def main():
module = AnsibleModule(
argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True),
acme_directory=dict(
required=False,
default='https://acme-staging.api.letsencrypt.org/directory',
type='str'),
acme_version=dict(required=False,
default=1,
choices=[1, 2],
type='int'),
validate_certs=dict(required=False, default=True, type='bool'),
terms_agreed=dict(required=False, default=False, type='bool'),
state=dict(required=True,
choices=['absent', 'present', 'changed_key'],
type='str'),
allow_creation=dict(required=False, default=True, type='bool'),
contact=dict(required=False, type='list', default=[]),
new_account_key_src=dict(type='path'),
new_account_key_content=dict(type='str', no_log=True),
select_crypto_backend=dict(
required=False,
choices=['auto', 'openssl', 'cryptography'],
default='auto',
type='str'),
),
required_one_of=(['account_key_src', 'account_key_content'], ),
mutually_exclusive=(
['account_key_src', 'account_key_content'],
['new_account_key_src', 'new_account_key_content'],
),
required_if=(
# Make sure that for state == changed_key, one of
# new_account_key_src and new_account_key_content are specified
[
'state', 'changed_key',
['new_account_key_src', 'new_account_key_content'], True
], ),
supports_check_mode=True,
)
set_crypto_backend(module)
if not module.params.get('validate_certs'):
module.warn(
warning=
'Disabling certificate validation for communications with ACME endpoint. '
+
'This should only be done for testing against a local ACME server for '
+ 'development purposes, but *never* for production purposes.')
if module.params.get('acme_version') < 2:
module.fail_json(
msg='The acme_account module requires the ACME v2 protocol!')
try:
account = ACMEAccount(module)
state = module.params.get('state')
if state == 'absent':
changed = account.init_account(
[],
allow_creation=False,
update_contact=False,
)
if changed:
raise AssertionError('Unwanted account change')
if account.uri is not None:
# Account does exist
account_data = account.get_account_data()
if account_data is not None:
# Account is not yet deactivated
if not module.check_mode:
# Deactivate it
payload = {'status': 'deactivated'}
result, info = account.send_signed_request(
account.uri, payload)
if info['status'] != 200:
raise ModuleFailException(
'Error deactivating account: {0} {1}'.format(
info['status'], result))
module.exit_json(changed=True, account_uri=account.uri)
module.exit_json(changed=False, account_uri=account.uri)
elif state == 'present':
allow_creation = module.params.get('allow_creation')
contact = module.params.get('contact')
terms_agreed = module.params.get('terms_agreed')
changed = account.init_account(
contact,
terms_agreed=terms_agreed,
allow_creation=allow_creation,
)
if account.uri is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
module.exit_json(changed=changed, account_uri=account.uri)
elif state == 'changed_key':
# Parse new account key
error, new_key_data = account.parse_key(
module.params.get('new_account_key_src'),
module.params.get('new_account_key_content'))
if error:
raise ModuleFailException(
"error while parsing account key: %s" % error)
# Verify that the account exists and has not been deactivated
changed = account.init_account(
[],
allow_creation=False,
update_contact=False,
)
if changed:
raise AssertionError('Unwanted account change')
if account.uri is None or account.get_account_data() is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
# Now we can start the account key rollover
if not module.check_mode:
# Compose inner signed message
# https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.3.6
url = account.directory['keyChange']
protected = {
"alg": new_key_data['alg'],
"jwk": new_key_data['jwk'],
"url": url,
}
payload = {
"account": account.uri,
"newKey": new_key_data['jwk'], # specified in draft 12
"oldKey": account.
jwk, # discussed in https://github.com/ietf-wg-acme/acme/pull/425,
# might be required in draft 13
}
data = account.sign_request(protected, payload, new_key_data)
# Send request and verify result
result, info = account.send_signed_request(url, data)
if info['status'] != 200:
raise ModuleFailException(
'Error account key rollover: {0} {1}'.format(
info['status'], result))
module.exit_json(changed=True, account_uri=account.uri)
except ModuleFailException as e:
e.do_fail(module)
def main():
module = AnsibleModule(
argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True),
account_uri=dict(required=False, type='str'),
acme_directory=dict(
required=False,
default='https://acme-staging.api.letsencrypt.org/directory',
type='str'),
acme_version=dict(required=False,
default=1,
choices=[1, 2],
type='int'),
validate_certs=dict(required=False, default=True, type='bool'),
select_crypto_backend=dict(
required=False,
choices=['auto', 'openssl', 'cryptography'],
default='auto',
type='str'),
),
required_one_of=(['account_key_src', 'account_key_content'], ),
mutually_exclusive=(['account_key_src', 'account_key_content'], ),
supports_check_mode=True,
)
set_crypto_backend(module)
if not module.params.get('validate_certs'):
module.warn(
warning=
'Disabling certificate validation for communications with ACME endpoint. '
+
'This should only be done for testing against a local ACME server for '
+ 'development purposes, but *never* for production purposes.')
