# -*- coding: utf-8 -*- # This code is part of Ansible, but is an independent component. # This particular file snippet, and this file snippet only, is BSD licensed. # Modules you write using this snippet, which is embedded dynamically by Ansible # still belong to the author of the module, and may assign their own license # to the complete work. # # Copyright (c), Michael Gruener , 2016 # # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause) from __future__ import absolute_import, division, print_function __metaclass__ = type import base64 import binascii import copy import datetime import hashlib import json import os import re import shutil import sys import tempfile import traceback from ansible.module_utils._text import to_native, to_text, to_bytes from ansible.module_utils.urls import fetch_url as _fetch_url try: import cryptography import cryptography.hazmat.backends import cryptography.hazmat.primitives.serialization import cryptography.hazmat.primitives.asymmetric.rsa import cryptography.hazmat.primitives.asymmetric.ec import cryptography.hazmat.primitives.asymmetric.padding import cryptography.hazmat.primitives.hashes import cryptography.hazmat.primitives.asymmetric.utils import cryptography.x509 import cryptography.x509.oid from distutils.version import LooseVersion CRYPTOGRAPHY_VERSION = cryptography.__version__ HAS_CURRENT_CRYPTOGRAPHY = (LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion('1.5')) if HAS_CURRENT_CRYPTOGRAPHY: _cryptography_backend = cryptography.hazmat.backends.default_backend() except Exception as _: HAS_CURRENT_CRYPTOGRAPHY = False class ModuleFailException(Exception): ''' If raised, module.fail_json() will be called with the given parameters after cleanup. ''' def __init__(self, msg, **args): super(ModuleFailException, self).__init__(self, msg) self.msg = msg self.module_fail_args = args def do_fail(self, module): module.fail_json(msg=self.msg, other=self.module_fail_args) def _lowercase_fetch_url(*args, **kwargs): ''' Add lowercase representations of the header names as dict keys ''' response, info = _fetch_url(*args, **kwargs) info.update(dict((header.lower(), value) for (header, value) in info.items())) return response, info fetch_url = _lowercase_fetch_url def nopad_b64(data): return base64.urlsafe_b64encode(data).decode('utf8').replace("=", "") def read_file(fn, mode='b'): try: with open(fn, 'r' + mode) as f: return f.read() except Exception as e: raise ModuleFailException('Error while reading file "{0}": {1}'.format(fn, e)) # function source: network/basics/uri.py def write_file(module, dest, content): ''' Write content to destination file dest, only if the content has changed. ''' changed = False # create a tempfile fd, tmpsrc = tempfile.mkstemp(text=False) f = os.fdopen(fd, 'wb') try: f.write(content) except Exception as err: try: f.close() except Exception as e: pass os.remove(tmpsrc) raise ModuleFailException("failed to create temporary content file: %s" % to_native(err), exception=traceback.format_exc()) f.close() checksum_src = None checksum_dest = None # raise an error if there is no tmpsrc file if not os.path.exists(tmpsrc): try: os.remove(tmpsrc) except Exception as e: pass raise ModuleFailException("Source %s does not exist" % (tmpsrc)) if not os.access(tmpsrc, os.R_OK): os.remove(tmpsrc) raise ModuleFailException("Source %s not readable" % (tmpsrc)) checksum_src = module.sha1(tmpsrc) # check if there is no dest file if os.path.exists(dest): # raise an error if copy has no permission on dest if not os.access(dest, os.W_OK): os.remove(tmpsrc) raise ModuleFailException("Destination %s not writable" % (dest)) if not os.access(dest, os.R_OK): os.remove(tmpsrc) raise ModuleFailException("Destination %s not readable" % (dest)) checksum_dest = module.sha1(dest) else: if not os.access(os.path.dirname(dest), os.W_OK): os.remove(tmpsrc) raise ModuleFailException("Destination dir %s not