VhWddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl m Z ddlmZddlmZd Zd Zd Zd Zd ZdZddZdZdZdZdZdZdZdZdZ dZ!e"dk(re!yy))absolute_importdivisionprint_functionaz module: java_cert short_description: Uses keytool to import/remove certificate to/from java keystore (cacerts) description: - This is a wrapper module around keytool, which can be used to import certificates and optionally private keys to a given java keystore, or remove them from it. extends_documentation_fragment: - community.general.attributes - ansible.builtin.files attributes: check_mode: support: full diff_mode: support: full options: cert_url: description: - Basic URL to fetch SSL certificate from. - Exactly one of O(cert_url), O(cert_path), O(cert_content), or O(pkcs12_path) is required to load certificate. type: str cert_port: description: - Port to connect to URL. - This will be used to create server URL:PORT. type: int default: 443 cert_path: description: - Local path to load certificate from. - Exactly one of O(cert_url), O(cert_path), O(cert_content), or O(pkcs12_path) is required to load certificate. type: path cert_content: description: - Content of the certificate used to create the keystore. - Exactly one of O(cert_url), O(cert_path), O(cert_content), or O(pkcs12_path) is required to load certificate. type: str version_added: 8.6.0 cert_alias: description: - Imported certificate alias. - The alias is used when checking for the presence of a certificate in the keystore. type: str trust_cacert: description: - Trust imported cert as CAcert. type: bool default: false version_added: '0.2.0' pkcs12_path: description: - Local path to load PKCS12 keystore from. - Unlike O(cert_url), O(cert_path) and O(cert_content), the PKCS12 keystore embeds the private key matching the certificate, and is used to import both the certificate and its private key into the java keystore. - Exactly one of O(cert_url), O(cert_path), O(cert_content), or O(pkcs12_path) is required to load certificate. type: path pkcs12_password: description: - Password for importing from PKCS12 keystore. type: str pkcs12_alias: description: - Alias in the PKCS12 keystore. type: str keystore_path: description: - Path to keystore. type: path keystore_pass: description: - Keystore password. type: str required: true keystore_create: description: - Create keystore if it does not exist. type: bool default: false keystore_type: description: - Keystore type (JCEKS, JKS). type: str executable: description: - Path to keytool binary if not used we search in PATH for it. type: str default: keytool state: description: - Defines action which can be either certificate import or removal. - When state is present, the certificate will always idempotently be inserted into the keystore, even if there already exists a cert alias that is different. type: str choices: [absent, present] default: present mode: version_added: 8.5.0 owner: version_added: 8.5.0 group: version_added: 8.5.0 seuser: version_added: 8.5.0 serole: version_added: 8.5.0 setype: version_added: 8.5.0 selevel: version_added: 8.5.0 unsafe_writes: version_added: 8.5.0 attributes: version_added: 8.5.0 requirements: [openssl, keytool] author: - Adam Hamsik (@haad) a@ - name: Import SSL certificate from google.com to a given cacerts keystore community.general.java_cert: cert_url: google.com cert_port: 443 keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts keystore_pass: changeit state: present - name: Remove certificate with given alias from a keystore community.general.java_cert: cert_url: google.com keystore_path: /usr/lib/jvm/jre7/lib/security/cacerts keystore_pass: changeit executable: /usr/lib/jvm/jre7/bin/keytool state: absent - name: Import trusted CA from SSL certificate community.general.java_cert: cert_path: /opt/certs/rootca.crt keystore_path: /tmp/cacerts keystore_pass: changeit keystore_create: true state: present cert_alias: LE_RootCA trust_cacert: true - name: Import trusted CA from the SSL certificate stored in the cert_content variable community.general.java_cert: cert_content: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- keystore_path: /tmp/cacerts keystore_pass: changeit keystore_create: true state: present cert_alias: LE_RootCA trust_cacert: true - name: Import SSL certificate from google.com to a keystore, create it if it doesn't exist community.general.java_cert: cert_url: google.com keystore_path: /tmp/cacerts keystore_pass: changeit keystore_create: true state: present - name: Import a pkcs12 keystore with a specified alias, create it if it doesn't exist community.general.java_cert: pkcs12_path: "/tmp/importkeystore.p12" cert_alias: default keystore_path: /opt/wildfly/standalone/configuration/defaultkeystore.jks keystore_pass: changeit keystore_create: true state: present - name: Import SSL certificate to JCEKS keystore community.general.java_cert: pkcs12_path: "/tmp/importkeystore.p12" pkcs12_alias: default pkcs12_password: somepass cert_alias: default keystore_path: /opt/someapp/security/keystore.jceks keystore_type: "JCEKS" keystore_pass: changeit keystore_create: true state: present a msg: description: Output from stdout of keytool command after execution of given command. returned: success type: str sample: "Module require existing keystore at keystore_path '/tmp/test/cacerts'" rc: description: Keytool command execution return value. returned: success type: int sample: "0" cmd: description: Executed command to get action done. returned: success type: str sample: "keytool -importcert -noprompt -keystore" N) AnsibleModule)urlparse) getproxiesc|rd|gSgS)z7 Check that custom keystore is presented in parameters -storetype) keystore_types o/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/java_cert.py%_get_keystore_type_keytool_parametersrsm,, Ict|dd|d|dg}|t|z }|j||d\}}} |dk(rd|fSy ) zY Check if certificate with alias is present in keystore located at keystore_path -list -keystore-alias-rfcFdatacheck_rcrT)F)r run_command) module executable keystore_path keystore_passaliasr test_cmdrstdoutdummys r _check_cert_presentr"se  H 5mDDH & 2 28-Z_ 2 `Xvu1}f~ rct||||}t|d5}|j|dddy#1swYyxYw)Nw)_download_cert_urlopenwrite)rrurlportpem_certificate_outputremote_cert_pem_chainfs r _get_certificate_from_urlr-sB.vz3M $c *'a %&'''s6?c|dd|d|g}|j|d\}}}|dk7r:|ddgz }|j|d\}}}|dk7r|jd |z|| |S) zQ Read a X509 certificate chain file and output the first certificate in the list x509z-inz-outFrrz-informderz>Internal module failure, cannot extract certificate, error: %smsgrccmd)r fail_json)rpem_certificate_filer* openssl_bin extract_cmd extract_rcr!extract_stderrs r %_get_first_certificate_from_x509_filer<s   K+1*<*<[SX*<*Y'ZQ 5)) .4.@.@W\.@.]+UN ?   !adr!r *   = rc tj\}}|j|t|||||ddd|g}|j |d\}}}|dk7r|j d|z|||j d dS) zE Read a X509 certificate file and output sha256 digest using openssl dgstz-rz-sha256Fr0rzIInternal module failure, cannot compute digest for certificate, error: %sr2 )tempfilemkstempadd_cleanup_filer<rr6split) rr7r8r!tmp_certificatedgst_cmddgst_rc dgst_stdout dgst_stderrs r _get_digest_from_x509_filerI s (//1UO O,)&2FYde  H+1*<*'>s'C $ZJ''(2'<'|j dd}t j dd|}|jd|zg|S) z1 Returns list of valid proxy options for keytool no_proxyz-J-Dhttps.proxyHost=%sz-J-Dhttps.proxyPort=%s,|z(^|\|)\.z\1*.z-J-Dhttp.nonProxyHosts=%s)raosgetenvrNreplaceresub)r_r`rc proxy_optsnon_proxy_hostss r build_proxy_optionsrm^s13Zyy$HJ3j@BZ]gBghi  '..sC8O ff['?KO   :_LM N rc`|j|j|}|j|dS)z/ Updates keystore file attributes as necessary )r\F)load_file_common_argumentsparamsset_fs_attributes_if_different)rr file_argss r _update_permissionsrsss.11&--m1TI  0 0E BBrct}|dddg|zd||fzgz}|j|d\}}}|dk7r|jd|z|| |S) zz Fetches the certificate from the remote URL using `keytool -printcert...` The PEM formatted string is returned z -printcertrz -sslserverz%s:%dFr0rz?Internal module failure, cannot download certificate, error: %sr2)rmrr6) rrr(r)rk fetch_cmdfetch_rc fetch_out fetch_errs r r%r%ys%&J\6<@:MQX\_ae[fQfPggI(.'9'9)e'9'T$Xy)1}^ajj$)  5 rc ||d} |ddddd|d|g } | jD]\} } | s | j| | g| t|z } |d|} tjj |s|d| } |j | | d \}}}dd |zd }|d k7stjj |s|j||| |td||| |||S)zQ Import pkcs12 from path into keystore located on keystore_path as alias )z -destaliasz -srcaliasz-importkeystorerKz -srcstoretyperLz -srckeystorez -destkeystore Fr%s beforeafterrr3r4r5errorTchangedr3r4r5r rdiff) itemsrNrrfr\existsrr6dict)rr pkcs12_path pkcs12_pass pkcs12_aliasrrkeystore_aliasr optional_aliases import_cmdflagvalue secret_data import_rc import_out import_errrs r import_pkcs12_pathrs %!  J(--/- e    tUm ,-7 FFJ+[9K 77>>- ("/= +1*<*>- ( 1N,dgt,tu2O (rc ttdtdtdtdtddtdtdtddtdtddd td d td d tdtdd tdd dd g}t|gdgdgddgggdgdd}|jjd}|jjd}|jjd}|jjd}|jjd}|jjdd}|jjdd}|jjd xs|} |jjd!} |jjd} |jjd} |jjd"} |jjd#}|jjd$}|jjd%}|j d&d}|r| s|j d d'| z(t ||| s t|| t||| | | |\}}tj\}}tj\}}|j||j|t}|dk(r0|r.|jr|jd)t||| | | |}|d k(r|r4t|d*5}|j!|dddt#|||}nd}|rt%||||||n?|r|}n:|r't|d*5}|j!|dddn|rt'|||||t#|||}||k7rX|jr|jd)|rt||| | | ||rt)|||||| | | | }nt+|||| | | || }t,j.j1| r%t3|| }|jd+d xs||d+<|jd,i|y#1swY-xYw#1swYxYw)-Nstr)typer\T)rno_loginti)rdefault)rrequiredrboolFkeytoolpresentabsent)rrchoices)cert_url cert_path cert_contentrpkcs12_passwordr cert_alias cert_portrrrkeystore_creater rstate)rr)rrrrT)rr)rrTrr)rrrr) argument_spec required_ifrequired_togethermutually_exclusivesupports_check_modeadd_file_common_argsrrrrrrrr1rrrr rropensslz8Using local path import from %s requires alias argument.r)rr$rr )rrrprY get_bin_pathr6rrr"r@rArB check_mode exit_jsonrr&r'rIrVr-rrrfr\rrs)rrr(r\contentr)rrrrrrrrr rrr8 alias_existsalias_exists_outputr!new_certificateold_certificateresultr,keystore_cert_digestnew_cert_digestchanged_permissionss r mainrs5!F#u%f%%5u%U#E3/'TBvu5&%8&UI6y8Y:OPM$#iJL+_=> D !! F --  J 'C ==  [ )Dmm/G ==  [ )D--##M2K--##$5r:K==$$^S9L""<07CJ==$$^4LMM%%o6MMM%%o6Mmm''(9:OMM%%o6M""<0J MM  g &E%%i6K JW,-  .$ fm,(; M=*m)U%L% (//1UO'//1UO O, O, VF \      T  *VZ z[hi  os+ -q+, -#=foWb#c $&  +FJ \[fhw x #O os+ !q  ! ! &fj#t_ U4V_kZ ? 2     .FJ }jZgh+FJ [Zf,9=*Vce*&*o}*7]T`b ww~~m$1&-H"JJy%8OrsA@ t lD L (  5@D(' 2%,4 (*C  (-V-B:24 vEP zFr