From 18d3ccf77bc64f343bda88abe50888d7ec84c1d6 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Fri, 16 Jul 2021 19:17:30 -0400 Subject: [PATCH 01/13] Initial commit --- plugins/module_utils/openssh/certificate.py | 179 ++++++++++++++++-- plugins/modules/openssh_cert.py | 67 +++++-- .../openssh_cert/tests/idempotency.yml | 16 +- .../openssh_cert/tests/key_idempotency.yml | 25 ++- .../module_utils/openssh/test_certificate.py | 64 ++++++- 5 files changed, 315 insertions(+), 36 deletions(-) diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 3e6514871..1cbbe5860 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -39,6 +39,7 @@ from hashlib import sha256 from ansible.module_utils import six +from ansible.module_utils.common.text.converters import to_text from ansible_collections.community.crypto.plugins.module_utils.crypto.support import convert_relative_to_datetime from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import ( OpensshParser, @@ -74,6 +75,29 @@ _ALWAYS = datetime(1970, 1, 1) _FOREVER = datetime.max +_CRITICAL_OPTIONS = ( + 'force-command', + 'source-address', + 'verify-required', +) + +_DIRECTIVES = ( + 'clear', + 'no-x11-forwarding', + 'no-agent-forwarding', + 'no-port-forwarding', + 'no-pty', + 'no-user-rc', +) + +_EXTENSIONS = ( + 'permit-X11-forwarding', + 'permit-agent-forwarding', + 'permit-port-forwarding', + 'permit-pty', + 'permit-user-rc' +) + if six.PY3: long = int @@ -92,6 +116,9 @@ def __eq__(self, other): else: return self._valid_from == other._valid_from and self._valid_to == other._valid_to + def __ne__(self, other): + return not self == other + @property def validity_string(self): if not (self._valid_from == _ALWAYS and self._valid_to == _FOREVER): @@ -131,12 +158,14 @@ def format_datetime(dt, date_format): @staticmethod def to_datetime(time_string_or_timestamp): try: - if isinstance(time_string_or_timestamp, str): + if isinstance(time_string_or_timestamp, six.string_types): result = OpensshCertificateTimeParameters._time_string_to_datetime(time_string_or_timestamp.strip()) elif isinstance(time_string_or_timestamp, (long, int)): result = OpensshCertificateTimeParameters._timestamp_to_datetime(time_string_or_timestamp) else: - raise ValueError("Value must be of type (str, int, long) not %s" % type(time_string_or_timestamp)) + raise ValueError( + "Value must be of type (str, unicode, int, long) not %s" % type(time_string_or_timestamp) + ) except ValueError: raise return result @@ -174,6 +203,87 @@ def _time_string_to_datetime(time_string): return result +class OpensshCertificateOption(object): + def __init__(self, option_type, name, data): + if not isinstance(option_type, six.string_types) or option_type not in ('critical', 'extension'): + raise ValueError("type must be either 'critical' or 'extension'") + + if not isinstance(name, six.string_types): + raise TypeError("name must be a string not %s" % type(name)) + + if not isinstance(data, six.string_types): + raise TypeError("data must be a string not %s" % type(data)) + + self._option_type = option_type + self._name = name + self._data = data + + def __eq__(self, other): + if not isinstance(other, type(self)): + return NotImplemented + + return all([ + self._option_type == other._option_type, + self._name == other._name, + self._data == other._data, + ]) + + def __hash__(self): + return hash((self._option_type, self._name, self._data)) + + def __ne__(self, other): + return not self == other + + def __str__(self): + if self._data: + return "%s=%s" % (self._name, self._data) + return self._name + + @property + def data(self): + return self._data + + @property + def name(self): + return self._name + + @property + def type(self): + return self._option_type + + @classmethod + def from_string(cls, option_string): + if not isinstance(option_string, six.string_types): + raise ValueError("option_string must be a string not %s" % type(option_string)) + option_type = None + + if ':' in option_string: + option_type, value = option_string.strip().split(':', 1) + if '=' in value: + name, data = value.split('=', 1) + else: + name, data = value, '' + elif '=' in option_string: + name, data = option_string.strip().split('=', 1) + else: + name, data = option_string.strip(), '' + + if option_type is None: + if name in _CRITICAL_OPTIONS: + option_type = 'critical' + elif name in _EXTENSIONS: + option_type = 'extension' + else: + raise ValueError("%s is not a valid option. " % name + + "Custom options must start with 'critical:' or 'extension:' to indicate type") + + return cls( + option_type=option_type, + name=name, + data=data + ) + + @six.add_metaclass(abc.ABCMeta) class OpensshCertificateInfo: """Encapsulates all certificate information which is signed by a CA key""" @@ -402,7 +512,7 @@ def load(cls, path): @property def type_string(self): - return self._cert_info.type_string + return to_text(self._cert_info.type_string) @property def nonce(self): @@ -410,7 +520,7 @@ def nonce(self): @property def public_key(self): - return self._cert_info.public_key_fingerprint() + return to_text(self._cert_info.public_key_fingerprint()) @property def serial(self): @@ -422,11 +532,11 @@ def type(self): @property def key_id(self): - return self._cert_info.key_id + return to_text(self._cert_info.key_id) @property def principals(self): - return self._cert_info.principals + return [to_text(p) for p in self._cert_info.principals] @property def valid_after(self): @@ -438,11 +548,13 @@ def valid_before(self): @property def critical_options(self): - return self._cert_info.critical_options + return [ + OpensshCertificateOption('critical', to_text(n), to_text(d)) for n, d in self._cert_info.critical_options + ] @property def extensions(self): - return self._cert_info.extensions + return [OpensshCertificateOption('extension', to_text(n), to_text(d)) for n, d in self._cert_info.extensions] @property def reserved(self): @@ -450,7 +562,7 @@ def reserved(self): @property def signing_key(self): - return self._cert_info.signing_key_fingerprint() + return to_text(self._cert_info.signing_key_fingerprint()) @staticmethod def _parse_cert_info(pub_key_type, parser): @@ -484,14 +596,37 @@ def to_dict(self): 'principals': self.principals, 'valid_after': time_parameters.valid_from(date_format='human_readable'), 'valid_before': time_parameters.valid_to(date_format='human_readable'), - 'critical_options': self.critical_options, - 'extensions': [e[0] for e in self.extensions], + 'critical_options': [str(critical_option) for critical_option in self.critical_options], + 'extensions': [str(extension) for extension in self.extensions], 'reserved': self.reserved, 'public_key': self.public_key, 'signing_key': self.signing_key, } +def apply_directives(directives, extensions): + if any(d not in _DIRECTIVES for d in directives): + raise ValueError("directives must be one of %s" % ", ".join(_DIRECTIVES)) + + directive_to_option = { + 'no-x11-forwarding': OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), + 'no-agent-forwarding': OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), + 'no-port-forwarding': OpensshCertificateOption('extension', 'permit-port-forwarding', ''), + 'no-pty': OpensshCertificateOption('extension', 'permit-pty', ''), + 'no-user-rc': OpensshCertificateOption('extension', 'permit-user-rc', ''), + } + + if 'clear' not in directives: + result = extensions[:] + for directive in directives: + option = directive_to_option[directive] + if option in result: + result.remove(option) + return result + else: + return [] + + def fingerprint(public_key): """Generates a SHA256 hash and formats output to resemble ``ssh-keygen``""" h = sha256() @@ -514,5 +649,27 @@ def get_cert_info_object(key_type): return cert_info +def get_default_options(): + return _EXTENSIONS + + def is_relative_time_string(time_string): return time_string.startswith("+") or time_string.startswith("-") + + +def parse_option_list(option_list): + critical_options = [] + directives = [] + extensions = [] + + for option in option_list: + if option in _DIRECTIVES: + directives.append(option) + else: + option_object = OpensshCertificateOption.from_string(option) + if option_object.type == 'critical': + critical_options.append(option_object) + else: + extensions.append(option_object) + + return critical_options, apply_directives(directives, extensions) diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index a518b5dfb..5e9250de8 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -36,6 +36,18 @@ - Should the certificate be regenerated even if it already exists and is valid. type: bool default: false + idempotency: + description: + - When C(partial) and I(force=false) an existing certificate will be regenerated based on + I(serial), I(type), I(valid_from), I(valid_to), I(valid_at), and I(principals). + - When C(full) and I(force=false), I(identifier), I(options), I(public_key), and I(signing_key) + are also considered when compared against an existing certificate. + type: str + choices: + - partial + - full + default: partial + version_added: 1.8.0 path: description: - Path of the file containing the certificate. @@ -224,8 +236,10 @@ from ansible.module_utils.common.text.converters import to_native, to_text from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import ( + get_default_options, OpensshCertificate, OpensshCertificateTimeParameters, + parse_option_list, ) from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import ( @@ -242,8 +256,9 @@ def __init__(self, module): self.ssh_keygen = module.get_bin_path('ssh-keygen', True) self.force = module.params['force'] + self.idempotency = module.params['idempotency'] self.identifier = module.params['identifier'] or "" - self.options = module.params['options'] + self.options = module.params['options'] or [] self.path = module.params['path'] self.pkcs11_provider = module.params['pkcs11_provider'] self.principals = module.params['principals'] or [] @@ -377,6 +392,28 @@ def _command_arguments(self, key_copy_path): return result + def _compare_options(self): + try: + critical_options, extensions = parse_option_list( + list(set(self.options).union(set(get_default_options()))) + ) + except ValueError as e: + return self.module.fail_json(msg=to_native(e)) + + return (set(self.original_data.critical_options) == set(critical_options) and + set(self.original_data.extensions) == set(extensions)) + + def _compare_time_parameters(self): + try: + original_time_parameters = OpensshCertificateTimeParameters( + valid_from=self.original_data.valid_after, + valid_to=self.original_data.valid_before + ) + except ValueError as e: + return self.module.fail_json(msg=to_native(e)) + + return original_time_parameters == self.time_parameters and original_time_parameters.within_range(self.valid_at) + def _generate_diff(self): before = self.original_data.to_dict() if self.original_data else {} before.pop('nonce', None) @@ -388,21 +425,24 @@ def _generate_diff(self): def _get_cert_info(self): return self.module.run_command([self.ssh_keygen, '-Lf', self.path])[1] + def _get_key_fingerprint(self, path): + stdout = self.module.run_command([self.ssh_keygen, '-lf', path], check_rc=True)[1] + return stdout.split()[1] + def _is_valid(self): if self.original_data: - try: - original_time_parameters = OpensshCertificateTimeParameters( - valid_from=self.original_data.valid_after, - valid_to=self.original_data.valid_before - ) - except ValueError as e: - return self.module.fail_json(msg=to_native(e)) - return all([ - self.original_data.type == self.type, - set(to_text(p) for p in self.original_data.principals) == set(self.principals), + partial_result = all([ + set(self.original_data.principals) == set(self.principals), self.original_data.serial == self.serial_number if self.serial_number is not None else True, - original_time_parameters == self.time_parameters, - original_time_parameters.within_range(self.valid_at) + self.original_data.type == self.type, + self._compare_time_parameters(), + ]) + + return partial_result if self.idempotency == 'partial' else partial_result and all([ + self._compare_options(), + self.original_data.key_id == self.identifier, + self.original_data.public_key == self._get_key_fingerprint(self.public_key), + self.original_data.signing_key == self._get_key_fingerprint(self.signing_key), ]) return False @@ -452,6 +492,7 @@ def main(): module = AnsibleModule( argument_spec=dict( force=dict(type='bool', default=False), + idempotency=dict(type='str', default='partial', choices=['partial', 'full']), identifier=dict(type='str'), options=dict(type='list', elements='str'), path=dict(type='path', required=True), diff --git a/tests/integration/targets/openssh_cert/tests/idempotency.yml b/tests/integration/targets/openssh_cert/tests/idempotency.yml index 3844a94ce..856ce4337 100644 --- a/tests/integration/targets/openssh_cert/tests/idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/idempotency.yml @@ -177,12 +177,17 @@ valid_from: "2001-01-21" valid_to: "2019-01-21" changed: false - # Options are currently not checked for idempotency purposes - test_name: Generate an OpenSSH user Certificate with no options (idempotent) type: user valid_from: "2001-01-21" valid_to: "2019-01-21" changed: false + - test_name: Generate an OpenSSH user Certificate with no options - full idempotency (idempotent) + type: user + valid_from: "2001-01-21" + valid_to: "2019-01-21" + idempotency: full + changed: true - test_name: Generate cert without serial type: user valid_from: always @@ -228,13 +233,19 @@ valid_from: always valid_to: forever changed: false - # Identifiers are not included in idempotency checks so a new cert will not be generated - test_name: Generate cert with identifier type: user identifier: foo valid_from: always valid_to: forever changed: false + - test_name: Generate cert with identifier - full idempotency + type: user + identifier: foo + valid_from: always + valid_to: forever + idempotency: full + changed: true - name: Execute idempotency tests openssh_cert: @@ -251,6 +262,7 @@ valid_at: "{{ test_case.valid_at | default(omit) }}" valid_from: "{{ test_case.valid_from | default(omit) }}" valid_to: "{{ test_case.valid_to | default(omit) }}" + idempotency: "{{ test_case.idempotency | default(omit) }}" check_mode: "{{ test_case.check_mode | default(omit) }}" register: idempotency_test_output loop: "{{ test_cases }}" diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml index ecaeae7e7..ccf16b265 100644 --- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml @@ -40,12 +40,35 @@ valid_to: forever register: new_public_key_output -# Signing key and public key are not considered during idempotency checks +- name: Generate cert with new signing key - full idempotency + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ new_signing_key }}" + valid_from: always + valid_to: forever + idempotency: full + register: new_signing_key_full_idempotency_output + +- name: Generate cert with new pubic key - full idempotency + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ new_public_key }}" + signing_key: "{{ new_signing_key }}" + valid_from: always + valid_to: forever + idempotency: full + register: new_public_key_full_idempotency_output + - name: Assert changes to public key or signing key results in no change assert: that: - new_signing_key_output is not changed - new_public_key_output is not changed + - new_signing_key_full_idempotency_output is changed + - new_public_key_full_idempotency_output is changed - name: Remove certificate openssh_cert: diff --git a/tests/unit/plugins/module_utils/openssh/test_certificate.py b/tests/unit/plugins/module_utils/openssh/test_certificate.py index c9e2f4345..036305a76 100644 --- a/tests/unit/plugins/module_utils/openssh/test_certificate.py +++ b/tests/unit/plugins/module_utils/openssh/test_certificate.py @@ -8,8 +8,11 @@ import pytest from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import ( + get_default_options, OpensshCertificate, - OpensshCertificateTimeParameters + OpensshCertificateOption, + OpensshCertificateTimeParameters, + parse_option_list ) # Type: ssh-rsa-cert-v01@openssh.com user certificate @@ -118,16 +121,16 @@ # garbage INVALID_DATA = b'yDspTN+BJzvIK2Q+CRD3qBDVSi+YqSxwyz432VEaHKlXbuLURirY0QpuBCqgR6tCtWW5vEGkXKZ3' -VALID_OPTS = [(b'force-command', b'/usr/bin/csh')] -INVALID_OPTS = [(b'test', b'undefined')] +VALID_OPTS = [OpensshCertificateOption('critical', 'force-command', '/usr/bin/csh')] +INVALID_OPTS = [OpensshCertificateOption('critical', 'test', 'undefined')] VALID_EXTENSIONS = [ - (b'permit-X11-forwarding', b''), - (b'permit-agent-forwarding', b''), - (b'permit-port-forwarding', b''), - (b'permit-pty', b''), - (b'permit-user-rc', b''), + OpensshCertificateOption('extension', 'permit-X11-forwarding', ''), + OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), + OpensshCertificateOption('extension', 'permit-port-forwarding', ''), + OpensshCertificateOption('extension', 'permit-pty', ''), + OpensshCertificateOption('extension', 'permit-user-rc', ''), ] -INVALID_EXTENSIONS = [(b'test', b'')] +INVALID_EXTENSIONS = [OpensshCertificateOption('extension', 'test', '')] VALID_TIME_PARAMETERS = [ (0, "always", "always", 0, @@ -177,6 +180,20 @@ ("2000-01-01 00:00:00", "2000-01-01 00:00:01", "2000-01-01 00:00:02"), ] +VALID_OPTIONS = [ + ("force-command=/usr/bin/csh", OpensshCertificateOption('critical', 'force-command', '/usr/bin/csh')), + ("permit-X11-forwarding", OpensshCertificateOption('extension', 'permit-X11-forwarding', '')), + ("critical:foo=bar", OpensshCertificateOption('critical', 'foo', 'bar')), + ("extension:foo", OpensshCertificateOption('extension', 'foo', '')), +] + +INVALID_OPTIONS = [ + "foobar", + "foo=bar", + 'foo:bar=baz', + [], +] + def test_rsa_certificate(tmpdir): cert_file = tmpdir / 'id_rsa-cert.pub' @@ -275,3 +292,32 @@ def test_valid_validity_test(valid_from, valid_to, valid_at): @pytest.mark.parametrize("valid_from,valid_to,valid_at", INVALID_VALIDITY_TEST) def test_invalid_validity_test(valid_from, valid_to, valid_at): assert not OpensshCertificateTimeParameters(valid_from, valid_to).within_range(valid_at) + + +@pytest.mark.parametrize("option_string,option_object", VALID_OPTIONS) +def test_valid_options(option_string, option_object): + assert OpensshCertificateOption.from_string(option_string) == option_object + + +@pytest.mark.parametrize("option_string", INVALID_OPTIONS) +def test_invalid_options(option_string): + with pytest.raises(ValueError): + OpensshCertificateOption.from_string(option_string) + + +def test_parse_option_list(): + option_list = ['force-command=/usr/bin/csh', 'no-pty', 'no-agent-forwarding'] + list(get_default_options()) + critical_options, extensions = parse_option_list(option_list) + + critical_option_objects = [ + OpensshCertificateOption.from_string('force-command=/usr/bin/csh'), + ] + + extension_objects = [ + OpensshCertificateOption.from_string('permit-X11-forwarding'), + OpensshCertificateOption.from_string('permit-port-forwarding'), + OpensshCertificateOption.from_string('permit-user-rc'), + ] + + assert set(critical_options) == set(critical_option_objects) + assert set(extensions) == set(extension_objects) From 978ca7cdb43a54ea5e46f8e12fabad1731c8959b Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Fri, 16 Jul 2021 19:45:03 -0400 Subject: [PATCH 02/13] Fixing unit tests --- .../plugins/module_utils/openssh/test_certificate.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/unit/plugins/module_utils/openssh/test_certificate.py b/tests/unit/plugins/module_utils/openssh/test_certificate.py index 036305a76..e6d50b6e3 100644 --- a/tests/unit/plugins/module_utils/openssh/test_certificate.py +++ b/tests/unit/plugins/module_utils/openssh/test_certificate.py @@ -200,9 +200,9 @@ def test_rsa_certificate(tmpdir): cert_file.write(RSA_CERT_SIGNED_BY_DSA, mode='wb') cert = OpensshCertificate.load(str(cert_file)) - assert cert.key_id == b'test' + assert cert.key_id == 'test' assert cert.serial == 0 - assert cert.type_string == b'ssh-rsa-cert-v01@openssh.com' + assert cert.type_string == 'ssh-rsa-cert-v01@openssh.com' assert cert.public_key == RSA_FINGERPRINT assert cert.signing_key == DSA_FINGERPRINT @@ -213,7 +213,7 @@ def test_dsa_certificate(tmpdir): cert = OpensshCertificate.load(str(cert_file)) - assert cert.type_string == b'ssh-dss-cert-v01@openssh.com' + assert cert.type_string == 'ssh-dss-cert-v01@openssh.com' assert cert.public_key == DSA_FINGERPRINT assert cert.signing_key == ECDSA_FINGERPRINT assert cert.critical_options == [] @@ -225,7 +225,7 @@ def test_ecdsa_certificate(tmpdir): cert_file.write(ECDSA_CERT_SIGNED_BY_ED25519_VALID_OPTS) cert = OpensshCertificate.load(str(cert_file)) - assert cert.type_string == b'ecdsa-sha2-nistp256-cert-v01@openssh.com' + assert cert.type_string == 'ecdsa-sha2-nistp256-cert-v01@openssh.com' assert cert.public_key == ECDSA_FINGERPRINT assert cert.signing_key == ED25519_FINGERPRINT assert cert.critical_options == VALID_OPTS @@ -237,7 +237,7 @@ def test_ed25519_certificate(tmpdir): cert_file.write(ED25519_CERT_SIGNED_BY_RSA_INVALID_OPTS) cert = OpensshCertificate.load(str(cert_file)) - assert cert.type_string == b'ssh-ed25519-cert-v01@openssh.com' + assert cert.type_string == 'ssh-ed25519-cert-v01@openssh.com' assert cert.public_key == ED25519_FINGERPRINT assert cert.signing_key == RSA_FINGERPRINT assert cert.critical_options == INVALID_OPTS From f5f12f23dde3468eec7ac0e1ab82fd183a03c256 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Fri, 16 Jul 2021 19:50:39 -0400 Subject: [PATCH 03/13] More unit fixes --- .../unit/plugins/module_utils/openssh/test_certificate.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/unit/plugins/module_utils/openssh/test_certificate.py b/tests/unit/plugins/module_utils/openssh/test_certificate.py index e6d50b6e3..164d0ff00 100644 --- a/tests/unit/plugins/module_utils/openssh/test_certificate.py +++ b/tests/unit/plugins/module_utils/openssh/test_certificate.py @@ -45,7 +45,7 @@ b'Q7c8c/tNDaL7uqV46QQAAADcAAAAHc3NoLWRzcwAAAChaQ94wqca+KhkHtbkLpjvGsfu0Gy03SAb0+o11Shk/BXnK7N/cwEVD ' + b'ansible@ansible-host' ) -RSA_FINGERPRINT = b'SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030' +RSA_FINGERPRINT = 'SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030' # Type: ssh-dss-cert-v01@openssh.com user certificate # Public key: DSA-CERT SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8 # Signing CA: ECDSA SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w @@ -67,7 +67,7 @@ b'wvanQKM01uU73swNIt+ZFra9kRSi21xjzgMPn7U0AAABkAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABJAAAAIGmlKa/riG7+EpoW6dTJY6' + b'0N8BrEcniKgOxdRM1EPJ2DAAAAIQDnK4stvbvS+Bn0/42Was7uOfJtnLYXs5EuB2L3uejPcQ== ansible@ansible-host' ) -DSA_FINGERPRINT = b'SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8' +DSA_FINGERPRINT = 'SHA256:YCdJ2lYU+FSkWUud7zg1SJszprXoRGNU/GVcqXUjgC8' # Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate # Public key: ECDSA-CERT SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w # Signing CA: ED25519 SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40 @@ -93,7 +93,7 @@ b'TUxOQAAAEAdp3eOLRN5t2wW29TBWbz604uuXg88jH4RA4HDhbRupa/x2rN3j6iZQ4VXPLA4JtdfIslHFkH6HUlxU8XsoJwP ' + b'ansible@ansible-host' ) -ECDSA_FINGERPRINT = b'SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w' +ECDSA_FINGERPRINT = 'SHA256:w9lp4zGRJShhm4DzO3ulVm0BEcR0PMjrM6VanQo4C0w' # Type: ssh-ed25519-cert-v01@openssh.com user certificate # Public key: ED25519-CERT SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40 # Signing CA: RSA SHA256:SvUwwUer4AwsdePYseJR3LcZS8lnKi6BqiL51Dop030 @@ -117,7 +117,7 @@ b'7WJpz3eypBJt4TglwRTJpp54IMN2CyDQm0N97x9ris8jQQHlCF2EgZp1u4aOiZJTSJ5d4hapO0uZwXOI9AIWy/lmx0/6jX07MWrs4iXpfiF' + b'5T4s6kEn7YW4SaJ0Z7xGp3V0vDOxh+jwHZGD5GM449Il6QxQwDY5BSJq+iMR467yaIjw2g8Kt4ZiU= ansible@ansible-host' ) -ED25519_FINGERPRINT = b'SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40' +ED25519_FINGERPRINT = 'SHA256:NP4JdfkCopbjwMepq0aPrpMz13cNmEd+uDOxC/j9N40' # garbage INVALID_DATA = b'yDspTN+BJzvIK2Q+CRD3qBDVSi+YqSxwyz432VEaHKlXbuLURirY0QpuBCqgR6tCtWW5vEGkXKZ3' From a90cb514d7f9f9ef1a2fe133ac9368964ee3d62e Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Fri, 16 Jul 2021 