writable" % (os.path.dirname(dest))) if checksum_src != checksum_dest: try: shutil.copyfile(tmpsrc, dest) changed = True except Exception as err: os.remove(tmpsrc) raise ModuleFailException("failed to copy %s to %s: %s" % (tmpsrc, dest, to_native(err)), exception=traceback.format_exc()) os.remove(tmpsrc) return changed def pem_to_der(pem_filename): ''' Load PEM file, and convert to DER. If PEM contains multiple entities, the first entity will be used. ''' certificate_lines = [] try: with open(pem_filename, "rt") as f: header_line_count = 0 for line in f: if line.startswith('-----'): header_line_count += 1 if header_line_count == 2: # If certificate file contains other certs appended # (like intermediate certificates), ignore these. break continue certificate_lines.append(line.strip()) except Exception as err: raise ModuleFailException("cannot load PEM file {0}: {1}".format(pem_filename, to_native(err)), exception=traceback.format_exc()) return base64.b64decode(''.join(certificate_lines)) def _parse_key_openssl(openssl_binary, module, key_file=None, key_content=None): ''' Parses an RSA or Elliptic Curve key file in PEM format and returns a pair (error, key_data). ''' # If key_file isn't given, but key_content, write that to a temporary file if key_file is None: fd, tmpsrc = tempfile.mkstemp() module.add_cleanup_file(tmpsrc) # Ansible will delete the file on exit f = os.fdopen(fd, 'wb') try: f.write(key_content.encode('utf-8')) key_file = tmpsrc except Exception as err: try: f.close() except Exception as e: pass raise ModuleFailException("failed to create temporary content file: %s" % to_native(err), exception=traceback.format_exc()) f.close() # Parse key account_key_type = None with open(key_file, "rt") as f: for line in f: m = re.match(r"^\s*-{5,}BEGIN\s+(EC|RSA)\s+PRIVATE\s+KEY-{5,}\s*$", line) if m is not None: account_key_type = m.group(1).lower() break if account_key_type is None: # This happens for example if openssl_privatekey created this key # (as opposed to the OpenSSL binary). For now, we assume this is # an RSA key. # FIXME: add some kind of auto-detection account_key_type = "rsa" if account_key_type not in ("rsa", "ec"): return 'unknown key type "%s"' % account_key_type, {} openssl_keydump_cmd = [openssl_binary, account_key_type, "-in", key_file, "-noout", "-text"] dummy, out, dummy = module.run_command(openssl_keydump_cmd, check_rc=True) if account_key_type == 'rsa': pub_hex, pub_exp = re.search( r"modulus:\n\s+00:([a-f0-9\:\s]+?)\npublicExponent: ([0-9]+)", to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL).groups() pub_exp = "{0:x}".format(int(pub_exp)) if len(pub_exp) % 2: pub_exp = "0{0}".format(pub_exp) return None, { 'key_file': key_file, 'type': 'rsa', 'alg': 'RS256', 'jwk': { "kty": "RSA", "e": nopad_b64(binascii.unhexlify(pub_exp.encode("utf-8"))), "n": nopad_b64(binascii.unhexlify(re.sub(r"(\s|:)", "", pub_hex).encode("utf-8"))), }, 'hash': 'sha256', } elif account_key_type == 'ec': pub_data = re.search( r"pub:\s*\n\s+04:([a-f0-9\:\s]+?)\nASN1 OID: (\S+)(?:\nNIST CURVE: (\S+))?", to_text(out, errors='surrogate_or_strict'), re.MULTILINE | re.DOTALL) if pub_data is None: return 'cannot parse elliptic curve key', {} pub_hex = binascii.unhexlify(re.sub(r"(\s|:)", "", pub_data.group(1)).encode("utf-8")) asn1_oid_curve = pub_data.group(2).lower() nist_curve = pub_data.group(3).lower() if pub_data.group(3) else None if asn1_oid_curve == 'prime256v1' or nist_curve == 'p-256': bits = 256 alg = 'ES256' hash = 'sha256' point_size = 32 curve = 'P-256' elif asn1_oid_curve == 'secp384r1' or nist_curve == 'p-384': bits = 384 alg = 'ES384' hash = 'sha384' point_size = 48 curve = 'P-384' elif asn1_oid_curve == 'secp521r1' or nist_curve == 'p-521': # Not yet supported on Let's Encrypt side, see # https://github.com/letsencrypt/boulder/issues/2217 bits = 521 alg = 'ES512' hash = 'sha512' point_size = 66 curve = 'P-521' else: return 'unknown elliptic curve: %s / %s' % (asn1_oid_curve, nist_curve), {} bytes = (bits + 7) // 8 if len(pub_hex) != 2 * bytes: return 'bad elliptic curve point (%s / %s)' % (asn1_oid_curve, nist_curve), {} return None, { 'key_file': key_file, 'type': 'ec', 'alg': alg, 'jwk': { "kty": "EC", "crv": curve, "x": nopad_b64(pub_hex[:bytes]), "y": nopad_b64(pub_hex[bytes:]), }, 'hash': hash, 'point_size': point_size, } def _sign_request_openssl(openssl_binary, module, payload64, protected64, key_data): openssl_sign_cmd = [openssl_binary, "dgst", "-{0}".format(key_data['hash']), "-sign", key_data['key_file']] sign_payload = "{0}.{1}".format(protected64, payload64).encode('utf8') dummy, out, dummy = module.run_command(openssl_sign_cmd, data=sign_payload, check_rc=True, binary_data=True) if key_data['type'] == 'ec': dummy, der_out, dummy = module.run_command( [openssl_binary, "asn1parse", "-inform", "DER"], data=out, binary_data=True) expected_len = 2 * key_data['point_size'] sig = re.findall( r"prim:\s+INTEGER\s+:([0-9A-F]{1,%s})\n" % expected_len, to_text(der_out, errors='surrogate_or_strict')) if len(sig) != 2: raise ModuleFailException( "failed to generate Elliptic Curve signature; cannot parse DER output: {0}".format( to_text(der_out, errors='surrogate_or_strict'))) sig[0] = (expected_len - len(sig[0])) * '0' + sig[0] sig[1] = (expected_len - len(sig[1])) * '0' + sig[1] out = binascii.unhexlify(sig[0]) + binascii.unhexlify(sig[1]) return { "protected": protected64, "payload": payload64, "signature": nopad_b64(to_bytes(out)), } if sys.version_info[0] >= 3: # Python 3 (and newer) def _count_bytes(n): return (n.bit_length() + 7) // 8 if n > 0 else 0 def _convert_int_to_bytes(count, no): return no.to_bytes(count, byteorder='big') def _pad_hex(n, digits): res = hex(n)[2:] if len(res) < digits: res = '0' * (digits - len(res)) + res return res else: # Python 2 def _count_bytes(n): if n <= 0: return 0 h = '%x' % n return (len(h) + 1) // 2 def _convert_int_to_bytes(count, n): h = '%x' % n if len(h) > 2 * count: raise Exception('Number {1} needs more than {0} bytes!'.format(count, n)) return ('0' * (2 * count - len(h)) + h).decode('hex') def _pad_hex(n, digits): h = '%x' % n if len(h) < digits: h = '0' * (digits - len(h)) + h return h def _parse_key_cryptography(module, key_file=None, key_content=None): ''' Parses an RSA or Elliptic Curve key file in PEM format and returns a pair (error, key_data). ''' # If key_content isn't given, read key_file if key_content is None: key_content = read_file(key_file) else: key_content = to_bytes(key_content) # Parse key try: key = cryptography.hazmat.primitives.serialization.load_pem_private_key(key_content, password=None, backend=_cryptography_backend) except Exception as e: return 'error while loading key: {0}'.format(e), None if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey): pk = key.public_key().public_numbers() return None, { 'key_obj': key, 'type': 'rsa', 'alg': 'RS256', 'jwk': { "kty": "RSA", "e": nopad_b64(_convert_int_to_bytes(_count_bytes(pk.e), pk.e)), "n": nopad_b64(_convert_int_to_bytes(_count_bytes(pk.n), pk.n)), }, 'hash': 'sha256', } elif isinstance(key, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey): pk = key.public_key().public_numbers() if pk.curve.name == 'secp256r1': bits = 256 alg = 'ES256' hash = 'sha256' point_size = 32 curve = 'P-256' elif pk.curve.name == 'secp384r1': bits = 384 alg = 'ES384' hash = 'sha384' point_size = 48 curve = 'P-384' elif pk.curve.name == 'secp521r1': # Not yet supported on Let's Encrypt side, see # https://github.com/letsencrypt/boulder/issues/2217 bits = 521 alg = 'ES512' hash = 'sha512' point_size = 66 curve = 'P-521' else: return 'unknown elliptic curve: {0}'.format(pk.curve.name), {} bytes = (bits + 7) // 8 return None, { 'key_obj': key, 'type': 'ec', 'alg': alg, 'jwk': { "kty": "EC", "crv": curve, "x": nopad_b64(_convert_int_to_bytes(bytes, pk.x)), "y": nopad_b64(_convert_int_to_bytes(bytes, pk.y)), }, 'hash': hash, 'point_size': point_size, } else: return 'unknown key type "{0}"'.format(type(key)), {} def _sign_request_cryptography(module, payload64, protected64, key_data): sign_payload = "{0}.