openssl_certificate, fixed has_expired to check the cert expiration date (#53168)

This commit is contained in:
Andrea Tartaglia 2019-03-01 23:37:28 +00:00 committed by René Moser
parent 1ba1f712fd
commit d5d92e4a70
4 changed files with 57 additions and 6 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- openssl_certificate - ``has_expired`` correctly checks if the certificate is expired or not

View file

@ -229,7 +229,8 @@ options:
has_expired:
description:
- Checks if the certificate is expired/not expired at the time the module is executed.
- Checks if the certificate is expired/not expired at the time the module is executed. This only applies to
the C(assertonly) provider.
type: bool
default: no
@ -830,11 +831,18 @@ class AssertOnlyCertificate(Certificate):
)
def _validate_has_expired():
if self.has_expired:
if self.has_expired != self.cert.has_expired():
self.message.append(
'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (self.cert.has_expired(), self.has_expired)
)
# The following 3 lines are the same as the current PyOpenSSL code for cert.has_expired().
# Older version of PyOpenSSL have a buggy implementation,
# to avoid issues with those we added the code from a more recent release here.
time_string = to_native(self.cert.get_notAfter())
not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
cert_expired = not_after < datetime.datetime.utcnow()
if self.has_expired != cert_expired:
self.message.append(
'Certificate expiration check failed (certificate expiration is %s, expected %s)' % (cert_expired, self.has_expired)
)
def _validate_version():
if self.version:

View file

@ -0,0 +1,39 @@
---
- name: Generate privatekey
openssl_privatekey:
path: '{{ output_dir }}/has_expired_privatekey.pem'
- name: Generate CSR
openssl_csr:
path: '{{ output_dir }}/has_expired_csr.csr'
privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
subject:
commonName: www.example.com
- name: Generate expired selfsigned certificate
openssl_certificate:
path: '{{ output_dir }}/has_expired_cert.pem'
csr_path: '{{ output_dir }}/has_expired_csr.csr'
privatekey_path: '{{ output_dir }}/has_expired_privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
selfsigned_not_after: "-1s"
- name: "Check task fails because cert is expired (has_expired: false)"
openssl_certificate:
provider: assertonly
path: "{{ output_dir }}/has_expired_cert.pem"
has_expired: false
ignore_errors: true
register: expired_cert_check
- name: Ensure previous task failed
assert:
that: expired_cert_check is failed
- name: "Check expired cert check is ignored (has_expired: true)"
openssl_certificate:
provider: assertonly
path: "{{ output_dir }}/has_expired_cert.pem"
has_expired: true
register: expired_cert_skip

View file

@ -1,6 +1,8 @@
---
- block:
- import_tasks: expired.yml
- import_tasks: selfsigned.yml
- import_tasks: ownca.yml