + # Use local certificate from local path and import it to a java keystore (import_rc, import_out, import_err) = module.run_command(import_cmd, check_rc=False) @@ -311,6 +332,7 @@ def main(): cert_port=dict(type='int', default=443), keystore_path=dict(type='path'), keystore_pass=dict(type='str', required=True, no_log=True), + trust_cacert=dict(type='bool', default=False), keystore_create=dict(type='bool', default=False), keystore_type=dict(type='str'), executable=dict(type='str', default='keytool'), @@ -336,6 +358,7 @@ def main(): pkcs12_alias = module.params.get('pkcs12_alias', '1') cert_alias = module.params.get('cert_alias') or url + trust_cacert = module.params.get('trust_cacert') keystore_path = module.params.get('keystore_path') keystore_pass = module.params.get('keystore_pass') 
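Review bot: The two added lines `if trust_cacert:` / `import_cmd = import_cmd + " -trustcacerts"` are repeated verbatim in the hunk at -235; a small module-level helper, e.g. `def _add_trustcacerts(cmd, trust_cacert): return cmd + " -trustcacerts" if trust_cacert else cmd`, would keep the flag spelled in one place, and the augmented form `import_cmd += " -trustcacerts"` is the idiomatic spelling if the duplication stays. The flag is appended after the quoted keystore arguments already built in the context lines, so it does not interact with the `'%s'` quoting, but a short comment such as `# -trustcacerts lets keytool chain the cert to the JRE cacerts store` would make the intent clear at both sites. `import_cert_url` starts and ends outside this hunk.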
@@ -373,11 +396,11 @@ def main():
 if path:
 import_cert_path(module, executable, path, keystore_path,
- keystore_pass, cert_alias, keystore_type)
+ keystore_pass, cert_alias, keystore_type, trust_cacert)
 if url:
 import_cert_url(module, executable, url, port, keystore_path,
- keystore_pass, cert_alias, keystore_type)
+ keystore_pass, cert_alias, keystore_type, trust_cacert)
 module.exit_json(changed=False)