{1}".format(protected64, payload64).encode('utf8') if isinstance(key_data['key_obj'], cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey): padding = cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15() hash = cryptography.hazmat.primitives.hashes.SHA256() signature = key_data['key_obj'].sign(sign_payload, padding, hash) elif isinstance(key_data['key_obj'], cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey): if key_data['hash'] == 'sha256': hash = cryptography.hazmat.primitives.hashes.SHA256 elif key_data['hash'] == 'sha384': hash = cryptography.hazmat.primitives.hashes.SHA384 elif key_data['hash'] == 'sha512': hash = cryptography.hazmat.primitives.hashes.SHA512 ecdsa = cryptography.hazmat.primitives.asymmetric.ec.ECDSA(hash()) r, s = cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature(key_data['key_obj'].sign(sign_payload, ecdsa)) rr = _pad_hex(r, 2 * key_data['point_size']) ss = _pad_hex(s, 2 * key_data['point_size']) signature = binascii.unhexlify(rr) + binascii.unhexlify(ss) return { "protected": protected64, "payload": payload64, "signature": nopad_b64(signature), } class ACMEDirectory(object): ''' The ACME server directory. Gives access to the available resources, and allows to obtain a Replay-Nonce. The acme_directory URL needs to support unauthenticated GET requests; ACME endpoints requiring authentication are not supported. https://tools.ietf.org/html/rfc8555#section-7.1.1 ''' def __init__(self, module, account): self.module = module self.directory_root = module.params['acme_directory'] self.version = module.params['acme_version'] self.directory, dummy = account.get_request(self.directory_root, get_only=True) # Check whether self.version matches what we expect if self.version == 1: for key in ('new-reg', 'new-authz', 'new-cert'): if key not in self.directory: raise ModuleFailException("ACME directory does not seem to follow protocol ACME v1") if self.version == 2: for key in ('newNonce', 'newAccount', 'newOrder'): if key not in self.directory: raise ModuleFailException("ACME directory does not seem to follow protocol ACME v2") def __getitem__(self, key): return self.directory[key] def get_nonce(self, resource=None): url = self.directory_root if self.version == 1 else self.directory['newNonce'] if resource is not None: url = resource dummy, info = fetch_url(self.module, url, method='HEAD') if info['status'] not in (200, 204): raise ModuleFailException("Failed to get replay-nonce, got status {0}".format(info['status'])) return info['replay-nonce'] class ACMEAccount(object): ''' ACME account object. Handles the authorized communication with the ACME server. Provides access to account bound information like the currently active authorizations and valid certificates ''' def __init__(self, module): self.module = module self.version = module.params['acme_version'] # account_key path and content are mutually exclusive self.key = module.params['account_key_src'] self.key_content = module.params['account_key_content'] # Grab account URI from module parameters. # Make sure empty string is treated as None. self.uri = module.params.get('account_uri') or None self._openssl_bin = module.get_bin_path('openssl', True) if self.key is not None or self.key_content is not None: error, self.key_data = self.parse_key(self.key, self.key_content) if error: raise ModuleFailException("error while parsing account key: %s" % error) self.jwk = self.key_data['jwk'] self.jws_header = { "alg": self.key_data['alg'], "jwk": self.jwk, } if self.uri: # Make sure self.jws_header is updated self.set_account_uri(self.uri) self.directory = ACMEDirectory(module, self) def get_keyauthorization(self, token): ''' Returns the key authorization for the given token https://tools.ietf.org/html/rfc8555#section-8.1 ''' accountkey_json = json.dumps(self.jwk, sort_keys=True, separators=(',', ':')) thumbprint = nopad_b64(hashlib.sha256(accountkey_json.encode('utf8')).digest()) return "{0}.