Add certificate profile #106

Closed
wants to merge 1 commit into from
6 changes: 6 additions & 0 deletions library/certificate_request.py
Expand Up @@ -167,6 +167,10 @@
- as rendered by the template module
type: str
required: true
profile:
description:
- The certificate profile. Only used with certmonger.
required: false

author:
- Sergio Oliveira Campos (@seocam)
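Review bot: the new `profile` option's documentation block is missing `type: str`, while the sibling option directly above it declares `type: str`; add it under `profile:` so the documentation matches the argument spec. A concrete example value (for instance the `caIPAserviceCert` used in the tests) would also tell users what kind of identifier a profile is.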
Expand Down Expand Up @@ -367,6 +371,8 @@ def _get_argument_spec():
run_before=dict(type="str"),
run_after=dict(type="str"),
__header=dict(type="str"),
ansible_managed_new=dict(type="str"),
profile=dict(type="str"),
)

@property
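Review bot: `profile=dict(type="str")` accepts the option for every provider, yet the documentation says it is only used with certmonger, so a user of another provider who sets `profile` gets no feedback that it was ignored. Consider warning (or failing) when `profile` is set but the selected provider does not support it, so the option is never silently dropped.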
5 changes: 5 additions & 0 deletions module_utils/certificate_lsr/providers/certmonger.py
Expand Up @@ -239,6 +239,11 @@ def request_certificate(self):
if self.module.params["wait"]:
command += ["-w"]

# Set profile
profile = self.module.params["profile"]
if profile:
command += ["-T", profile]

# Set certificate locations
if not self.exists_in_certmonger:
command += ["-k", self.certificate_key_path]
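Review bot: `-T profile` is appended unconditionally, but nothing visible here compares the requested profile against the one already tracked when `self.exists_in_certmonger` is true; if a playbook changes `profile` for an existing request, is the request resubmitted with the new profile, and is that reported as a change? The `# Set profile` comment could also state that `-T` is getcert's profile option, since the flag name alone is not self-explanatory.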
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -141,6 +141,8 @@
run_after: "{{ item.run_after | default(omit) }}"
ca: "{{ item.ca | default(omit) }}"
__header: "{{ __lsr_ansible_managed }}"
ansible_managed_new: "{{ __certificate_new_header }}"
profile: "{{ item.profile | default(omit) }}"
loop: "{{ certificate_requests }}"
vars:
__lsr_ansible_managed: "{{
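Review bot: the new `profile` key for `certificate_requests` items is wired through here, but this change does not update the role's README or the documentation of `certificate_requests`; add the key there, including the note that it only applies to the certmonger provider, so users can discover it without reading the module source.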
22 changes: 22 additions & 0 deletions tests/tasks/assert_certificate_parameters.yml
Expand Up @@ -154,3 +154,25 @@
fail_msg: >-
{{ cert['auto_renew'] | default('yes') | bool }} !=
{{ result.stdout | bool }}

# On RHEL/CentOS 7, the output of 'getcert list' doesn't include the profile
- when:
- cert['profile'] is defined
- not (ansible_os_family == 'RedHat' and
ansible_distribution_major_version is version('7', '<='))
block:
- name: Retrieve profile
shell: >-
set -euo pipefail;
getcert list -f {{ cert['path'] }} |
grep 'profile:' |
sed 's/^\s\+profile: //g'
register: result
changed_when: false

- name: Verify certificate profile
assert:
that:
- cert['profile'] == result.stdout
fail_msg: >-
{{ cert['profile'] }} != {{ result.stdout }}
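Review bot: `set -euo pipefail` in the `Retrieve profile` task assumes bash, but `shell:` runs under the remote's default `/bin/sh`, which on some distributions does not support `pipefail`; add `args: executable: /bin/bash` to that task. Also, with `pipefail` a missing `profile:` line makes `grep` exit non-zero and the task itself fails, so the `Verify certificate profile` assert with its `fail_msg` never runs; consider tolerating an empty match (for example `{ grep 'profile:' || true; }` in the pipeline) and letting the assert report the mismatch.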
32 changes: 32 additions & 0 deletions tests/tests_basic_ipa.yml
Expand Up @@ -21,6 +21,12 @@
principal: HTTP/[email protected]
ca: ipa
group: ftp

- name: cert_with_profile
dns: ipaserver.test.local
principal: HTTP/[email protected]
ca: ipa
profile: caIPAserviceCert
roles:
- linux-system-roles.certificate
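Review bot: `cert_with_profile` requests `caIPAserviceCert`; if that is the profile the IPA CA would assign to a service certificate anyway, this test passes whether or not `-T` is actually passed to getcert. Requesting a profile that differs from the CA's default (or adding a second request with such a profile) would make the test fail when the option is dropped.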

Expand Down Expand Up @@ -80,6 +86,32 @@
- content_commitment
- key_encipherment
- data_encipherment

- path: /etc/pki/tls/certs/cert_with_profile.crt
key_path: /etc/pki/tls/private/cert_with_profile.key
owner: root
subject:
- name: commonName
oid: 2.5.4.3
value: ipaserver.test.local
- name: organizationName
oid: 2.5.4.10
value: TEST.LOCAL
subject_alt_name:
- name: DNS
value: ipaserver.test.local
- name: Universal Principal Name (UPN)
oid: 1.3.6.1.4.1.311.20.2.3
value: HTTP/[email protected]
- name: Kerberos principalname
oid: 1.3.6.1.5.2.2
value: HTTP/[email protected]
key_usage:
- digital_signature
- content_commitment
- key_encipherment
- data_encipherment
profile: caIPAserviceCert
tasks:
- name: Verify each certificate
include_tasks: tasks/assert_certificate_parameters.yml
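Review bot: the expected `subject`, `subject_alt_name` and `key_usage` for `cert_with_profile` are copied verbatim from the previous entry, with only `path`, `key_path` and `profile` differing; a YAML anchor/alias for the shared parts would keep the two entries in sync if the expected values change. Note also that the `profile` assertion is skipped on RHEL/CentOS 7, so this entry adds no profile coverage on that platform.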