a2d34e914e
* Ansible files module sanity pep8 fixes * Ansible system module and playbook base.py * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Undo empty lines not required by sanity checks * Various changes * Various changes * Various changes * Various changes * Undo blank lines not required by sanity checks * Various changes * Various changes * Various changes * Various changes * Various changes * Undo blank line changes not required by sanity checks * Various changes * Various changes * Various changes * Various changes * Various changes * Missing piece after merge * Blank lines * Blank line * Line too long * Fix typo * Unnecessary quotes * Fix example error
356 lines
13 KiB
Python
356 lines
13 KiB
Python
#!/usr/bin/python
|
|
#
|
|
# Copyright: (c) 2013, RSD Services S.A
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
'status': ['preview'],
|
|
'supported_by': 'community'}
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: java_cert
|
|
version_added: '2.3'
|
|
short_description: Uses keytool to import/remove key from java keystore(cacerts)
|
|
description:
|
|
- This is a wrapper module around keytool. Which can be used to import/remove
|
|
certificates from a given java keystore.
|
|
options:
|
|
cert_url:
|
|
description:
|
|
- Basic URL to fetch SSL certificate from. One of cert_url or cert_path is required to load certificate.
|
|
cert_port:
|
|
description:
|
|
- Port to connect to URL. This will be used to create server URL:PORT
|
|
default: 443
|
|
cert_path:
|
|
description:
|
|
- Local path to load certificate from. One of cert_url or cert_path is required to load certificate.
|
|
cert_alias:
|
|
description:
|
|
- Imported certificate alias.
|
|
pkcs12_path:
|
|
description:
|
|
- Local path to load PKCS12 keystore from.
|
|
version_added: "2.4"
|
|
pkcs12_password:
|
|
description:
|
|
- Password for importing from PKCS12 keystore.
|
|
default: ''
|
|
version_added: "2.4"
|
|
pkcs12_alias:
|
|
description:
|
|
- Alias in the PKCS12 keystore.
|
|
default: 1
|
|
version_added: "2.4"
|
|
keystore_path:
|
|
description:
|
|
- Path to keystore.
|
|
keystore_pass:
|
|
description:
|
|
- Keystore password.
|
|
required: true
|
|
keystore_create:
|
|
description:
|
|
- Create keystore if it doesn't exist
|
|
executable:
|
|
description:
|
|
- Path to keytool binary if not used we search in PATH for it.
|
|
default: keytool
|
|
state:
|
|
description:
|
|
- Defines action which can be either certificate import or removal.
|
|
choices: [ absent, present ]
|
|
default: present
|
|
author:
|
|
- Adam Hamsik (@haad)
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
- name: Import SSL certificate from google.com to a given cacerts keystore
|
|
java_cert:
|
|
cert_url: google.com
|
|
cert_port: 443
|
|
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
|
|
keystore_pass: changeit
|
|
state: present
|
|
|
|
- name: Remove certificate with given alias from a keystore
|
|
java_cert:
|
|
cert_url: google.com
|
|
keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts
|
|
keystore_pass: changeit
|
|
executable: /usr/lib/jvm/jre7/bin/keytool
|
|
state: absent
|
|
|
|
- name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist
|
|
java_cert:
|
|
cert_url: google.com
|
|
keystore_path: /tmp/cacerts
|
|
keystore_pass: changeit
|
|
keystore_create: yes
|
|
state: present
|
|
|
|
- name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist
|
|
java_cert:
|
|
pkcs12_path: "/tmp/importkeystore.p12"
|
|
cert_alias: default
|
|
keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks
|
|
keystore_pass: changeit
|
|
keystore_create: yes
|
|
state: present
|
|
'''
|
|
|
|
RETURN = '''
|
|
msg:
|
|
description: Output from stdout of keytool command after execution of given command.
|
|
returned: success
|
|
type: string
|
|
sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'"
|
|
|
|
rc:
|
|
description: Keytool command execution return value
|
|
returned: success
|
|
type: int
|
|
sample: "0"
|
|
|
|
cmd:
|
|
description: Executed command to get action done
|
|
returned: success
|
|
type: string
|
|
sample: "keytool -importcert -noprompt -keystore"
|
|
'''
|
|
|
|
import os
|
|
|
|
# import module snippets
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
|
|
|
|
def check_cert_present(module, executable, keystore_path, keystore_pass, alias):
|
|
''' Check if certificate with alias is present in keystore
|
|
located at keystore_path '''
|
|
test_cmd = ("%s -noprompt -list -keystore '%s' -storepass '%s' "
|
|
"-alias '%s'") % (executable, keystore_path, keystore_pass, alias)
|
|
|
|
(check_rc, _, _) = module.run_command(test_cmd)
|
|
if check_rc == 0:
|
|
return True
|
|
return False
|
|
|
|
|
|
def import_cert_url(module, executable, url, port, keystore_path, keystore_pass, alias):
|
|
''' Import certificate from URL into keystore located at keystore_path '''
|
|
import re
|
|
|
|
https_proxy = os.getenv("https_proxy")
|
|
no_proxy = os.getenv("no_proxy")
|
|
|
|
proxy_opts = ''
|
|
if https_proxy is not None:
|
|
(proxy_host, proxy_port) = https_proxy.split(':')
|
|
proxy_opts = ("-J-Dhttps.proxyHost=%s -J-Dhttps.proxyPort=%s") % (proxy_host, proxy_port)
|
|
|
|
if no_proxy is not None:
|
|
# For Java's nonProxyHosts property, items are separated by '|',
|
|
# and patterns have to start with "*".
|
|
non_proxy_hosts = no_proxy.replace(',', '|')
|
|
non_proxy_hosts = re.sub(r'(^|\|)\.', r'\1*.', non_proxy_hosts)
|
|
|
|
# The property name is http.nonProxyHosts, there is no
|
|
# separate setting for HTTPS.
|
|
proxy_opts += (" -J-Dhttp.nonProxyHosts='%s'") % (non_proxy_hosts)
|
|
|
|
fetch_cmd = ("%s -printcert -rfc -sslserver %s %s:%d") % (executable, proxy_opts, url, port)
|
|
|
|
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
|
|
"-storepass '%s' -alias '%s'") % (executable, keystore_path,
|
|
keystore_pass, alias)
|
|
|
|
if module.check_mode:
|
|
module.exit_json(changed=True)
|
|
|
|
# Fetch SSL certificate from remote host.
|
|
(_, fetch_out, _) = module.run_command(fetch_cmd, check_rc=True)
|
|
|
|
# Use remote certificate from remote host and import it to a java keystore
|
|
(import_rc, import_out, import_err) = module.run_command(import_cmd,
|
|
data=fetch_out,
|
|
check_rc=False)
|
|
diff = {'before': '\n', 'after': '%s\n' % alias}
|
|
if import_rc == 0:
|
|
return module.exit_json(changed=True, msg=import_out,
|
|
rc=import_rc, cmd=import_cmd, stdout=import_out,
|
|
diff=diff)
|
|
else:
|
|
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd,
|
|
error=import_err)
|
|
|
|
|
|
def import_cert_path(module, executable, path, keystore_path, keystore_pass, alias):
|
|
''' Import certificate from path into keystore located on
|
|
keystore_path as alias '''
|
|
import_cmd = ("%s -importcert -noprompt -keystore '%s' "
|
|
"-storepass '%s' -file '%s' -alias '%s'") % (executable,
|
|
keystore_path,
|
|
keystore_pass,
|
|
path, alias)
|
|
|
|
if module.check_mode:
|
|
module.exit_json(changed=True)
|
|
|
|
# Use local certificate from local path and import it to a java keystore
|
|
(import_rc, import_out, import_err) = module.run_command(import_cmd,
|
|
check_rc=False)
|
|
|
|
diff = {'before': '\n', 'after': '%s\n' % alias}
|
|
if import_rc == 0:
|
|
return module.exit_json(changed=True, msg=import_out,
|
|
rc=import_rc, cmd=import_cmd, stdout=import_out,
|
|
error=import_err, diff=diff)
|
|
else:
|
|
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
|
|
|
|
|
|
def import_pkcs12_path(module, executable, path, keystore_path, keystore_pass, pkcs12_pass, pkcs12_alias, alias):
|
|
''' Import pkcs12 from path into keystore located on
|
|
keystore_path as alias '''
|
|
import_cmd = ("%s -importkeystore -noprompt -destkeystore '%s' -srcstoretype PKCS12 "
|
|
"-deststorepass '%s' -destkeypass '%s' -srckeystore '%s' -srcstorepass '%s' "
|
|
"-srcalias '%s' -destalias '%s'") % (executable, keystore_path, keystore_pass,
|
|
keystore_pass, path, pkcs12_pass, pkcs12_alias, alias)
|
|
|
|
if module.check_mode:
|
|
module.exit_json(changed=True)
|
|
|
|
# Use local certificate from local path and import it to a java keystore
|
|
(import_rc, import_out, import_err) = module.run_command(import_cmd,
|
|
check_rc=False)
|
|
|
|
diff = {'before': '\n', 'after': '%s\n' % alias}
|
|
if import_rc == 0:
|
|
return module.exit_json(changed=True, msg=import_out,
|
|
rc=import_rc, cmd=import_cmd, stdout=import_out,
|
|
error=import_err, diff=diff)
|
|
else:
|
|
return module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd)
|
|
|
|
|
|
def delete_cert(module, executable, keystore_path, keystore_pass, alias):
|
|
''' Delete certificate identified with alias from keystore on keystore_path '''
|
|
del_cmd = ("%s -delete -keystore '%s' -storepass '%s' "
|
|
"-alias '%s'") % (executable, keystore_path, keystore_pass, alias)