{1}".format(token, thumbprint) def parse_key(self, key_file=None, key_content=None): ''' Parses an RSA or Elliptic Curve key file in PEM format and returns a pair (error, key_data). ''' if key_file is None and key_content is None: raise AssertionError('One of key_file and key_content must be specified!') if HAS_CURRENT_CRYPTOGRAPHY: return _parse_key_cryptography(self.module, key_file, key_content) else: return _parse_key_openssl(self._openssl_bin, self.module, key_file, key_content) def sign_request(self, protected, payload, key_data): try: if payload is None: payload64 = '' else: payload64 = nopad_b64(self.module.jsonify(payload).encode('utf8')) protected64 = nopad_b64(self.module.jsonify(protected).encode('utf8')) except Exception as e: raise ModuleFailException("Failed to encode payload / headers as JSON: {0}".format(e)) if HAS_CURRENT_CRYPTOGRAPHY: return _sign_request_cryptography(self.module, payload64, protected64, key_data) else: return _sign_request_openssl(self._openssl_bin, self.module, payload64, protected64, key_data) def send_signed_request(self, url, payload, key_data=None, jws_header=None, parse_json_result=True): ''' Sends a JWS signed HTTP POST request to the ACME server and returns the response as dictionary https://tools.ietf.org/html/rfc8555#section-6.2 If payload is None, a POST-as-GET is performed. (https://tools.ietf.org/html/rfc8555#section-6.3) ''' key_data = key_data or self.key_data jws_header = jws_header or self.jws_header failed_tries = 0 while True: protected = copy.deepcopy(jws_header) protected["nonce"] = self.directory.get_nonce() if self.version != 1: protected["url"] = url data = self.sign_request(protected, payload, key_data) if self.version == 1: data["header"] = jws_header data = self.module.jsonify(data) headers = { 'Content-Type': 'application/jose+json', } resp, info = fetch_url(self.module, url, data=data, headers=headers, method='POST') result = {} try: content = resp.read() except AttributeError: content = info.pop('body', None) if content or not parse_json_result: if (parse_json_result and info['content-type'].startswith('application/json')) or 400 <= info['status'] < 600: try: decoded_result = self.module.from_json(content.decode('utf8')) # In case of badNonce error, try again (up to 5 times) # (https://tools.ietf.org/html/rfc8555#section-6.7) if (400 <= info['status'] < 600 and decoded_result.get('type') == 'urn:ietf:params:acme:error:badNonce' and failed_tries <= 5): failed_tries += 1 continue if parse_json_result: result = decoded_result else: result = content except ValueError: raise ModuleFailException("Failed to parse the ACME response: {0} {1}".format(url, content)) else: result = content return result, info def get_request(self, uri, parse_json_result=True, headers=None, get_only=False): ''' Perform a GET-like request. Will try POST-as-GET for ACMEv2, with fallback to GET if server replies with a status code of 405. ''' if not get_only and self.version != 1: # Try POST-as-GET content, info = self.send_signed_request(uri, None, parse_json_result=False) if info['status'] == 405: # Instead, do unauthenticated GET get_only = True else: # Do unauthenticated GET get_only = True if get_only: # Perform unauthenticated GET resp, info = fetch_url(self.module, uri, method='GET', headers=headers) try: content = resp.read() except AttributeError: content = info.pop('body', None) # Process result if parse_json_result: result = {} if content: if info['content-type'].startswith('application/json'): try: result = self.module.from_json(content.decode('utf8')) except ValueError: raise ModuleFailException("Failed