if module.params.get('acme_version') < 2:
module.fail_json(
msg='The acme_account module requires the ACME v2 protocol!')
try:
account = ACMEAccount(module)
# Check whether account exists
changed = account.init_account(
[],
allow_creation=False,
update_contact=False,
remove_account_uri_if_not_exists=True,
)
if changed:
raise AssertionError('Unwanted account change')
if account.uri is None:
# Account does exist
module.exit_json(changed=False, exists=False, account_uri=None)
else:
# Account exists: retrieve account information
data = account.get_account_data()
# Make sure promised data is there
if 'contact' not in data:
data['contact'] = []
module.exit_json(changed=False,
exists=True,
account_uri=account.uri,
account=data)
except ModuleFailException as e:
e.do_fail(module)
def main():
argument_spec = get_default_argspec()
argument_spec.update(
dict(
terms_agreed=dict(type='bool', default=False),
state=dict(type='str',
required=True,
choices=['absent', 'present', 'changed_key']),
allow_creation=dict(type='bool', default=True),
contact=dict(type='list', elements='str', default=[]),
new_account_key_src=dict(type='path'),
new_account_key_content=dict(type='str', no_log=True),
))
module = AnsibleModule(
argument_spec=argument_spec,
required_one_of=(['account_key_src', 'account_key_content'], ),
mutually_exclusive=(
['account_key_src', 'account_key_content'],
['new_account_key_src', 'new_account_key_content'],
),
required_if=(
# Make sure that for state == changed_key, one of
# new_account_key_src and new_account_key_content are specified
[
'state', 'changed_key',
['new_account_key_src', 'new_account_key_content'], True
], ),
supports_check_mode=True,
)
handle_standard_module_arguments(module, needs_acme_v2=True)
try:
account = ACMEAccount(module)
changed = False
state = module.params.get('state')
diff_before = {}
diff_after = {}
if state == 'absent':
created, account_data = account.setup_account(allow_creation=False)
if account_data:
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
if created:
raise AssertionError('Unwanted account creation')
if account_data is not None:
# Account is not yet deactivated
if not module.check_mode:
# Deactivate it
payload = {'status': 'deactivated'}
result, info = account.send_signed_request(
account.uri, payload)
if info['status'] != 200:
raise ModuleFailException(
'Error deactivating account: {0} {1}'.format(
info['status'], result))
changed = True
elif state == 'present':
allow_creation = module.params.get('allow_creation')
# Make sure contact is a list of strings (unfortunately, Ansible doesn't do that for us)
contact = [str(v) for v in module.params.get('contact')]
terms_agreed = module.params.get('terms_agreed')
created, account_data = account.setup_account(
contact,
terms_agreed=terms_agreed,
allow_creation=allow_creation,
)
if account_data is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
if created:
diff_before = {}
else:
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
updated = False
if not created:
updated, account_data = account.update_account(
account_data, contact)
changed = created or updated
diff_after = dict(account_data)
diff_after['public_account_key'] = account.key_data['jwk']
elif state == 'changed_key':
# Parse new account key
error, new_key_data = account.parse_key(
module.params.get('new_account_key_src'),
module.params.get('new_account_key_content'))
if error:
raise ModuleFailException(
"error while parsing account key: %s" % error)
# Verify that the account exists and has not been deactivated
created, account_data = account.setup_account(allow_creation=False)
if created:
raise AssertionError('Unwanted account creation')
if account_data is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
# Now we can start the account key rollover
if not module.check_mode:
# Compose inner signed message
# https://tools.ietf.org/html/rfc8555#section-7.3.5
url = account.directory['keyChange']
protected = {
"alg": new_key_data['alg'],
"jwk": new_key_data['jwk'],
"url": url,
}
payload = {
"account": account.uri,
"newKey":
new_key_data['jwk'], # specified in draft 12 and older
"oldKey": account.jwk, # specified in draft 13 and newer
}
data = account.sign_request(protected, payload, new_key_data)
# Send request and verify result
result, info = account.send_signed_request(url, data)
if info['status'] != 200:
raise ModuleFailException(
'Error account key rollover: {0} {1}'.format(
info['status'], result))
if module._diff:
account.key_data = new_key_data
account.jws_header['alg'] = new_key_data['alg']
diff_after = account.get_account_data()
elif module._diff:
# Kind of fake diff_after
diff_after = dict(diff_before)
diff_after['public_account_key'] = new_key_data['jwk']
changed = True
result = {
'changed': changed,
'account_uri': account.uri,
}
if module._diff:
result['diff'] = {
'before': diff_before,
'after': diff_after,
}
module.exit_json(**result)
except ModuleFailException as e:
e.do_fail(module)
def main():
module = AnsibleModule(
argument_spec=dict(
account_key_src=dict(type='path', aliases=['account_key']),
