cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

openssl_privatekey: Standardize implementaton of the module

Browse source 
The OpenSSLObject class has been merged[1]. This commit makes the
openssl_privatekey rely on this class and standardize the way openssl
module should be written.

Co-Authored-By: Christian Pointner <cpointner@mgit.at>

[1] https://github.com/ansible/ansible/pull/26945
This commit is contained in:
Yanis Guenane 2017-07-24 10:49:22 +02:00 committed by Michael Scherer
parent 9c50933a80
commit d72ac0b391
3 changed files with 74 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
lib/ansible/module_utils/crypto.py
View file

@ -95,11 +95,20 @@ class OpenSSLObject(object):
self.changed = False self.changed = False
self.check_mode = check_mode self.check_mode = check_mode
@abc.abstractmethod def check(self, module, perms_required=True):
def check(self):
"""Ensure the resource is in its desired state.""" """Ensure the resource is in its desired state."""
pass def _check_state():
return os.path.exists(self.path)
def _check_perms(module):
file_args = module.load_file_common_arguments(module.params)
return not module.set_fs_attributes_if_different(file_args, False)
if not perms_required:
return _check_state()
return _check_state() and _check_perms(module)
@abc.abstractmethod @abc.abstractmethod
def dump(self): def dump(self):

108
lib/ansible/modules/crypto/openssl_privatekey.py
View file

@ -132,9 +132,11 @@ fingerprint:
sha512: "fd:ed:5e:39:48:5f:9f:fe:7f:25:06:3f:79:08:cd:ee:a5:e7:b3:3d:13:82:87:1f:84:e1:f5:c7:28:77:53:94:86:56:38:69:f0:d9:35:22:01:1e:a6:60:...:0f:9b" sha512: "fd:ed:5e:39:48:5f:9f:fe:7f:25:06:3f:79:08:cd:ee:a5:e7:b3:3d:13:82:87:1f:84:e1:f5:c7:28:77:53:94:86:56:38:69:f0:d9:35:22:01:1e:a6:60:...:0f:9b"
''' '''
import errno import os
from ansible.module_utils import crypto as crypto_utils
from ansible.module_utils._text import to_native
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.crypto import get_fingerprint
from ansible.module_utils.pycompat24 import get_exception from ansible.module_utils.pycompat24 import get_exception
try: try:
@ -144,44 +146,42 @@ except ImportError:
else: else:
pyopenssl_found = True pyopenssl_found = True
import os
from ansible.module_utils._text import to_native
class PrivateKeyError(crypto_utils.OpenSSLObjectError):
class PrivateKeyError(Exception):
pass pass
class PrivateKey(object): class PrivateKey(crypto_utils.OpenSSLObject):
def __init__(self, module): def __init__(self, module):
super(PrivateKey, self).__init__(
module.params['path'],
module.params['state'],
module.params['force'],
module.check_mode
)
self.size = module.params['size'] self.size = module.params['size']
self.state = module.params['state']
self.name = os.path.basename(module.params['path'])
self.type = module.params['type']
self.force = module.params['force']
self.path = module.params['path']
self.passphrase = module.params['passphrase'] self.passphrase = module.params['passphrase']
self.cipher = module.params['cipher'] self.cipher = module.params['cipher']
self.mode = module.params['mode']
self.changed = True
self.privatekey = None self.privatekey = None
self.fingerprint = {} self.fingerprint = {}
self.check_mode = module.check_mode
self.mode = module.params['mode']
if not self.mode:
self.mode = int('0600', 8)
self.type = crypto.TYPE_RSA
if module.params['type'] == 'DSA':
self.type = crypto.TYPE_DSA
def generate(self, module): def generate(self, module):
"""Generate a keypair.""" """Generate a keypair."""
if not os.path.exists(self.path) or self.force: if not self.check(module, perms_required=False) or self.force:
self.privatekey = crypto.PKey() self.privatekey = crypto.PKey()
if self.type == 'RSA':
crypto_type = crypto.TYPE_RSA
else:
crypto_type = crypto.TYPE_DSA
try: try:
self.privatekey.generate_key(crypto_type, self.size) self.privatekey.generate_key(self.type, self.size)
except (TypeError, ValueError) as exc: except (TypeError, ValueError) as exc:
raise PrivateKeyError(exc) raise PrivateKeyError(exc)
@ -196,46 +196,63 @@ class PrivateKey(object):
os.write(privatekey_file, crypto.dump_privatekey(crypto.FILETYPE_PEM, self.privatekey, **extras)) os.write(privatekey_file, crypto.dump_privatekey(crypto.FILETYPE_PEM, self.privatekey, **extras))
os.close(privatekey_file) os.close(privatekey_file)
self.changed = True
except IOError as exc: except IOError as exc:
self.remove() self.remove()
raise PrivateKeyError(exc) raise PrivateKeyError(exc)
else:
self.changed = False
