Skip to content

Commit

Permalink
Add certificate profile
Browse files Browse the repository at this point in the history
Resolves: linux-system-roles#88

Signed-off-by: Omar Aloraini <[email protected]>
  • Loading branch information
ooraini committed Feb 4, 2022
1 parent 43c3fca commit f75dae1
Show file tree
Hide file tree
Showing 5 changed files with 61 additions and 0 deletions.
5 changes: 5 additions & 0 deletions library/certificate_request.py
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,10 @@
description:
- Command that should run after saving the certificate.
required: false
profile:
description:
- The certificate profile. Only used with certmonger.
required: false
author:
- Sergio Oliveira Campos (@seocam)
Expand Down Expand Up @@ -359,6 +363,7 @@ def _get_argument_spec():
wait=dict(type="bool", default=True),
run_before=dict(type="str"),
run_after=dict(type="str"),
profile=dict(type="str"),
)

@property
Expand Down
5 changes: 5 additions & 0 deletions module_utils/certificate_lsr/providers/certmonger.py
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,11 @@ def request_certificate(self):
if self.module.params["wait"]:
command += ["-w"]

# Set profile
profile = self.module.params["profile"]
if profile:
command += ["-T", profile]

# Set certificate locations
if not self.exists_in_certmonger:
command += ["-k", self.certificate_key_path]
Expand Down
1 change: 1 addition & 0 deletions tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -140,4 +140,5 @@
run_before: "{{ item.run_before | default(omit) }}"
run_after: "{{ item.run_after | default(omit) }}"
ca: "{{ item.ca | default(omit) }}"
profile: "{{ item.profile | default(omit) }}"
loop: "{{ certificate_requests }}"
18 changes: 18 additions & 0 deletions tests/tasks/assert_certificate_parameters.yml
Original file line number Diff line number Diff line change
Expand Up @@ -154,3 +154,21 @@
fail_msg: >-
{{ cert['auto_renew'] | default('yes') | bool }} !=
{{ result.stdout | bool }}
- name: Retrieve profile
shell: >-
set -euo pipefail;
getcert list -f {{ cert['path'] }} |
grep 'profile:' |
sed 's/^\s\+profile: //g'
register: result
changed_when: false
when: cert['profile'] is defined

- name: Verify certificate profile
assert:
that:
- cert['profile'] == result.stdout
fail_msg: >-
{{ cert['profile'] }} != {{ result.stdout }}
when: cert['profile'] is defined
32 changes: 32 additions & 0 deletions tests/tests_basic_ipa.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@
principal: HTTP/[email protected]
ca: ipa
group: ftp

- name: cert_with_profile
dns: ipaserver.test.local
principal: HTTP/[email protected]
ca: ipa
profile: caIPAserviceCert
roles:
- linux-system-roles.certificate

Expand Down Expand Up @@ -80,6 +86,32 @@
- content_commitment
- key_encipherment
- data_encipherment

- path: /etc/pki/tls/certs/cert_with_profile.crt
key_path: /etc/pki/tls/private/cert_with_profile.key
owner: root
subject:
- name: commonName
oid: 2.5.4.3
value: ipaserver.test.local
- name: organizationName
oid: 2.5.4.10
value: TEST.LOCAL
subject_alt_name:
- name: DNS
value: ipaserver.test.local
- name: Universal Principal Name (UPN)
oid: 1.3.6.1.4.1.311.20.2.3
value: HTTP/[email protected]
- name: Kerberos principalname
oid: 1.3.6.1.5.2.2
value: HTTP/[email protected]
key_usage:
- digital_signature
- content_commitment
- key_encipherment
- data_encipherment
profile: caIPAserviceCert
tasks:
- name: Verify each certificate
include_tasks: tasks/assert_certificate_parameters.yml
Expand Down

0 comments on commit f75dae1

Please sign in to comment.