to parse the ACME response: {0} {1}".format(uri, content)) else: result = content else: result = content if info['status'] >= 400: raise ModuleFailException("ACME request failed: CODE: {0} RESULT: {1}".format(info['status'], result)) return result, info def set_account_uri(self, uri): ''' Set account URI. For ACME v2, it needs to be used to sending signed requests. ''' self.uri = uri if self.version != 1: self.jws_header.pop('jwk') self.jws_header['kid'] = self.uri def _new_reg(self, contact=None, agreement=None, terms_agreed=False, allow_creation=True): ''' Registers a new ACME account. Returns True if the account was created and False if it already existed (e.g. it was not newly created). https://tools.ietf.org/html/rfc8555#section-7.3 ''' contact = [] if contact is None else contact if self.version == 1: new_reg = { 'resource': 'new-reg', 'contact': contact } if agreement: new_reg['agreement'] = agreement else: new_reg['agreement'] = self.directory['meta']['terms-of-service'] url = self.directory['new-reg'] else: new_reg = { 'contact': contact } if not allow_creation: new_reg['onlyReturnExisting'] = True if terms_agreed: new_reg['termsOfServiceAgreed'] = True url = self.directory['newAccount'] result, info = self.send_signed_request(url, new_reg) if info['status'] in ([200, 201] if self.version == 1 else [201]): # Account did not exist if 'location' in info: self.set_account_uri(info['location']) return True elif info['status'] == (409 if self.version == 1 else 200): # Account did exist if result.get('status') == 'deactivated': # A probable bug in Pebble (https://github.com/letsencrypt/pebble/issues/179) # and Boulder: this should not return a valid account object according to # https://tools.ietf.org/html/rfc8555#section-7.3.6: # "Once an account is deactivated, the server MUST NOT accept further # requests authorized by that account's key." if not allow_creation: return False else: raise ModuleFailException("Account is deactivated") if 'location' in info: self.set_account_uri(info['location']) return False elif info['status'] == 400 and result['type'] == 'urn:ietf:params:acme:error:accountDoesNotExist' and not allow_creation: # Account does not exist (and we didn't try to create it) return False else: raise ModuleFailException("Error registering: {0} {1}".format(info['status'], result)) def get_account_data(self): ''' Retrieve account information. Can only be called when the account URI is already known (such as after calling init_account). Return None if the account was deactivated, or a dict otherwise. ''' if self.uri is None: raise ModuleFailException("Account URI unknown") if self.version == 1: data = {} data['resource'] = 'reg' result, info = self.send_signed_request(self.uri, data) else: # try POST-as-GET first (draft-15 or newer) data = None result, info = self.send_signed_request(self.uri, data) # check whether that failed with a malformed request error if info['status'] >= 400 and result.get('type') == 'urn:ietf:params:acme:error:malformed': # retry as a regular POST (with no changed data) for pre-draft-15 ACME servers data = {} result, info = self.send_signed_request(self.uri, data) if info['status'] in (400, 403) and result.get('type') == 'urn:ietf:params:acme:error:unauthorized': # Returned when account is deactivated return None if info['status'] in (400, 404) and result.get('type') == 'urn:ietf:params:acme:error:accountDoesNotExist': # Returned when account does not exist return None if info['status'] < 200 or info['status'] >= 300: raise ModuleFailException("Error getting account data from {2}: {0} {1}".format(info['status'], result, self.uri)) return result def init_account(self, contact, agreement=None, terms_agreed=False, allow_creation=True, update_contact=True, remove_account_uri_if_not_exists=False): ''' Create or update an account on the ACME server. For ACME v1, as the only way (without knowing an account