|
|
|
|
if module.check_mode:
|
|
module.exit_json(changed=True)
|
|
|
|
# Delete SSL certificate from keystore
|
|
(del_rc, del_out, del_err) = module.run_command(del_cmd, check_rc=True)
|
|
|
|
diff = {'before': '%s\n' % alias, 'after': None}
|
|
|
|
return module.exit_json(changed=True, msg=del_out,
|
|
rc=del_rc, cmd=del_cmd, stdout=del_out,
|
|
error=del_err, diff=diff)
|
|
|
|
|
|
def test_keytool(module, executable):
|
|
''' Test if keytool is actuall executable or not '''
|
|
test_cmd = "%s" % (executable)
|
|
|
|
module.run_command(test_cmd, check_rc=True)
|
|
|
|
|
|
def test_keystore(module, keystore_path):
|
|
''' Check if we can access keystore as file or not '''
|
|
if keystore_path is None:
|
|
keystore_path = ''
|
|
|
|
if not os.path.exists(keystore_path) and not os.path.isfile(keystore_path):
|
|
# Keystore doesn't exist we want to create it
|
|
return module.fail_json(changed=False,
|
|
msg="Module require existing keystore at keystore_path '%s'"
|
|
% (keystore_path))
|
|
|
|
|
|
def main():
|
|
argument_spec = dict(
|
|
cert_url=dict(type='str'),
|
|
cert_path=dict(type='path'),
|
|
pkcs12_path=dict(type='path'),
|
|
pkcs12_password=dict(type='str', no_log=True),
|
|
pkcs12_alias=dict(type='str'),
|
|
cert_alias=dict(type='str'),
|
|
cert_port=dict(type='int', default='443'),
|
|
keystore_path=dict(type='path'),
|
|
keystore_pass=dict(type='str', required=True, no_log=True),
|
|
keystore_create=dict(type='bool', default=False),
|
|
executable=dict(type='str', default='keytool'),
|
|
state=dict(type='str', default='present', choices=['absent', 'present']),
|
|
)
|
|
|
|
module = AnsibleModule(
|
|
argument_spec=argument_spec,
|
|
required_one_of=[['cert_path', 'cert_url', 'pkcs12_path']],
|
|
required_together=[['keystore_path', 'keystore_pass']],
|
|
mutually_exclusive=[
|
|
['cert_url', 'cert_path', 'pkcs12_path']
|
|
],
|
|
supports_check_mode=True,
|
|
)
|
|
|
|
url = module.params.get('cert_url')
|
|
path = module.params.get('cert_path')
|
|
port = module.params.get('cert_port')
|
|
|
|
pkcs12_path = module.params.get('pkcs12_path')
|
|
pkcs12_pass = module.params.get('pkcs12_password', '')
|
|
pkcs12_alias = module.params.get('pkcs12_alias', '1')
|
|
|
|
cert_alias = module.params.get('cert_alias') or url
|
|
|
|
keystore_path = module.params.get('keystore_path')
|
|
keystore_pass = module.params.get('keystore_pass')
|
|
keystore_create = module.params.get('keystore_create')
|
|
executable = module.params.get('executable')
|
|
state = module.params.get('state')
|
|
|
|
if path and not cert_alias:
|
|
module.fail_json(changed=False,
|
|
msg="Using local path import from %s requires alias argument."
|
|
% (keystore_path))
|
|
|
|
test_keytool(module, executable)
|
|
|
|
if not keystore_create:
|
|
test_keystore(module, keystore_path)
|
|
|
|
cert_present = check_cert_present(module, executable, keystore_path,
|
|
keystore_pass, cert_alias)
|
|
|
|
if state == 'absent':
|
|
if cert_present:
|
|
delete_cert(module, executable, keystore_path, keystore_pass, cert_alias)
|
|
|
|
elif state == 'present':
|
|
if not cert_present:
|
|
if pkcs12_path:
|
|
import_pkcs12_path(module, executable, pkcs12_path, keystore_path,
|
|
keystore_pass, pkcs12_pass, pkcs12_alias, cert_alias)
|
|
|
|
if path:
|
|
import_cert_path(module, executable, path, keystore_path,
|
|
keystore_pass, cert_alias)
|
|
|
|
if url:
|
|
import_cert_url(module, executable, url, port, keystore_path,
|
|
keystore_pass, cert_alias)
|
|
|
|
module.exit_json(changed=False)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|