account_key_content=dict(type='str', no_log=True),
account_uri=dict(required=False, type='str'),
acme_directory=dict(
required=False,
default='https://acme-staging.api.letsencrypt.org/directory',
type='str'),
acme_version=dict(required=False,
default=1,
choices=[1, 2],
type='int'),
validate_certs=dict(required=False, default=True, type='bool'),
terms_agreed=dict(required=False, default=False, type='bool'),
state=dict(required=True,
choices=['absent', 'present', 'changed_key'],
type='str'),
allow_creation=dict(required=False, default=True, type='bool'),
contact=dict(required=False,
type='list',
elements='str',
default=[]),
new_account_key_src=dict(type='path'),
new_account_key_content=dict(type='str', no_log=True),
select_crypto_backend=dict(
required=False,
choices=['auto', 'openssl', 'cryptography'],
default='auto',
type='str'),
),
required_one_of=(['account_key_src', 'account_key_content'], ),
mutually_exclusive=(
['account_key_src', 'account_key_content'],
['new_account_key_src', 'new_account_key_content'],
),
required_if=(
# Make sure that for state == changed_key, one of
# new_account_key_src and new_account_key_content are specified
[
'state', 'changed_key',
['new_account_key_src', 'new_account_key_content'], True
], ),
supports_check_mode=True,
)
set_crypto_backend(module)
if not module.params.get('validate_certs'):
module.warn(
warning=
'Disabling certificate validation for communications with ACME endpoint. '
+
'This should only be done for testing against a local ACME server for '
+ 'development purposes, but *never* for production purposes.')
if module.params.get('acme_version') < 2:
module.fail_json(
msg='The acme_account module requires the ACME v2 protocol!')
try:
account = ACMEAccount(module)
changed = False
state = module.params.get('state')
diff_before = {}
diff_after = {}
if state == 'absent':
created, account_data = account.setup_account(allow_creation=False)
if account_data:
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
if created:
raise AssertionError('Unwanted account creation')
if account_data is not None:
# Account is not yet deactivated
if not module.check_mode:
# Deactivate it
payload = {'status': 'deactivated'}
result, info = account.send_signed_request(
account.uri, payload)
if info['status'] != 200:
raise ModuleFailException(
'Error deactivating account: {0} {1}'.format(
info['status'], result))
changed = True
elif state == 'present':
allow_creation = module.params.get('allow_creation')
# Make sure contact is a list of strings (unfortunately, Ansible doesn't do that for us)
contact = [str(v) for v in module.params.get('contact')]
terms_agreed = module.params.get('terms_agreed')
created, account_data = account.setup_account(
contact,
terms_agreed=terms_agreed,
allow_creation=allow_creation,
)
if account_data is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
if created:
diff_before = {}
else:
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
updated = False
if not created:
updated, account_data = account.update_account(
account_data, contact)
changed = created or updated
diff_after = dict(account_data)
diff_after['public_account_key'] = account.key_data['jwk']
elif state == 'changed_key':
# Parse new account key
error, new_key_data = account.parse_key(
module.params.get('new_account_key_src'),
module.params.get('new_account_key_content'))
if error:
raise ModuleFailException(
"error while parsing account key: %s" % error)
# Verify that the account exists and has not been deactivated
created, account_data = account.setup_account(allow_creation=False)
if created:
raise AssertionError('Unwanted account creation')
if account_data is None:
raise ModuleFailException(
msg='Account does not exist or is deactivated.')
diff_before = dict(account_data)
diff_before['public_account_key'] = account.key_data['jwk']
# Now we can start the account key rollover
if not module.check_mode:
# Compose inner signed message
# https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3.6
url = account.directory['keyChange']
protected = {
"alg": new_key_data['alg'],
"jwk": new_key_data['jwk'],
"url": url,
}
payload = {
"account": account.uri,
"newKey":
new_key_data['jwk'], # specified in draft 12 and older
"oldKey": account.jwk, # specified in draft 13 and newer
}
data = account.sign_request(protected, payload, new_key_data)
# Send request and verify result
result, info = account.send_signed_request(url, data)
if info['status'] != 200:
raise ModuleFailException(
'Error account key rollover: {0} {1}'.format(
info['status'], result))
if module._diff:
account.key_data = new_key_data
account.jws_header['alg'] = new_key_data['alg']
diff_after = account.get_account_data()
elif module._diff:
# Kind of fake diff_after
diff_after = dict(diff_before)
diff_after['public_account_key'] = new_key_data['jwk']
changed = True
result = {
'changed': changed,
'account_uri': account.uri,
}
if module._diff:
result['diff'] = {
'before': diff_before,
'after': diff_after,
}
module.exit_json(**result)
except ModuleFailException as e:
e.do_fail(module)