URI) to test if an account exists is to try and create one with the provided account key, this method will always result in an account being present (except on error situations). For ACME v2, a new account will only be created if allow_creation is set to True. For ACME v2, check_mode is fully respected. For ACME v1, the account might be created if it does not yet exist. If the account already exists and if update_contact is set to True, this method will update the contact information. Return True in case something changed (account was created, contact info updated) or would be changed (check_mode). The account URI will be stored in self.uri; if it is None, the account does not exist. https://tools.ietf.org/html/rfc8555#section-7.3 ''' new_account = True changed = False if self.uri is not None: new_account = False if not update_contact: # Verify that the account key belongs to the URI. # (If update_contact is True, this will be done below.) if self.get_account_data() is None: if remove_account_uri_if_not_exists and not allow_creation: self.uri = None return False raise ModuleFailException("Account is deactivated or does not exist!") else: new_account = self._new_reg( contact, agreement=agreement, terms_agreed=terms_agreed, allow_creation=allow_creation and not self.module.check_mode ) if self.module.check_mode and self.uri is None and allow_creation: return True if not new_account and self.uri and update_contact: result = self.get_account_data() if result is None: if not allow_creation: self.uri = None return False raise ModuleFailException("Account is deactivated or does not exist!") # ...and check if update is necessary if result.get('contact', []) != contact: if not self.module.check_mode: upd_reg = result upd_reg['contact'] = contact result, dummy = self.send_signed_request(self.uri, upd_reg) changed = True return new_account or changed def cryptography_get_csr_domains(module, csr_filename): ''' Return a set of requested domains (CN and SANs) for the CSR. ''' domains = set([]) csr = cryptography.x509.load_pem_x509_csr(read_file(csr_filename), _cryptography_backend) for sub in csr.subject: if sub.oid == cryptography.x509.oid.NameOID.COMMON_NAME: domains.add(sub.value) for extension in csr.extensions: if extension.oid == cryptography.x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME: for name in extension.value: if isinstance(name, cryptography.x509.DNSName): domains.add(name.value) return domains def cryptography_get_cert_days(module, cert_file): ''' Return the days the certificate in cert_file remains valid and -1 if the file was not found. If cert_file contains more than one certificate, only the first one will be considered. ''' if not os.path.exists(cert_file): return -1 try: cert = cryptography.x509.load_pem_x509_certificate(read_file(cert_file), _cryptography_backend) except Exception as e: raise ModuleFailException('Cannot parse certificate {0}: {1}'.format(cert_file, e)) now = datetime.datetime.now() return (cert.not_valid_after - now).days def set_crypto_backend(module): ''' Sets which crypto backend to use (default: auto detection). Does not care whether a new enough cryptoraphy is available or not. Must be called before any real stuff is done which might evaluate ``HAS_CURRENT_CRYPTOGRAPHY``. ''' global HAS_CURRENT_CRYPTOGRAPHY # Choose backend backend = module.params['select_crypto_backend'] if backend == 'auto': pass elif backend == 'openssl': HAS_CURRENT_CRYPTOGRAPHY = False elif backend == 'cryptography': try: cryptography.__version__ except Exception as _: module.fail_json(msg='Cannot find cryptography module!') HAS_CURRENT_CRYPTOGRAPHY = True else: module.fail_json(msg='Unknown crypto backend "{0}"!'.format(backend)) # Inform about choices if HAS_CURRENT_CRYPTOGRAPHY: module.debug('Using cryptography backend (library version {0})'.format(CRYPTOGRAPHY_VERSION)) else: module.debug('Using OpenSSL binary backend')