New gpg_keypair module to manage GPG keys. #743

Draft
wants to merge 78 commits into
base: main
f03b55e
new gpg_keypair module to manage GPG keys
austinlucaslake May 1, 2024
3ec2fa1
gpg_keypair module integration tests
austinlucaslake May 1, 2024
312d826
add diff_mode (support: none) to attributes list
austinlucaslake May 1, 2024
adab532
added version_added (2.22.0) to documentation
austinlucaslake May 1, 2024
ccc39b3
added elements qualifier to key_usage
austinlucaslake May 1, 2024
f47bb95
separated if-else for improved readability
austinlucaslake May 1, 2024
f28ca9c
added dummy variables when extracting output from gpg command
austinlucaslake May 1, 2024
fd63e64
fixed invalid variable name when unpacking matching keys
austinlucaslake May 1, 2024
132e716
added missing punctuation in documentation
austinlucaslake May 1, 2024
f10082b
updated return conditions in documentation
austinlucaslake May 1, 2024
84277a8
removed default key_type
austinlucaslake May 2, 2024
422a248
removed type hints
austinlucaslake May 2, 2024
af95714
updated formatting+documentation and added ability to specify multiple…
austinlucaslake May 2, 2024
c3660ec
fixed invalid parameter name
austinlucaslake May 2, 2024
ea6b1d7
added stricter matching based on user input
austinlucaslake May 5, 2024
c9f89bb
added quotation marks around template expression brackets
austinlucaslake May 5, 2024
86a111a
fixing linting issues
austinlucaslake May 5, 2024
440acfd
syntax error in documentation
austinlucaslake May 5, 2024
60b2175
wrong module name
austinlucaslake May 5, 2024
d5d9c5d
fixed suboptions in documentation for subkeys parameter
austinlucaslake May 5, 2024
81166c7
removed keyserver/transient_key parameters and dependencies on Plugin…
austinlucaslake May 5, 2024
4753860
fixed linting errors
austinlucaslake May 5, 2024
8685426
updated documentation and curve requirements for ECC keys
austinlucaslake May 5, 2024
091c5d4
removed extraneous character that was causing syntax error
austinlucaslake May 6, 2024
965b667
reformatted argument lists for run_module calls
austinlucaslake May 6, 2024
4891695
set subkeys parameter default to be empty list
austinlucaslake May 6, 2024
01d6ee2
updated documentation for check_mode and diff_mode attributes
austinlucaslake May 6, 2024
a70469a
fixed over-indentations
austinlucaslake May 6, 2024
90cf712
set defaults for all list-type parameters to empty list and updated r…
austinlucaslake May 6, 2024
4a7467a
provide bin path for gpg executable
austinlucaslake May 6, 2024
20fd381
delete key using returned fingerprint
austinlucaslake May 6, 2024
3ff3d83
fixed incorrect variable name when parsing regex
austinlucaslake May 6, 2024
899118f
added missing quotations for template expression
austinlucaslake May 6, 2024
d826d90
consolidated functions and added parameter to force new key generation
austinlucaslake May 6, 2024
9df8799
updated integration test to force new key generation
austinlucaslake May 6, 2024
c77ef5d
fixed syntax errors
austinlucaslake May 6, 2024
051b1be
fixed incorrect variable name during assertion
austinlucaslake May 6, 2024
4c32b07
fixed regex parsing for fingerprint after key generation
austinlucaslake May 6, 2024
8e00694
utilize user-id to match against for key deletion
austinlucaslake May 6, 2024
7ce40a8
removed no_log from fingerprints
austinlucaslake May 6, 2024
6edf177
adding missing extraction of capture group from fingerprint regex
austinlucaslake May 6, 2024
18fabae
updated code spacing and fixed text processing for key matching
austinlucaslake May 9, 2024
540545e
fixed secret key regex parsing and key matching for usage parameter
austinlucaslake May 9, 2024
2255f5e
fixed bad parameter matching
austinlucaslake May 9, 2024
473ee13
added more integration tests
austinlucaslake May 9, 2024
f4e06e5
capitalized GPG in documentation
austinlucaslake May 9, 2024
3bafd3f
add default attributes docs fragment
austinlucaslake May 9, 2024
baaec80
updated documentation and module parameter names
austinlucaslake May 9, 2024
aced2d3
updated filenames to use full .yaml extension and updated jinja2 temp…
austinlucaslake May 10, 2024
2d3faa1
changed parameter names for subkey suboptions and updated documentation
austinlucaslake May 10, 2024
6347b8c
added setup needed for dateutil dependency
austinlucaslake May 10, 2024
18f1c16
module will now fail safely if python-dateutil package is not found
austinlucaslake May 11, 2024
160b241
added option to automatically install python-dateutil and updated doc…
austinlucaslake May 11, 2024
b711ee4
updated parameter name and added versioning to python-dateutil
austinlucaslake May 11, 2024
758fdce
updated email in copyright statement
austinlucaslake May 13, 2024
a3c23a6
Create acme_certificate_deactivate_authz module (#741)
felixfontein May 1, 2024
6e1c1e0
Add tests for acme_certificate_deactivate_authz module. (#744)
felixfontein May 1, 2024
99521df
Refactor time code, add tests, fix bug when parsing absolute timestam…
felixfontein May 3, 2024
15ed057
Add acme_certificate_renewal_info module (#746)
felixfontein May 4, 2024
98c5c52
ACME: improve acme_certificate docs, include cert_id in acme_certific…
felixfontein May 4, 2024
f9f2231
Avoid exception if certificate has no AKI in acme_certificate. (#748)
felixfontein May 5, 2024
044a3be
Refactor and extend argument spec helper, use for ACME modules (#749)
felixfontein May 5, 2024
a147b78
ACME modules: simplify code, refactor argspec handling code, move csr…
felixfontein May 5, 2024
a7f2725
Fix documentation. (#751)
felixfontein May 5, 2024
89da989
ecs_certificate: allow to request renewal without csr (#740)
francescolovecchio May 9, 2024
8752b36
x509_certificate: fix time idempotence (#754)
felixfontein May 11, 2024
704d3ef
Revert all non-bugfixes merged since the last release.
felixfontein May 11, 2024
f9f38d4
Prepare 2.19.1 bugfix release.
felixfontein May 11, 2024
7c46bdd
Release 2.19.1.
felixfontein May 11, 2024
0021a0b
Next planned release is 2.20.0.
felixfontein May 11, 2024
ef9dbda
Revert "Revert all non-bugfixes merged since the last release."
felixfontein May 11, 2024
5809428
Pass codecov token to ansible-test-gh-action. (#755)
felixfontein May 11, 2024
f5e6a57
Make sure the ACME inspect tests run with both backends. (#758)
felixfontein May 12, 2024
2172e77
From now on automatically add period to new plugins in changelog, and…
felixfontein May 20, 2024
3c283d4
Prepare 2.20.0.
felixfontein May 20, 2024
ed3b4aa
Release 2.20.0.
felixfontein May 20, 2024
53b360b
The next expected release will be 2.21.0.
felixfontein May 20, 2024
8800e62
Remove usage of old ACME test container. (#760)
felixfontein May 20, 2024
3 changes: 3 additions & 0 deletions .github/workflows/ansible-test.yml
Expand Up @@ -50,6 +50,7 @@ jobs:
with:
ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
ansible-core-version: stable-${{ matrix.ansible }}
codecov-token: ${{ secrets.CODECOV_TOKEN }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
pull-request-change-detection: 'true'
testing-type: sanity
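Review bot: `codecov-token: ${{ secrets.CODECOV_TOKEN }}` is passed unconditionally, but GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so on fork PRs (this one included) the input resolves to an empty string. That is harmless here only because the `coverage:` line two lines below keeps uploads at `'never'` outside the scheduled run; if coverage is ever enabled for PR runs, the empty token will need handling, or the upload should be gated on `github.event_name == 'schedule'` as well. The same applies to the identical additions in the units and integration jobs below.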
Expand Down Expand Up @@ -85,6 +86,7 @@ jobs:
with:
ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
ansible-core-version: stable-${{ matrix.ansible }}
codecov-token: ${{ secrets.CODECOV_TOKEN }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
pull-request-change-detection: 'true'
testing-type: units
Expand Down Expand Up @@ -282,6 +284,7 @@ jobs:
with:
ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
ansible-core-version: stable-${{ matrix.ansible }}
codecov-token: ${{ secrets.CODECOV_TOKEN }}
coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
docker-image: ${{ matrix.docker }}
integration-continue-on-error: 'false'
617 changes: 338 additions & 279 deletions CHANGELOG.md

Large diffs are not rendered by default.

94 changes: 72 additions & 22 deletions CHANGELOG.rst
Expand Up @@ -4,6 +4,56 @@ Community Crypto Release Notes

.. contents:: Topics

v2.20.0
=======

Release Summary
---------------

Feature and bugfix release.

The deprecations in this release are only relevant for collections that use shared
code or docs fragments from this collection.

Minor Changes
-------------

- acme_certificate - add ``include_renewal_cert_id`` option to allow requesting renewal of a specific certificate according to the current ACME Renewal Information specification draft (https://github.com/ansible-collections/community.crypto/pull/739).

Deprecated Features
-------------------

- acme documentation fragment - the default ``community.crypto.acme[.documentation]`` docs fragment is deprecated and will be removed from community.crypto 3.0.0. Replace it with both the new ``community.crypto.acme.basic`` and ``community.crypto.acme.account`` fragments (https://github.com/ansible-collections/community.crypto/pull/735).
- acme.backends module utils - the ``get_cert_information()`` method for a ACME crypto backend must be implemented from community.crypto 3.0.0 on (https://github.com/ansible-collections/community.crypto/pull/736).
- crypto.module_backends.common module utils - the ``crypto.module_backends.common`` module utils is deprecated and will be removed from community.crypto 3.0.0. Use the improved ``argspec`` module util instead (https://github.com/ansible-collections/community.crypto/pull/749).

Bugfixes
--------

- x509_crl, x509_certificate, x509_certificate_info - when parsing absolute timestamps which omitted the second count, the first digit of the minutes was used as a one-digit minutes count, and the second digit of the minutes as a one-digit second count (https://github.com/ansible-collections/community.crypto/pull/745).

New Modules
-----------

- community.crypto.acme_ari_info - Retrieves ACME Renewal Information (ARI) for a certificate.
- community.crypto.acme_certificate_deactivate_authz - Deactivate all authz for an ACME v2 order.
- community.crypto.acme_certificate_renewal_info - Determine whether a certificate should be renewed or not.

v2.19.1
=======

Release Summary
---------------

Bugfix release.

Bugfixes
--------

- crypto.math module utils - change return values for ``quick_is_not_prime()`` and ``convert_int_to_bytes(0, 0)`` for special cases that do not appear when using the collection (https://github.com/ansible-collections/community.crypto/pull/733).
- ecs_certificate - fixed ``csr`` option to be empty and allow renewal of a specific certificate according to the Renewal Information specification (https://github.com/ansible-collections/community.crypto/pull/740).
- x509_certificate - since community.crypto 2.19.0 the module was no longer idempotent with respect to ``not_before`` and ``not_after`` times. This is now fixed (https://github.com/ansible-collections/community.crypto/issues/753, https://github.com/ansible-collections/community.crypto/pull/754).

v2.19.0
=======
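Review bot: none of this CHANGELOG.rst content belongs to the gpg_keypair change; the v2.19.1 and v2.20.0 sections come from the release commits merged in from main (7c46bdd, ed3b4aa and the surrounding felixfontein commits in the commit list). The branch should be rebased onto current main so the PR diff shows only the new module, its integration tests and its docs; as it stands a reviewer has to mentally subtract 617 lines of CHANGELOG.md plus this file before reaching the actual change. The generated changelog files are also not something to touch in a feature branch; antsibull-changelog regenerates them from fragments at release time.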

Expand Down Expand Up @@ -31,7 +81,7 @@ Bugfixes
New Modules
-----------

- x509_certificate_convert - Convert X.509 certificates
- community.crypto.x509_certificate_convert - Convert X.509 certificates

v2.18.0
=======
Expand Down Expand Up @@ -64,8 +114,8 @@ New Plugins
Filter
~~~~~~

- parse_serial - Convert a serial number as a colon-separated list of hex numbers to an integer
- to_serial - Convert an integer to a colon-separated list of hex numbers
- community.crypto.parse_serial - Convert a serial number as a colon-separated list of hex numbers to an integer
- community.crypto.to_serial - Convert an integer to a colon-separated list of hex numbers

v2.17.1
=======
Expand Down Expand Up @@ -185,12 +235,12 @@ New Plugins
Filter
~~~~~~

- gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key
- community.crypto.gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key

Lookup
~~~~~~

- gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key file
- community.crypto.gpg_fingerprint - Retrieve a GPG fingerprint from a GPG public or private key file

v2.14.1
=======
Expand Down Expand Up @@ -333,12 +383,12 @@ New Plugins
Filter
~~~~~~

- openssl_csr_info - Retrieve information from OpenSSL Certificate Signing Requests (CSR)
- openssl_privatekey_info - Retrieve information from OpenSSL private keys
- openssl_publickey_info - Retrieve information from OpenSSL public keys in PEM format
- split_pem - Split PEM file contents into multiple objects
- x509_certificate_info - Retrieve information from X.509 certificates in PEM format
- x509_crl_info - Retrieve information from X.509 CRLs in PEM format
- community.crypto.openssl_csr_info - Retrieve information from OpenSSL Certificate Signing Requests (CSR)
- community.crypto.openssl_privatekey_info - Retrieve information from OpenSSL private keys
- community.crypto.openssl_publickey_info - Retrieve information from OpenSSL public keys in PEM format
- community.crypto.split_pem - Split PEM file contents into multiple objects
- community.crypto.x509_certificate_info - Retrieve information from X.509 certificates in PEM format
- community.crypto.x509_crl_info - Retrieve information from X.509 CRLs in PEM format

v2.9.0
======
Expand Down Expand Up @@ -637,8 +687,8 @@ Bugfixes
New Modules
-----------

- crypto_info - Retrieve cryptographic capabilities
- openssl_privatekey_convert - Convert OpenSSL private keys
- community.crypto.crypto_info - Retrieve cryptographic capabilities
- community.crypto.openssl_privatekey_convert - Convert OpenSSL private keys

v2.0.2
======
Expand Down Expand Up @@ -884,7 +934,7 @@ Bugfixes
New Modules
-----------

- openssl_publickey_info - Provide information for OpenSSL public keys
- community.crypto.openssl_publickey_info - Provide information for OpenSSL public keys

v1.6.2
======
Expand Down Expand Up @@ -1015,9 +1065,9 @@ Bugfixes
New Modules
-----------

- openssl_csr_pipe - Generate OpenSSL Certificate Signing Request (CSR)
- openssl_privatekey_pipe - Generate OpenSSL private keys without disk access
- x509_certificate_pipe - Generate and/or check OpenSSL certificates
- community.crypto.openssl_csr_pipe - Generate OpenSSL Certificate Signing Request (CSR)
- community.crypto.openssl_privatekey_pipe - Generate OpenSSL private keys without disk access
- community.crypto.x509_certificate_pipe - Generate and/or check OpenSSL certificates

v1.2.0
======
Expand Down Expand Up @@ -1093,8 +1143,8 @@ Bugfixes
New Modules
-----------

- openssl_signature - Sign data with openssl
- openssl_signature_info - Verify signatures with openssl
- community.crypto.openssl_signature - Sign data with openssl
- community.crypto.openssl_signature_info - Verify signatures with openssl

v1.0.0
======
Expand Down Expand Up @@ -1169,6 +1219,6 @@ Bugfixes
New Modules
-----------

- ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
- x509_crl - Generate Certificate Revocation Lists (CRLs)
- x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)
- community.crypto.ecs_domain - Request validation of a domain with the Entrust Certificate Services (ECS) API
- community.crypto.x509_crl - Generate Certificate Revocation Lists (CRLs)
- community.crypto.x509_crl_info - Retrieve information on Certificate Revocation Lists (CRLs)
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -68,6 +68,7 @@ If you use the Ansible package and do not update collections independently, use
- acme_account module
- acme_ari_info module
- acme_certificate module
- acme_certificate_deactivate_authz module
- acme_certificate_revoke module
- acme_challenge_cert_helper module
- acme_inspect module
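Review bot: the README module list gains `acme_certificate_deactivate_authz` (again from the merged release, not from this PR) but not `gpg_keypair`. Since the whole README diff is a single added line, the new module has no README entry yet; add `- gpg_keypair module` in its alphabetical position in the list so the README and the collection's module set stay in sync.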
67 changes: 67 additions & 0 deletions changelogs/changelog.yaml
Expand Up @@ -1079,6 +1079,25 @@ releases:
name: x509_certificate_convert
namespace: ''
release_date: '2024-04-20'
2.19.1:
changes:
bugfixes:
- crypto.math module utils - change return values for ``quick_is_not_prime()``
and ``convert_int_to_bytes(0, 0)`` for special cases that do not appear when
using the collection (https://github.com/ansible-collections/community.crypto/pull/733).
- ecs_certificate - fixed ``csr`` option to be empty and allow renewal of a
specific certificate according to the Renewal Information specification (https://github.com/ansible-collections/community.crypto/pull/740).
- x509_certificate - since community.crypto 2.19.0 the module was no longer
idempotent with respect to ``not_before`` and ``not_after`` times. This is
now fixed (https://github.com/ansible-collections/community.crypto/issues/753,
https://github.com/ansible-collections/community.crypto/pull/754).
release_summary: Bugfix release.
fragments:
- 2.19.1.yml
- 733-math-prime.yml
- 740-ecs_certificate-renewal-without-csr.yml
- 754-x509_certificate-time.yml
release_date: '2024-05-11'
2.2.0:
changes:
bugfixes:
Expand Down Expand Up @@ -1153,6 +1172,54 @@ releases:
- 2.2.4.yml
- 417-openssh_modules-fix-exception-reporting.yml
release_date: '2022-03-22'
2.20.0:
changes:
bugfixes:
- x509_crl, x509_certificate, x509_certificate_info - when parsing absolute
timestamps which omitted the second count, the first digit of the minutes
was used as a one-digit minutes count, and the second digit of the minutes
as a one-digit second count (https://github.com/ansible-collections/community.crypto/pull/745).
deprecated_features:
- acme documentation fragment - the default ``community.crypto.acme[.documentation]``
docs fragment is deprecated and will be removed from community.crypto 3.0.0.
Replace it with both the new ``community.crypto.acme.basic`` and ``community.crypto.acme.account``
fragments (https://github.com/ansible-collections/community.crypto/pull/735).
- acme.backends module utils - the ``get_cert_information()`` method for a ACME
crypto backend must be implemented from community.crypto 3.0.0 on (https://github.com/ansible-collections/community.crypto/pull/736).
- crypto.module_backends.common module utils - the ``crypto.module_backends.common``
module utils is deprecated and will be removed from community.crypto 3.0.0.
Use the improved ``argspec`` module util instead (https://github.com/ansible-collections/community.crypto/pull/749).
minor_changes:
- acme_certificate - add ``include_renewal_cert_id`` option to allow requesting
renewal of a specific certificate according to the current ACME Renewal Information
specification draft (https://github.com/ansible-collections/community.crypto/pull/739).
release_summary: 'Feature and bugfix release.


The deprecations in this release are only relevant for collections that use
shared

code or docs fragments from this collection.

'
fragments:
- 2.20.0.yml
- 735-acme-docs-fragment.yml
- 736-cert-info.yml
- 739-acme_certificate-include_renewal_cert_id.yml
- 745-absolute-time.yml
- 749-argspec.yml
modules:
- description: Retrieves ACME Renewal Information (ARI) for a certificate.
name: acme_ari_info
namespace: ''
- description: Deactivate all authz for an ACME v2 order.
name: acme_certificate_deactivate_authz
namespace: ''
- description: Determine whether a certificate should be renewed or not.
name: acme_certificate_renewal_info
namespace: ''
release_date: '2024-05-20'
2.3.0:
changes:
bugfixes:
3 changes: 3 additions & 0 deletions changelogs/config.yaml
Expand Up @@ -34,3 +34,6 @@ sections:
- - known_issues
- Known Issues
title: Community Crypto
trivial_section_name: trivial
use_fqcn: true
add_plugin_period: true
2 changes: 0 additions & 2 deletions changelogs/fragments/733-math-prime.yml

This file was deleted.

2 changes: 0 additions & 2 deletions changelogs/fragments/735-acme-docs-fragment.yml

This file was deleted.

2 changes: 0 additions & 2 deletions changelogs/fragments/736-cert-info.yml

This file was deleted.

This file was deleted.

2 changes: 1 addition & 1 deletion galaxy.yml
Expand Up @@ -5,7 +5,7 @@

namespace: community
name: crypto
version: 2.20.0
version: 2.21.0
readme: README.md
authors:
- Ansible (github.com/ansible)
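Review bot: galaxy.yml now says the next release is 2.21.0 (matching commit 53b360b, "The next expected release will be 2.21.0"), but commit adab532 set `version_added` for the new module to 2.22.0. Unless the module is deliberately targeted at the release after next, the module documentation should say `version_added: 2.21.0`; otherwise ansible-doc and the docsite will attribute the module to a later version than the one it first ships in.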
1 change: 1 addition & 0 deletions meta/runtime.yml
Expand Up @@ -8,6 +8,7 @@ requires_ansible: '>=2.9.10'
action_groups:
acme:
- acme_inspect
- acme_certificate_deactivate_authz
- acme_certificate_revoke
- acme_certificate
- acme_account
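Review bot: the `acme` action group is unsorted (acme_inspect, then the new acme_certificate_deactivate_authz, acme_certificate_revoke, acme_certificate, acme_account), so inserting the new entry after acme_inspect is consistent with what is there but makes the list harder to scan; keeping it sorted would make a missing entry easier to spot at review time. The new gpg_keypair module is not an ACME module and correctly stays out of this group.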
30 changes: 30 additions & 0 deletions plugins/doc_fragments/acme.py
Expand Up @@ -284,4 +284,34 @@ class ModuleDocFragment(object):
or enabled with the O(select_crypto_backend) option. Note that using
the C(openssl) binary will be slower."
options: {}
'''

CERTIFICATE = r'''
options:
csr:
description:
- "File containing the CSR for the new certificate."
- "Can be created with M(community.crypto.openssl_csr)."
- "The CSR may contain multiple Subject Alternate Names, but each one
will lead to an individual challenge that must be fulfilled for the
CSR to be signed."
- "B(Note): the private key used to create the CSR B(must not) be the
account key. This is a bad idea from a security point of view, and
the CA should not accept the CSR. The ACME server should return an
error in this case."
- Precisely one of O(csr) or O(csr_content) must be specified.
type: path
csr_content:
description:
- "Content of the CSR for the new certificate."
- "Can be created with M(community.crypto.openssl_csr_pipe)."
- "The CSR may contain multiple Subject Alternate Names, but each one
will lead to an individual challenge that must be fulfilled for the
CSR to be signed."
- "B(Note): the private key used to create the CSR B(must not) be the
account key. This is a bad idea from a security point of view, and
the CA should not accept the CSR. The ACME server should return an
error in this case."
- Precisely one of O(csr) or O(csr_content) must be specified.
type: str
'''
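Review bot: the docs for `csr` and `csr_content` say "Precisely one of O(csr) or O(csr_content) must be specified", but a doc fragment cannot enforce that; every module that includes the CERTIFICATE fragment needs `mutually_exclusive=[['csr', 'csr_content']]` and `required_one_of=[['csr', 'csr_content']]` in its argument spec, or the constraint is documentation only. Two wording points: RFC 5280 calls the extension Subject Alternative Name, not "Subject Alternate Names", and the account-key warning would carry more weight if it said why rather than only "a bad idea" (RFC 8555, Key Selection, section 11.1, requires the server to reject a CSR whose public key is the account key, because one key would then authorize both the account and the certificate). That warning is also duplicated verbatim between the two options; consider stating it once, for example in the consuming module's `notes:` section.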