20:06:53 -0400 Subject: [PATCH 04/13] Adding changelog fragment --- .../fragments/256-openssh_cert-adding-idempotency-option.yml | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml diff --git a/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml b/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml new file mode 100644 index 000000000..640850ab6 --- /dev/null +++ b/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml @@ -0,0 +1,4 @@ +--- +minor_changes: + - openssh_cert - added ``idempotency`` option to validate additional certificate parameters which trigger + regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256). From 1fccf6d6e4ca7dae14624706e18759a762bc464b Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sat, 17 Jul 2021 08:17:04 -0400 Subject: [PATCH 05/13] Minor refactor in Certificate.generate() --- plugins/modules/openssh_cert.py | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index 5e9250de8..8357e3f2b 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -298,18 +298,7 @@ def exists(self): def generate(self): if not self._is_valid() or self.force: if not self.check_mode: - key_copy = os.path.join(self.module.tmpdir, os.path.basename(self.public_key)) - - try: - self.module.preserved_copy(self.public_key, key_copy) - except OSError as e: - self.module.fail_json(msg="Unable to stage temporary key: %s" % to_native(e)) - self.module.add_cleanup_file(key_copy) - - self.module.run_command(self._command_arguments(key_copy), environ_update=dict(TZ="UTC"), check_rc=True) - - temp_cert = os.path.splitext(key_copy)[0] + '-cert.pub' - self.module.add_cleanup_file(temp_cert) + temp_cert = self._generate_temp_certificate() backup_cert = self.module.backup_local(self.path) if self.exists() else None try: @@ -422,6 +411,22 @@ def _generate_diff(self): return {'before': before, 'after': after} + def _generate_temp_certificate(self): + key_copy = os.path.join(self.module.tmpdir, os.path.basename(self.public_key)) + + try: + self.module.preserved_copy(self.public_key, key_copy) + except OSError as e: + self.module.fail_json(msg="Unable to stage temporary key: %s" % to_native(e)) + self.module.add_cleanup_file(key_copy) + + self.module.run_command(self._command_arguments(key_copy), environ_update=dict(TZ="UTC"), check_rc=True) + + temp_cert = os.path.splitext(key_copy)[0] + '-cert.pub' + self.module.add_cleanup_file(temp_cert) + + return temp_cert + def _get_cert_info(self): return self.module.run_command([self.ssh_keygen, '-Lf', self.path])[1] From 2246c615449ff4b20f7e439d6578d2343908cc5b Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sat, 17 Jul 2021 09:27:39 -0400 Subject: [PATCH 06/13] Addressing option case-sensitivity and directive overrides --- plugins/module_utils/openssh/certificate.py | 37 +++---- plugins/modules/openssh_cert.py | 5 +- .../targets/openssh_cert/tasks/main.yml | 3 + .../openssh_cert/tests/key_idempotency.yml | 2 +- .../tests/options_idempotency.yml | 102 ++++++++++++++++++ .../module_utils/openssh/test_certificate.py | 37 +++++-- 6 files changed, 157 insertions(+), 29 deletions(-) create mode 100644 tests/integration/targets/openssh_cert/tests/options_idempotency.yml diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 1cbbe5860..42bcb61a6 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -91,7 +91,7 @@ ) _EXTENSIONS = ( - 'permit-X11-forwarding', + 'permit-x11-forwarding', 'permit-agent-forwarding', 'permit-port-forwarding', 'permit-pty', @@ -215,7 +215,7 @@ def __init__(self, option_type, name, data): raise TypeError("data must be a string not %s" % type(data)) self._option_type = option_type - self._name = name + self._name = name.lower() self._data = data def __eq__(self, other): @@ -268,6 +268,8 @@ def from_string(cls, option_string): else: name, data = option_string.strip(), '' + name = name.lower() + if option_type is None: if name in _CRITICAL_OPTIONS: option_type = 'critical' @@ -604,10 +606,18 @@ def to_dict(self): } -def apply_directives(directives, extensions): +def apply_directives(directives): if any(d not in _DIRECTIVES for d in directives): raise ValueError("directives must be one of %s" % ", ".join(_DIRECTIVES)) + default_options = [ + OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), + OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), + OpensshCertificateOption('extension', 'permit-port-forwarding', ''), + OpensshCertificateOption('extension', 'permit-pty', ''), + OpensshCertificateOption('extension', 'permit-user-rc', ''), + ] + directive_to_option = { 'no-x11-forwarding': OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), 'no-agent-forwarding': OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), @@ -616,15 +626,10 @@ def apply_directives(directives, extensions): 'no-user-rc': OpensshCertificateOption('extension', 'permit-user-rc', ''), } - if 'clear' not in directives: - result = extensions[:] - for directive in directives: - option = directive_to_option[directive] - if option in result: - result.remove(option) - return result - else: + if 'clear' in directives: return [] + else: + return list(set(default_options) - set(directive_to_option[d] for d in directives)) def fingerprint(public_key): @@ -649,10 +654,6 @@ def get_cert_info_object(key_type): return cert_info -def get_default_options(): - return _EXTENSIONS - - def is_relative_time_string(time_string): return time_string.startswith("+") or time_string.startswith("-") @@ -663,8 +664,8 @@ def parse_option_list(option_list): extensions = [] for option in option_list: - if option in _DIRECTIVES: - directives.append(option) + if option.lower() in _DIRECTIVES: + directives.append(option.lower()) else: option_object = OpensshCertificateOption.from_string(option) if option_object.type == 'critical': @@ -672,4 +673,4 @@ def parse_option_list(option_list): else: extensions.append(option_object) - return critical_options, apply_directives(directives, extensions) + return critical_options, list(set(extensions + apply_directives(directives))) diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index 8357e3f2b..d23e950c8 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -236,7 +236,6 @@ from ansible.module_utils.common.text.converters import to_native, to_text from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import ( - get_default_options, OpensshCertificate, OpensshCertificateTimeParameters, parse_option_list, @@ -383,9 +382,7 @@ def _command_arguments(self, key_copy_path): def _compare_options(self): try: - critical_options, extensions = parse_option_list( - list(set(self.options).union(set(get_default_options()))) - ) + critical_options, extensions = parse_option_list(self.options) except ValueError as e: return self.module.fail_json(msg=to_native(e)) diff --git a/tests/integration/targets/openssh_cert/tasks/main.yml b/tests/integration/targets/openssh_cert/tasks/main.yml index c1897d6cf..39ff448e7 100644 --- a/tests/integration/targets/openssh_cert/tasks/main.yml +++ b/tests/integration/targets/openssh_cert/tasks/main.yml @@ -22,6 +22,9 @@ - name: Import key_idempotency tests import_tasks: ../tests/key_idempotency.yml + - name: Import options tests + import_tasks: ../tests/options_idempotency.yml + - name: Import remove tests import_tasks: ../tests/remove.yml when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml index ccf16b265..487af7a9c 100644 --- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml @@ -62,7 +62,7 @@ idempotency: full register: new_public_key_full_idempotency_output -- name: Assert changes to public key or signing key results in no change +- name: Assert changes to public key or signing key results in no change unless idempotency=full assert: that: - new_signing_key_output is not changed diff --git a/tests/integration/targets/openssh_cert/tests/options_idempotency.yml b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml new file mode 100644 index 000000000..802efd278 --- /dev/null +++ b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml @@ -0,0 +1,102 @@ +#################################################################### +# WARNING: These are designed specifically for Ansible tests # +# and should not be used as examples of how to write Ansible roles # +#################################################################### + +- name: Generate cert with no options + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + options: + - clear + idempotency: full + register: no_options + +- name: Generate cert with no options with explicit directives + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + options: + - no-user-rc + - no-x11-forwarding + - no-agent-forwarding + - no-port-forwarding + - no-pty + idempotency: full + register: no_options_explicit_directives + +- name: Generate cert with explicit extension + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + options: + - clear + - permit-pty + idempotency: full + register: explicit_extension_before + +- name: Generate cert with explicit extension (idempotency) + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + options: + - clear + - permit-pty + idempotency: full + register: explicit_extension_after + +- name: Generate cert with explicit extension and corresponding directive + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + options: + - no-pty + - permit-pty + idempotency: full + register: explicit_extension_and_directive + +- name: Generate cert with default options + openssh_cert: + type: user + path: "{{ certificate_path }}" + public_key: "{{ public_key }}" + signing_key: "{{ signing_key }}" + valid_from: always + valid_to: forever + idempotency: full + register: default_options + +- name: Assert options results + assert: + that: + - no_options is changed + - no_options_explicit_directives is not changed + - explicit_extension_before is changed + - explicit_extension_after is not changed + - explicit_extension_and_directive is changed + - default_options is not changed + +- name: Remove certificate + openssh_cert: + path: "{{ certificate_path }}" + state: absent diff --git a/tests/unit/plugins/module_utils/openssh/test_certificate.py b/tests/unit/plugins/module_utils/openssh/test_certificate.py index 164d0ff00..e6574ea2e 100644 --- a/tests/unit/plugins/module_utils/openssh/test_certificate.py +++ b/tests/unit/plugins/module_utils/openssh/test_certificate.py @@ -8,7 +8,6 @@ import pytest from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import ( - get_default_options, OpensshCertificate, OpensshCertificateOption, OpensshCertificateTimeParameters, @@ -124,7 +123,7 @@ VALID_OPTS = [OpensshCertificateOption('critical', 'force-command', '/usr/bin/csh')] INVALID_OPTS = [OpensshCertificateOption('critical', 'test', 'undefined')] VALID_EXTENSIONS = [ - OpensshCertificateOption('extension', 'permit-X11-forwarding', ''), + OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), OpensshCertificateOption('extension', 'permit-port-forwarding', ''), OpensshCertificateOption('extension', 'permit-pty', ''), @@ -182,7 +181,9 @@ VALID_OPTIONS = [ ("force-command=/usr/bin/csh", OpensshCertificateOption('critical', 'force-command', '/usr/bin/csh')), - ("permit-X11-forwarding", OpensshCertificateOption('extension', 'permit-X11-forwarding', '')), + ("Force-Command=/Usr/Bin/Csh", OpensshCertificateOption('critical', 'force-command', '/Usr/Bin/Csh')), + ("permit-x11-forwarding", OpensshCertificateOption('extension', 'permit-x11-forwarding', '')), + ("permit-X11-forwarding", OpensshCertificateOption('extension', 'permit-x11-forwarding', '')), ("critical:foo=bar", OpensshCertificateOption('critical', 'foo', 'bar')), ("extension:foo", OpensshCertificateOption('extension', 'foo', '')), ] @@ -306,18 +307,42 @@ def test_invalid_options(option_string): def test_parse_option_list(): - option_list = ['force-command=/usr/bin/csh', 'no-pty', 'no-agent-forwarding'] + list(get_default_options()) - critical_options, extensions = parse_option_list(option_list) + critical_options, extensions = parse_option_list(['force-command=/usr/bin/csh']) critical_option_objects = [ OpensshCertificateOption.from_string('force-command=/usr/bin/csh'), ] extension_objects = [ - OpensshCertificateOption.from_string('permit-X11-forwarding'), + OpensshCertificateOption.from_string('permit-x11-forwarding'), + OpensshCertificateOption.from_string('permit-agent-forwarding'), OpensshCertificateOption.from_string('permit-port-forwarding'), OpensshCertificateOption.from_string('permit-user-rc'), + OpensshCertificateOption.from_string('permit-pty'), ] assert set(critical_options) == set(critical_option_objects) assert set(extensions) == set(extension_objects) + + +def test_parse_option_list_with_directives(): + critical_options, extensions = parse_option_list(['clear', 'no-pty', 'permit-pty', 'permit-user-rc']) + + extension_objects = [ + OpensshCertificateOption.from_string('permit-user-rc'), + OpensshCertificateOption.from_string('permit-pty'), + ] + + assert set(critical_options) == set() + assert set(extensions) == set(extension_objects) + + +def test_parse_option_list_case_sensitivity(): + critical_options, extensions = parse_option_list(['CLEAR', 'no-X11-forwarding', 'permit-X11-forwarding']) + + extension_objects = [ + OpensshCertificateOption.from_string('permit-x11-forwarding'), + ] + + assert set(critical_options) == set() + assert set(extensions) == set(extension_objects) From 9f4640563391ea969d8cfa094329b225bd3b7c54 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sat, 17 Jul 2021 11:17:22 -0400 Subject: [PATCH 07/13] Renaming idempotency to regenerate --- plugins/modules/openssh_cert.py | 63 ++++++--- .../targets/openssh_cert/tasks/main.yml | 3 + .../openssh_cert/tests/idempotency.yml | 6 +- .../openssh_cert/tests/key_idempotency.yml | 4 +- .../tests/options_idempotency.yml | 12 +- .../targets/openssh_cert/tests/regenerate.yml | 121 ++++++++++++++++++ 6 files changed, 183 insertions(+), 26 deletions(-) create mode 100644 tests/integration/targets/openssh_cert/tests/regenerate.yml diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index d23e950c8..cddedd583 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -34,25 +34,34 @@ force: description: - Should the certificate be regenerated even if it already exists and is valid. + - Equivalent to I(regenerate=always). type: bool default: false - idempotency: + path: + description: + - Path of the file containing the certificate. + type: path + required: true + regenerate: description: - - When C(partial) and I(force=false) an existing certificate will be regenerated based on + - When C(never) the task will fail if a certificate already exists at I(path) and is unreadable + otherwise a new certificate will only be generated if there is no existing certificate. + - When C(fail) the task will fail if a certificate already exists at I(path) and does not + match the module's options. + - When C(partial_idempotence) an existing certificate will be regenerated based on I(serial), I(type), I(valid_from), I(valid_to), I(valid_at), and I(principals). - - When C(full) and I(force=false), I(identifier), I(options), I(public_key), and I(signing_key) + - When C(full_idempotence) I(identifier), I(options), I(public_key), and I(signing_key) are also considered when compared against an existing certificate. + - C(always) is equivalent to I(force=true). type: str choices: - - partial - - full - default: partial + - never + - fail + - partial_idempotence + - full_idempotence + - always + default: partial_idempotence version_added: 1.8.0 - path: - description: - - Path of the file containing the certificate. - type: path - required: true signing_key: description: - The path to the private openssh key that is used for signing the public key in order to generate the certificate. @@ -255,13 +264,13 @@ def __init__(self, module): self.ssh_keygen = module.get_bin_path('ssh-keygen', True) self.force = module.params['force'] - self.idempotency = module.params['idempotency'] self.identifier = module.params['identifier'] or "" self.options = module.params['options'] or [] self.path = module.params['path'] self.pkcs11_provider = module.params['pkcs11_provider'] self.principals = module.params['principals'] or [] self.public_key = module.params['public_key'] + self.regenerate = module.params['regenerate'] if not self.force else 'always' self.serial_number = module.params['serial_number'] self.signing_key = module.params['signing_key'] self.state = module.params['state'] @@ -287,6 +296,8 @@ def __init__(self, module): try: self.original_data = OpensshCertificate.load(self.path) except (TypeError, ValueError) as e: + if self.regenerate in ('never', 'fail'): + self.module.fail_json(msg="Unable to read existing certificate: %s" % to_native(e)) self.module.warn("Unable to read existing certificate: %s" % to_native(e)) self._validate_parameters() @@ -295,7 +306,7 @@ def exists(self): return os.path.exists(self.path) def generate(self): - if not self._is_valid() or self.force: + if self._should_generate(): if not self.check_mode: temp_cert = self._generate_temp_certificate() backup_cert = self.module.backup_local(self.path) if self.exists() else None @@ -440,7 +451,7 @@ def _is_valid(self): self._compare_time_parameters(), ]) - return partial_result if self.idempotency == 'partial' else partial_result and all([ + return partial_result if self.regenerate == 'partial_idempotence' else partial_result and all([ self._compare_options(), self.original_data.key_id == self.identifier, self.original_data.public_key == self._get_key_fingerprint(self.public_key), @@ -448,6 +459,24 @@ def _is_valid(self): ]) return False + def _should_generate(self): + if self.regenerate == 'never': + result = self.original_data is None + elif self.regenerate == 'fail': + if not self._is_valid(): + cert = self.original_data.to_dict() + cert.pop('nonce', None) + self.module.fail_json( + msg="Certificate does not match the provided options.", + cert=cert + ) + result = self.original_data is None + elif self.regenerate in ('partial_idempotence', 'full_idempotence'): + result = not self._is_valid() + else: + result = True + return result + def _update_permissions(self): file_args = self.module.load_file_common_arguments(self.module.params) self.changed = self.module.set_fs_attributes_if_different(file_args, self.changed) @@ -494,13 +523,17 @@ def main(): module = AnsibleModule( argument_spec=dict( force=dict(type='bool', default=False), - idempotency=dict(type='str', default='partial', choices=['partial', 'full']), identifier=dict(type='str'), options=dict(type='list', elements='str'), path=dict(type='path', required=True), pkcs11_provider=dict(type='str'), principals=dict(type='list', elements='str'), public_key=dict(type='path'), + regenerate=dict( + type='str', + default='partial_idempotence', + choices=['never', 'fail', 'partial_idempotence', 'full_idempotence', 'always'] + ), signing_key=dict(type='path'), serial_number=dict(type='int'), state=dict(type='str', default='present', choices=['absent', 'present']), diff --git a/tests/integration/targets/openssh_cert/tasks/main.yml b/tests/integration/targets/openssh_cert/tasks/main.yml index 39ff448e7..c257a42c3 100644 --- a/tests/integration/targets/openssh_cert/tasks/main.yml +++ b/tests/integration/targets/openssh_cert/tasks/main.yml @@ -25,6 +25,9 @@ - name: Import options tests import_tasks: ../tests/options_idempotency.yml + - name: Import regenerate tests + import_tasks: ../tests/regenerate.yml + - name: Import remove tests import_tasks: ../tests/remove.yml when: not (ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "6") diff --git a/tests/integration/targets/openssh_cert/tests/idempotency.yml b/tests/integration/targets/openssh_cert/tests/idempotency.yml index 856ce4337..2e468a2f1 100644 --- a/tests/integration/targets/openssh_cert/tests/idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/idempotency.yml @@ -186,7 +186,7 @@ type: user valid_from: "2001-01-21" valid_to: "2019-01-21" - idempotency: full + regenerate: full_idempotence changed: true - test_name: Generate cert without serial type: user @@ -244,7 +244,7 @@ identifier: foo valid_from: always valid_to: forever - idempotency: full + regenerate: full_idempotence changed: true - name: Execute idempotency tests @@ -262,7 +262,7 @@ valid_at: "{{ test_case.valid_at | default(omit) }}" valid_from: "{{ test_case.valid_from | default(omit) }}" valid_to: "{{ test_case.valid_to | default(omit) }}" - idempotency: "{{ test_case.idempotency | default(omit) }}" + regenerate: "{{ test_case.regenerate | default(omit) }}" check_mode: "{{ test_case.check_mode | default(omit) }}" register: idempotency_test_output loop: "{{ test_cases }}" diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml index 487af7a9c..b8e364348 100644 --- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml @@ -48,7 +48,7 @@ signing_key: "{{ new_signing_key }}" valid_from: always valid_to: forever - idempotency: full + regenerate: full_idempotence register: new_signing_key_full_idempotency_output - name: Generate cert with new pubic key - full idempotency @@ -59,7 +59,7 @@ signing_key: "{{ new_signing_key }}" valid_from: always valid_to: forever - idempotency: full + regenerate: full_idempotence register: new_public_key_full_idempotency_output - name: Assert changes to public key or signing key results in no change unless idempotency=full diff --git a/tests/integration/targets/openssh_cert/tests/options_idempotency.yml b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml index 802efd278..cb2c35e25 100644 --- a/tests/integration/targets/openssh_cert/tests/options_idempotency.yml +++ b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml @@ -13,7 +13,7 @@ valid_to: forever options: - clear - idempotency: full + regenerate: full_idempotence register: no_options - name: Generate cert with no options with explicit directives @@ -30,7 +30,7 @@ - no-agent-forwarding - no-port-forwarding - no-pty - idempotency: full + regenerate: full_idempotence register: no_options_explicit_directives - name: Generate cert with explicit extension @@ -44,7 +44,7 @@ options: - clear - permit-pty - idempotency: full + regenerate: full_idempotence register: explicit_extension_before - name: Generate cert with explicit extension (idempotency) @@ -58,7 +58,7 @@ options: - clear - permit-pty - idempotency: full + regenerate: full_idempotence register: explicit_extension_after - name: Generate cert with explicit extension and corresponding directive @@ -72,7 +72,7 @@ options: - no-pty - permit-pty - idempotency: full + regenerate: full_idempotence register: explicit_extension_and_directive - name: Generate cert with default options @@ -83,7 +83,7 @@ signing_key: "{{ signing_key }}" valid_from: always valid_to: forever - idempotency: full + regenerate: full_idempotence register: default_options - name: Assert options results diff --git a/tests/integration/targets/openssh_cert/tests/regenerate.yml b/tests/integration/targets/openssh_cert/tests/regenerate.yml new file mode 100644 index 000000000..1405da400 --- /dev/null +++ b/tests/integration/targets/openssh_cert/tests/regenerate.yml @@ -0,0 +1,121 @@ +#################################################################### +# WARNING: These are designed specifically for Ansible tests # +# and should not be used as examples of how to write Ansible roles # +#################################################################### + +- set_fact: + test_cases: + - test_name: Generate certificate + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + changed: true + - test_name: Regenerate never - same options + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: never + changed: false + - test_name: Regenerate never - different options + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + options: + - clear + regenerate: never + changed: false + - test_name: Regenerate never with force + force: true + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: never + changed: true + - test_name: Regenerate fail - same options + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: fail + changed: false + - test_name: Regenerate fail - different options + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + options: + - clear + regenerate: fail + changed: false + ignore_errors: true + - test_name: Regenerate fail with force + force: true + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: fail + changed: true + - test_name: Regenerate always + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: always + changed: true + +- name: Execute regenerate tests + openssh_cert: + force: "{{ test_case.force | default(omit) }}" + options: "{{ test_case.options | default(omit) }}" + path: "{{ test_case.path | default(omit) }}" + public_key: "{{ test_case.public_key | default(omit) }}" + principals: "{{ test_case.principals | default(omit) }}" + regenerate: "{{ test_case.regenerate | default(omit) }}" + serial_number: "{{ test_case.serial_number | default(omit) }}" + signing_key: "{{ test_case.signing_key | default(omit) }}" + state: "{{ test_case.state | default(omit) }}" + type: "{{ test_case.type | default(omit) }}" + valid_at: "{{ test_case.valid_at | default(omit) }}" + valid_from: "{{ test_case.valid_from | default(omit) }}" + valid_to: "{{ test_case.valid_to | default(omit) }}" + check_mode: "{{ test_case.check_mode | default(omit) }}" + ignore_errors: "{{ test_case.ignore_errors | default(omit) }}" + register: regenerate_tests_output + loop: "{{ test_cases }}" + loop_control: + loop_var: test_case + +- name: Assert task statuses + assert: + that: + - result.changed == test_cases[index].changed + loop: "{{ regenerate_tests_output.results }}" + loop_control: + index_var: index + loop_var: result + +- name: Remove certificate + openssh_cert: + path: "{{ certificate_path }}" + state: absent From 0b0be884a15c2e7dbf32278dc51afd23f8224bba Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sat, 17 Jul 2021 12:59:17 -0400 Subject: [PATCH 08/13] updating changelog --- .../fragments/256-openssh_cert-adding-idempotency-option.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml b/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml index 640850ab6..d415fd8d5 100644 --- a/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml +++ b/changelogs/fragments/256-openssh_cert-adding-idempotency-option.yml @@ -1,4 +1,4 @@ --- minor_changes: - - openssh_cert - added ``idempotency`` option to validate additional certificate parameters which trigger + - openssh_cert - added ``regenerate`` option to validate additional certificate parameters which trigger regeneration of an existing certificate (https://github.com/ansible-collections/community.crypto/pull/256). From 65a611d389a6c4b4c21c1d2dad2447c1bd083e76 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sat, 17 Jul 2021 14:50:57 -0400 Subject: [PATCH 09/13] Minor refactoring of default options --- plugins/module_utils/openssh/certificate.py | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 42bcb61a6..4c7680bf4 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -610,14 +610,6 @@ def apply_directives(directives): if any(d not in _DIRECTIVES for d in directives): raise ValueError("directives must be one of %s" % ", ".join(_DIRECTIVES)) - default_options = [ - OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), - OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), - OpensshCertificateOption('extension', 'permit-port-forwarding', ''), - OpensshCertificateOption('extension', 'permit-pty', ''), - OpensshCertificateOption('extension', 'permit-user-rc', ''), - ] - directive_to_option = { 'no-x11-forwarding': OpensshCertificateOption('extension', 'permit-x11-forwarding', ''), 'no-agent-forwarding': OpensshCertificateOption('extension', 'permit-agent-forwarding', ''), @@ -629,7 +621,11 @@ def apply_directives(directives): if 'clear' in directives: return [] else: - return list(set(default_options) - set(directive_to_option[d] for d in directives)) + return list(set(default_options()) - set(directive_to_option[d] for d in directives)) + + +def default_options(): + return [OpensshCertificateOption('extension', name, '') for name in _EXTENSIONS] def fingerprint(public_key): From b8494734fb1929afd47a684c9f3842f147435074 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Sun, 18 Jul 2021 08:52:03 -0400 Subject: [PATCH 10/13] Cleaning up with inline functions --- plugins/module_utils/openssh/certificate.py | 24 ++++++------- plugins/modules/openssh_cert.py | 37 ++++++++++++--------- 2 files changed, 34 insertions(+), 27 deletions(-) diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 4c7680bf4..86f8fde87 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -268,19 +268,8 @@ def from_string(cls, option_string): else: name, data = option_string.strip(), '' - name = name.lower() - - if option_type is None: - if name in _CRITICAL_OPTIONS: - option_type = 'critical' - elif name in _EXTENSIONS: - option_type = 'extension' - else: - raise ValueError("%s is not a valid option. " % name + - "Custom options must start with 'critical:' or 'extension:' to indicate type") - return cls( - option_type=option_type, + option_type=option_type or get_option_type(name.lower()), name=name, data=data ) @@ -650,6 +639,17 @@ def get_cert_info_object(key_type): return cert_info +def get_option_type(name): + if name in _CRITICAL_OPTIONS: + result = 'critical' + elif name in _EXTENSIONS: + result = 'extension' + else: + raise ValueError("%s is not a valid option. " % name + + "Custom options must start with 'critical:' or 'extension:' to indicate type") + return result + + def is_relative_time_string(time_string): return time_string.startswith("+") or time_string.startswith("-") diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index cddedd583..ab4d5d956 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -345,7 +345,10 @@ def result(self): result = {'changed': self.changed} if self.module._diff: - result['diff'] = self._generate_diff() + result['diff'] = { + 'before': get_cert_dict(self.original_data), + 'after': get_cert_dict(self.data) + } if self.state == 'present': result.update({ @@ -397,8 +400,10 @@ def _compare_options(self): except ValueError as e: return self.module.fail_json(msg=to_native(e)) - return (set(self.original_data.critical_options) == set(critical_options) and - set(self.original_data.extensions) == set(extensions)) + return all([ + set(self.original_data.critical_options) == set(critical_options), + set(self.original_data.extensions) == set(extensions) + ]) def _compare_time_parameters(self): try: @@ -409,15 +414,10 @@ def _compare_time_parameters(self): except ValueError as e: return self.module.fail_json(msg=to_native(e)) - return original_time_parameters == self.time_parameters and original_time_parameters.within_range(self.valid_at) - - def _generate_diff(self): - before = self.original_data.to_dict() if self.original_data else {} - before.pop('nonce', None) - after = self.data.to_dict() if self.data else {} - after.pop('nonce', None) - - return {'before': before, 'after': after} + return all([ + original_time_parameters == self.time_parameters, + original_time_parameters.within_range(self.valid_at) + ]) def _generate_temp_certificate(self): key_copy = os.path.join(self.module.tmpdir, os.path.basename(self.public_key)) @@ -464,11 +464,9 @@ def _should_generate(self): result = self.original_data is None elif self.regenerate == 'fail': if not self._is_valid(): - cert = self.original_data.to_dict() - cert.pop('nonce', None) self.module.fail_json( msg="Certificate does not match the provided options.", - cert=cert + cert=get_cert_dict(self.original_data) ) result = self.original_data is None elif self.regenerate in ('partial_idempotence', 'full_idempotence'): @@ -519,6 +517,15 @@ def format_cert_info(cert_info): return result +def get_cert_dict(data): + if data is not None: + result = data.to_dict() + result.pop('nonce') + else: + result = {} + return result + + def main(): module = AnsibleModule( argument_spec=dict( From 20862c414c9f7b5ed2451e3b2eb54bf76cf57917 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Tue, 20 Jul 2021 09:38:31 -0400 Subject: [PATCH 11/13] Fixing false failures when regenerate=fail and improving clarity --- plugins/modules/openssh_cert.py | 49 +++++++++---------- .../targets/openssh_cert/tests/regenerate.yml | 14 ++++++ 2 files changed, 37 insertions(+), 26 deletions(-) diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index ab4d5d956..1dc16d739 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -443,37 +443,34 @@ def _get_key_fingerprint(self, path): return stdout.split()[1] def _is_valid(self): - if self.original_data: - partial_result = all([ - set(self.original_data.principals) == set(self.principals), - self.original_data.serial == self.serial_number if self.serial_number is not None else True, - self.original_data.type == self.type, - self._compare_time_parameters(), - ]) - - return partial_result if self.regenerate == 'partial_idempotence' else partial_result and all([ - self._compare_options(), - self.original_data.key_id == self.identifier, - self.original_data.public_key == self._get_key_fingerprint(self.public_key), - self.original_data.signing_key == self._get_key_fingerprint(self.signing_key), - ]) - return False + partial_result = all([ + set(self.original_data.principals) == set(self.principals), + self.original_data.serial == self.serial_number if self.serial_number is not None else True, + self.original_data.type == self.type, + self._compare_time_parameters(), + ]) + + return partial_result if self.regenerate == 'partial_idempotence' else partial_result and all([ + self._compare_options(), + self.original_data.key_id == self.identifier, + self.original_data.public_key == self._get_key_fingerprint(self.public_key), + self.original_data.signing_key == self._get_key_fingerprint(self.signing_key), + ]) def _should_generate(self): if self.regenerate == 'never': - result = self.original_data is None + return self.original_data is None elif self.regenerate == 'fail': - if not self._is_valid(): + if self.original_data and not self._is_valid(): self.module.fail_json( msg="Certificate does not match the provided options.", cert=get_cert_dict(self.original_data) ) - result = self.original_data is None + return self.original_data is None elif self.regenerate in ('partial_idempotence', 'full_idempotence'): - result = not self._is_valid() + return self.original_data is None or not self._is_valid() else: - result = True - return result + return True def _update_permissions(self): file_args = self.module.load_file_common_arguments(self.module.params) @@ -518,11 +515,11 @@ def format_cert_info(cert_info): def get_cert_dict(data): - if data is not None: - result = data.to_dict() - result.pop('nonce') - else: - result = {} + if data is None: + return {} + + result = data.to_dict() + result.pop('nonce') return result diff --git a/tests/integration/targets/openssh_cert/tests/regenerate.yml b/tests/integration/targets/openssh_cert/tests/regenerate.yml index 1405da400..38f4f7fab 100644 --- a/tests/integration/targets/openssh_cert/tests/regenerate.yml +++ b/tests/integration/targets/openssh_cert/tests/regenerate.yml @@ -12,6 +12,7 @@ path: "{{ certificate_path }}" valid_from: always valid_to: forever + regenerate: never changed: true - test_name: Regenerate never - same options type: user @@ -43,6 +44,19 @@ valid_to: forever regenerate: never changed: true + - test_name: Remove certificate + path: "{{ certificate_path }}" + state: absent + changed: true + - test_name: Regenerate fail - new certificate + type: user + signing_key: "{{ signing_key }}" + public_key: "{{ public_key }}" + path: "{{ certificate_path }}" + valid_from: always + valid_to: forever + regenerate: fail + changed: true - test_name: Regenerate fail - same options type: user signing_key: "{{ signing_key }}" From 7437bebe961d059490bd4d046f2260690fbdc690 Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Wed, 21 Jul 2021 08:13:22 -0400 Subject: [PATCH 12/13] Applying second round of review suggestions --- plugins/module_utils/openssh/certificate.py | 2 +- plugins/modules/openssh_cert.py | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 86f8fde87..ad3a4f573 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -205,7 +205,7 @@ def _time_string_to_datetime(time_string): class OpensshCertificateOption(object): def __init__(self, option_type, name, data): - if not isinstance(option_type, six.string_types) or option_type not in ('critical', 'extension'): + if option_type not in ('critical', 'extension'): raise ValueError("type must be either 'critical' or 'extension'") if not isinstance(name, six.string_types): diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index 1dc16d739..e6f46ffad 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -44,8 +44,8 @@ required: true regenerate: description: - - When C(never) the task will fail if a certificate already exists at I(path) and is unreadable - otherwise a new certificate will only be generated if there is no existing certificate. + - When C(never) the task will fail if a certificate already exists at I(path) and is unreadable. + Otherwise, a new certificate will only be generated if there is no existing certificate. - When C(fail) the task will fail if a certificate already exists at I(path) and does not match the module's options. - When C(partial_idempotence) an existing certificate will be regenerated based on @@ -450,7 +450,10 @@ def _is_valid(self): self._compare_time_parameters(), ]) - return partial_result if self.regenerate == 'partial_idempotence' else partial_result and all([ + if self.regenerate == 'partial_idempotence': + return partial_result + + return partial_result and all([ self._compare_options(), self.original_data.key_id == self.identifier, self.original_data.public_key == self._get_key_fingerprint(self.public_key), From cc643aa683309aabf64caeb3175c0a12a50fad1d Mon Sep 17 00:00:00 2001 From: Andrew Pantuso Date: Fri, 23 Jul 2021 21:56:36 -0400 Subject: [PATCH 13/13] adding helper for safe atomic moves --- .../module_utils/openssh/backends/common.py | 42 +++++++++++++++++++ plugins/modules/openssh_cert.py | 10 ++--- 2 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 plugins/module_utils/openssh/backends/common.py diff --git a/plugins/module_utils/openssh/backends/common.py b/plugins/module_utils/openssh/backends/common.py new file mode 100644 index 000000000..7dc952a0f --- /dev/null +++ b/plugins/module_utils/openssh/backends/common.py @@ -0,0 +1,42 @@ +# -*- coding: utf-8 -*- +# +# Copyright: (c) 2021, Andrew Pantuso (@ajpantuso) +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +import os + + +def restore_on_failure(f): + def backup_and_restore(module, path, *args, **kwargs): + backup_file = module.backup_local(path) if os.path.exists(path) else None + + try: + f(module, path, *args, **kwargs) + except Exception: + if backup_file is not None: + module.atomic_move(backup_file, path) + raise + else: + module.add_cleanup_file(backup_file) + + return backup_and_restore + + +@restore_on_failure +def safe_atomic_move(module, path, destination): + module.atomic_move(path, destination) diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index e6f46ffad..32f28e36e 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -244,6 +244,8 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.common.text.converters import to_native, to_text +from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import safe_atomic_move + from ansible_collections.community.crypto.plugins.module_utils.openssh.certificate import ( OpensshCertificate, OpensshCertificateTimeParameters, @@ -309,17 +311,11 @@ def generate(self): if self._should_generate(): if not self.check_mode: temp_cert = self._generate_temp_certificate() - backup_cert = self.module.backup_local(self.path) if self.exists() else None try: - self.module.atomic_move(temp_cert, self.path) + safe_atomic_move(self.module, temp_cert, self.path) except OSError as e: - if backup_cert is not None: - self.module.atomic_move(backup_cert, self.path) self.module.fail_json(msg="Unable to write certificate to %s: %s" % (self.path, to_native(e))) - else: - if backup_cert is not None: - self.module.add_cleanup_file(backup_cert) try: self.data = OpensshCertificate.load(self.path)