Skip to content

Commit

Permalink
Explicitly use UTC timezone in OpenSSL backend code.
Browse files Browse the repository at this point in the history
  • Loading branch information
felixfontein committed Oct 24, 2024
1 parent 20a4c3d commit 11598cb
Show file tree
Hide file tree
Showing 5 changed files with 39 additions and 16 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/811-openssl-timezone.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
bugfixes:
- "acme_* modules - when using the OpenSSL backend, explicitly use the UTC timezone in Python code (https://github.com/ansible-collections/community.crypto/pull/811)."
6 changes: 3 additions & 3 deletions plugins/module_utils/acme/backend_cryptography.py
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@
)

from ansible_collections.community.crypto.plugins.module_utils.time import (
ensure_utc_timezone,
add_or_remove_timezone,
)

CRYPTOGRAPHY_MINIMAL_VERSION = '1.5'
Expand Down Expand Up @@ -382,8 +382,8 @@ def get_cert_days(self, cert_filename=None, cert_content=None, now=None):

if now is None:
now = self.get_now()
elif CRYPTOGRAPHY_TIMEZONE:
now = ensure_utc_timezone(now)
else:
now = add_or_remove_timezone(now, with_timezone=CRYPTOGRAPHY_TIMEZONE)
return (get_not_valid_after(cert) - now).days

def create_chain_matcher(self, criterium):
Expand Down
14 changes: 11 additions & 3 deletions plugins/module_utils/acme/backend_openssl_cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@

from ansible_collections.community.crypto.plugins.module_utils.crypto.math import convert_bytes_to_int

from ansible_collections.community.crypto.plugins.module_utils.time import ensure_utc_timezone

try:
import ipaddress
except ImportError:
Expand All @@ -45,7 +47,11 @@
def _extract_date(out_text, name, cert_filename_suffix=""):
try:
date_str = re.search(r"\s+%s\s*:\s+(.*)" % name, out_text).group(1)
return datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z')
# For some reason Python's strptime() doesn't return any timezone information,
# even though the information is there and a supported timezone for all supported
# Python implementations (GMT). So we have to modify the datetime object by
# replacing it by UTC.
return ensure_utc_timezone(datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z'))
except AttributeError:
raise BackendException("No '{0}' date found{1}".format(name, cert_filename_suffix))
except ValueError as exc:
Expand All @@ -71,7 +77,7 @@ def _extract_octets(out_text, name, required=True, potential_prefixes=None):

class OpenSSLCLIBackend(CryptoBackend):
def __init__(self, module, openssl_binary=None):
super(OpenSSLCLIBackend, self).__init__(module)
super(OpenSSLCLIBackend, self).__init__(module, with_timezone=True)
if openssl_binary is None:
openssl_binary = module.get_bin_path('openssl', True)
self.openssl_binary = openssl_binary
Expand Down Expand Up @@ -340,7 +346,9 @@ def get_cert_days(self, cert_filename=None, cert_content=None, now=None):
out_text = to_text(out, errors='surrogate_or_strict')
not_after = _extract_date(out_text, 'Not After', cert_filename_suffix=cert_filename_suffix)
if now is None:
now = datetime.datetime.now()
now = self.get_now()
else:
now = ensure_utc_timezone(now)
return (not_after - now).days

def create_chain_matcher(self, criterium):
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,21 +12,20 @@

from ansible_collections.community.crypto.tests.unit.compat.mock import MagicMock

from ansible_collections.community.crypto.plugins.module_utils.time import UTC

from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import (
HAS_CURRENT_CRYPTOGRAPHY,
CryptographyBackend,
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
ensure_utc_timezone,
)

from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
CRYPTOGRAPHY_TIMEZONE,
)

from ansible_collections.community.crypto.plugins.module_utils.time import (
ensure_utc_timezone,
UTC,
)

from .backend_data import (
TEST_KEYS,
TEST_CSRS,
Expand Down
22 changes: 18 additions & 4 deletions tests/unit/plugins/module_utils/acme/test_backend_openssl_cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@
OpenSSLCLIBackend,
)

from ansible_collections.community.crypto.plugins.module_utils.time import (
ensure_utc_timezone,
UTC,
)

from .backend_data import (
TEST_KEYS,
TEST_CSRS,
Expand All @@ -28,7 +33,7 @@
TEST_INTERPOLATE_TIMESTAMP,
)

from ..test_time import TIMEZONES
# from ..test_time import TIMEZONES


TEST_IPS = [
Expand Down Expand Up @@ -94,20 +99,29 @@ def test_get_cert_information(cert_content, expected_cert_info, openssl_output,
module = MagicMock()
module.run_command = MagicMock(return_value=(0, openssl_output, 0))
backend = OpenSSLCLIBackend(module, openssl_binary='openssl')

expected_cert_info = expected_cert_info._replace(
not_valid_after=ensure_utc_timezone(expected_cert_info.not_valid_after),
not_valid_before=ensure_utc_timezone(expected_cert_info.not_valid_before),
)

cert_info = backend.get_cert_information(cert_filename=str(fn))
assert cert_info == expected_cert_info
cert_info = backend.get_cert_information(cert_content=cert_content)
assert cert_info == expected_cert_info


@pytest.mark.parametrize("timezone", TIMEZONES)
# @pytest.mark.parametrize("timezone", TIMEZONES)
# Due to a bug in freezegun (https://github.com/spulec/freezegun/issues/348, https://github.com/spulec/freezegun/issues/553)
# this only works with timezone = UTC if CRYPTOGRAPHY_TIMEZONE is truish
@pytest.mark.parametrize("timezone", [datetime.timedelta(hours=0)])
def test_now(timezone):
with freeze_time("2024-02-03 04:05:06", tz_offset=timezone):
module = MagicMock()
backend = OpenSSLCLIBackend(module, openssl_binary='openssl')
now = backend.get_now()
assert now.tzinfo is None
assert now == datetime.datetime(2024, 2, 3, 4, 5, 6)
assert now.tzinfo is not None
assert now == datetime.datetime(2024, 2, 3, 4, 5, 6, tzinfo=UTC)


@pytest.mark.parametrize("timezone, input, expected", TEST_PARSE_ACME_TIMESTAMP)
Expand Down

0 comments on commit 11598cb

Please sign in to comment.