self.fingerprint = get_fingerprint(self.path, self.passphrase) self.fingerprint = crypto_utils.get_fingerprint(self.path, self.passphrase)
file_args = module.load_file_common_arguments(module.params) file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False): if module.set_fs_attributes_if_different(file_args, False):
self.changed = True self.changed = True
def remove(self): def check(self, module, perms_required=True):
"""Remove the private key from the filesystem.""" """Ensure the resource is in its desired state."""
try: state_and_perms = super(PrivateKey, self).check(module, perms_required)
os.remove(self.path)
except OSError as exc: def _check_size(privatekey):
if exc.errno != errno.ENOENT: return self.size == privatekey.bits()
raise PrivateKeyError(exc)
else: def _check_type(privatekey):
self.changed = False return self.type == privatekey.type()
def _check_passphrase():
try:
crypto_utils.load_privatekey(self.path, self.passphrase)
return True
except crypto.Error:
return False
if not state_and_perms or not _check_passphrase():
return False
privatekey = crypto_utils.load_privatekey(self.path, self.passphrase)
return _check_size(privatekey) and _check_type(privatekey)
def dump(self): def dump(self):
"""Serialize the object into a dictionary.""" """Serialize the object into a dictionary."""
result = { result = {
'size': self.size, 'size': self.size,
'type': self.type,
'filename': self.path, 'filename': self.path,
'changed': self.changed, 'changed': self.changed,
'fingerprint': self.fingerprint, 'fingerprint': self.fingerprint,
} }
if self.type == crypto.TYPE_RSA:
result['type'] = 'RSA'
else:
result['type'] = 'DSA'
return result return result
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec = dict( argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'), state=dict(default='present', choices=['present', 'absent'], type='str'),
size=dict(default=4096, type='int'), size=dict(default=4096, type='int'),
type=dict(default='RSA', choices=['RSA', 'DSA'], type='str'), type=dict(default='RSA', choices=['RSA', 'DSA'], type='str'),
@ -244,29 +261,28 @@ def main():
passphrase=dict(type='str', no_log=True), passphrase=dict(type='str', no_log=True),
cipher=dict(type='str'), cipher=dict(type='str'),
), ),
supports_check_mode = True, supports_check_mode=True,
add_file_common_args = True, add_file_common_args=True,
required_together=[['cipher', 'passphrase']], required_together=[['cipher', 'passphrase']],
) )
if not pyopenssl_found: if not pyopenssl_found:
module.fail_json(msg='the python pyOpenSSL module is required') module.fail_json(msg='the python pyOpenSSL module is required')
path = module.params['path']
base_dir = os.path.dirname(module.params['path']) base_dir = os.path.dirname(module.params['path'])
if not os.path.isdir(base_dir): if not os.path.isdir(base_dir):
module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir) module.fail_json(
name=base_dir,
if not module.params['mode']: msg='The directory %s does not exist or the file is not a directory' % base_dir
module.params['mode'] = int('0600', 8) )
private_key = PrivateKey(module) private_key = PrivateKey(module)
if private_key.state == 'present': if private_key.state == 'present':
if module.check_mode: if module.check_mode:
result = private_key.dump() result = private_key.dump()
result['changed'] = module.params['force'] or not os.path.exists(path) result['changed'] = module.params['force'] or not private_key.check(module)
module.exit_json(**result) module.exit_json(**result)
try: try:
@ -277,7 +293,7 @@ def main():
if module.check_mode: if module.check_mode:
result = private_key.dump() result = private_key.dump()
result['changed'] = os.path.exists(path) result['changed'] = os.path.exists(module.params['path'])
module.exit_json(**result) module.exit_json(**result)
try: try:

1
test/sanity/pep8/legacy-files.txt
View file

@ -209,7 +209,6 @@ lib/ansible/modules/clustering/consul_session.py
lib/ansible/modules/clustering/kubernetes.py lib/ansible/modules/clustering/kubernetes.py
lib/ansible/modules/clustering/pacemaker_cluster.py lib/ansible/modules/clustering/pacemaker_cluster.py
lib/ansible/modules/commands/command.py lib/ansible/modules/commands/command.py
lib/ansible/modules/crypto/openssl_privatekey.py
lib/ansible/modules/crypto/openssl_publickey.py lib/ansible/modules/crypto/openssl_publickey.py
lib/ansible/modules/database/misc/elasticsearch_plugin.py lib/ansible/modules/database/misc/elasticsearch_plugin.py
lib/ansible/modules/database/misc/kibana_plugin.py lib/ansible/modules/database/misc/kibana_plugin.py