Output all validated challenges with basic infos.

ansible-collections · May 15, 2024 · f611a70 · f611a70
1 parent 0737fc4
commit f611a70
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 12 deletions.
diff --git a/plugins/module_utils/acme/certificate.py b/plugins/module_utils/acme/certificate.py
@@ -161,11 +161,12 @@ def collect_pending_authzs(self, order):
         return [authz for authz in order.authorizations.values() if authz.status == 'pending']
 
     def call_validate(self, pending_authzs, get_challenge, wait=True):
-        authzs_to_wait_for = []
+        authzs_with_challenges_to_wait_for = []
         for authz in pending_authzs:
-            authz.call_validate(self.client, get_challenge(authz), wait=wait)
-            authzs_to_wait_for.append(authz)
-        return authzs_to_wait_for
+            challenge_type = get_challenge(authz)
+            authz.call_validate(self.client, challenge_type, wait=wait)
+            authzs_with_challenges_to_wait_for.append((authz, challenge_type, authz.find_challenge(challenge_type)))
+        return authzs_with_challenges_to_wait_for
 
     def wait_for_validation(self, authzs_to_wait_for):
         wait_for_validation(authzs_to_wait_for, self.client)

diff --git a/plugins/modules/acme_certificate_order_validate.py b/plugins/modules/acme_certificate_order_validate.py
@@ -191,6 +191,44 @@
   description: ACME account URI.
   returned: success
   type: str
+validating_challenges:
+  description: List of challenges whose validation was triggered.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    identifier:
+      description:
+        - The identifier the challenge is for.
+      type: str
+      returned: always
+    identifier_type:
+      description:
+        - The identifier's type for the challenge.
+      type: str
+      returned: always
+      choices:
+        - dns
+        - ip
+    authz_url:
+      description:
+        - The URL of the authorization object for this challenge.
+      type: str
+      returned: always
+    challenge_type:
+      description:
+        - The challenge's type.
+      type: str
+      returned: always
+      choices:
+        - http-01
+        - dns-01
+        - tls-alpn-01
+    challenge_url:
+      description:
+        - The URL of the challenge object.
+      type: str
+      returned: always
 '''
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.acme import (
@@ -266,7 +304,7 @@ def main():
             ]
 
             # Step 4: validate pending authorizations
-            authzs_to_wait_for = client.call_validate(
+            authzs_with_challenges_to_wait_for = client.call_validate(
                 really_pending_authzs,
                 get_challenge=lambda authz: challenges[authz.combined_identifier],
                 wait=False,
@@ -277,8 +315,18 @@ def main():
             if order and module.params['deactivate_authzs'] and not done:
                 client.deactivate_authzs(order)
         module.exit_json(
-            changed=len(authzs_to_wait_for) > 0,
+            changed=len(authzs_with_challenges_to_wait_for) > 0,
             account_uri=client.client.account_uri,
+            validating_challenges=[
+                dict(
+                    identifier=authz.identifier,
+                    identifier_type=authz.identifier_type,
+                    authz_url=authz.url,
+                    challenge_type=challenge_type,
+                    challenge_url=challenge.url,
+                )
+                for authz, challenge_type, challenge in authzs_with_challenges_to_wait_for
+            ],
         )
     except ModuleFailException as e:
         e.do_fail(module)

diff --git a/tests/integration/targets/acme_certificate_order/tasks/impl.yml b/tests/integration/targets/acme_certificate_order/tasks/impl.yml
@@ -102,8 +102,8 @@
       - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
       - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
       - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].status == 'pending'
-      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'pending'
-      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'dns-01') | first).status == 'pending'
+      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'pending'
+      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'dns-01') | first).status == 'pending'
       - order_info_1.authorizations_by_status['deactivated'] | length == 0
       - order_info_1.authorizations_by_status['expired'] | length == 0
       - order_info_1.authorizations_by_status['invalid'] | length == 0
@@ -168,8 +168,8 @@
       - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
       - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
       - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].status in ['pending', 'valid']
-      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status in ['processing', 'valid']
-      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'dns-01') | first).status == 'pending'
+      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status in ['processing', 'valid']
+      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'dns-01') | first).status == 'pending'
       - order_info_2.authorizations_by_status['deactivated'] | length == 0
       - order_info_2.authorizations_by_status['expired'] | length == 0
       - order_info_2.authorizations_by_status['invalid'] | length == 0
@@ -264,7 +264,7 @@
       - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
       - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
       - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].status == 'valid'
-      - (order_info_3.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'valid'
+      - (order_info_3.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'valid'
       - order_info_3.authorizations_by_status['deactivated'] | length == 0
       - order_info_3.authorizations_by_status['expired'] | length == 0
       - order_info_3.authorizations_by_status['invalid'] | length == 0
@@ -328,7 +328,7 @@
       - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
       - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
       - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].status == 'deactivated'
-      - (order_info_4.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'valid'
+      - (order_info_4.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'valid'
       - order_info_4.authorizations_by_status['deactivated'] | length == 1
       - order_info_4.authorizations_by_status['deactivated'][0] == 'dns:' ~ domain_name
       - order_info_4.authorizations_by_status['expired'] | length == 0