def main(): argument_spec = get_default_argspec() argument_spec.update( dict( terms_agreed=dict(type='bool', default=False), state=dict(type='str', required=True, choices=['absent', 'present', 'changed_key']), allow_creation=dict(type='bool', default=True), contact=dict(type='list', elements='str', default=[]), new_account_key_src=dict(type='path'), new_account_key_content=dict(type='str', no_log=True), )) module = AnsibleModule( argument_spec=argument_spec, required_one_of=(['account_key_src', 'account_key_content'], ), mutually_exclusive=( ['account_key_src', 'account_key_content'], ['new_account_key_src', 'new_account_key_content'], ), required_if=( # Make sure that for state == changed_key, one of # new_account_key_src and new_account_key_content are specified [ 'state', 'changed_key', ['new_account_key_src', 'new_account_key_content'], True ], ), supports_check_mode=True, ) handle_standard_module_arguments(module, needs_acme_v2=True) try: account = ACMEAccount(module) changed = False state = module.params.get('state') diff_before = {} diff_after = {} if state == 'absent': created, account_data = account.setup_account(allow_creation=False) if account_data: diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] if created: raise AssertionError('Unwanted account creation') if account_data is not None: # Account is not yet deactivated if not module.check_mode: # Deactivate it payload = {'status': 'deactivated'} result, info = account.send_signed_request( account.uri, payload) if info['status'] != 200: raise ModuleFailException( 'Error deactivating account: {0} {1}'.format( info['status'], result)) changed = True elif state == 'present': allow_creation = module.params.get('allow_creation') # Make sure contact is a list of strings (unfortunately, Ansible doesn't do that for us) contact = [str(v) for v in module.params.get('contact')] terms_agreed = module.params.get('terms_agreed') created, account_data = account.setup_account( contact, terms_agreed=terms_agreed, allow_creation=allow_creation, ) if account_data is None: raise ModuleFailException( msg='Account does not exist or is deactivated.') if created: diff_before = {} else: diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] updated = False if not created: updated, account_data = account.update_account( account_data, contact) changed = created or updated diff_after = dict(account_data) diff_after['public_account_key'] = account.key_data['jwk'] elif state == 'changed_key': # Parse new account key error, new_key_data = account.parse_key( module.params.get('new_account_key_src'), module.params.get('new_account_key_content')) if error: raise ModuleFailException( "error while parsing account key: %s" % error) # Verify that the account exists and has not been deactivated created, account_data = account.setup_account(allow_creation=False) if created: raise AssertionError('Unwanted account creation') if account_data is None: raise ModuleFailException( msg='Account does not exist or is deactivated.') diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] # Now we can start the account key rollover if not module.check_mode: # Compose inner signed message # https://tools.ietf.org/html/rfc8555#section-7.3.5 url = account.directory['keyChange'] protected = { "alg": new_key_data['alg'], "jwk": new_key_data['jwk'], "url": url, } payload = { "account": account.uri, "newKey": new_key_data['jwk'], # specified in draft 12 and older "oldKey": account.jwk, # specified in draft 13 and newer } data = account.sign_request(protected, payload, new_key_data) # Send request and verify result result, info = account.send_signed_request(url, data) if info['status'] != 200: raise ModuleFailException( 'Error account key rollover: {0} {1}'.format( info['status'], result)) if module._diff: account.key_data = new_key_data account.jws_header['alg'] = new_key_data['alg'] diff_after = account.get_account_data() elif module._diff: # Kind of fake diff_after diff_after = dict(diff_before) diff_after['public_account_key'] = new_key_data['jwk'] changed = True result = { 'changed': changed, 'account_uri': account.uri, } if module._diff: result['diff'] = { 'before': diff_before, 'after': diff_after, } module.exit_json(**result) except ModuleFailException as e: e.do_fail(module)
def main(): module = AnsibleModule( argument_spec=dict( account_key_src=dict(type='path', aliases=['account_key']), account_key_content=dict(type='str', no_log=True), account_uri=dict(required=False, type='str'), acme_directory=dict( required=False, default='https://acme-staging.api.letsencrypt.org/directory', type='str'), acme_version=dict(required=False, default=1, choices=[1, 2], type='int'), validate_certs=dict(required=False, default=True, type='bool'), terms_agreed=dict(required=False, default=False, type='bool'), state=dict(required=True, choices=['absent', 'present', 'changed_key'], type='str'), allow_creation=dict(required=False, default=True, type='bool'), contact=dict(required=False, type='list', elements='str', default=[]), new_account_key_src=dict(type='path'), new_account_key_content=dict(type='str', no_log=True), select_crypto_backend=dict( required=False, choices=['auto', 'openssl', 'cryptography'], default='auto', type='str'), ), required_one_of=(['account_key_src', 'account_key_content'], ), mutually_exclusive=( ['account_key_src', 'account_key_content'], ['new_account_key_src', 'new_account_key_content'], ), required_if=( # Make sure that for state == changed_key, one of # new_account_key_src and new_account_key_content are specified [ 'state', 'changed_key', ['new_account_key_src', 'new_account_key_content'], True ], ), supports_check_mode=True, ) set_crypto_backend(module) if not module.params.get('validate_certs'): module.warn( warning= 'Disabling certificate validation for communications with ACME endpoint. ' + 'This should only be done for testing against a local ACME server for ' + 'development purposes, but *never* for production purposes.') if module.params.get('acme_version') < 2: module.fail_json( msg='The acme_account module requires the ACME v2 protocol!') try: account = ACMEAccount(module) changed = False state = module.params.get('state') diff_before = {} diff_after = {} if state == 'absent': created, account_data = account.setup_account(allow_creation=False) if account_data: diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] if created: raise AssertionError('Unwanted account creation') if account_data is not None: # Account is not yet deactivated if not module.check_mode: # Deactivate it payload = {'status': 'deactivated'} result, info = account.send_signed_request( account.uri, payload) if info['status'] != 200: raise ModuleFailException( 'Error deactivating account: {0} {1}'.format( info['status'], result)) changed = True elif state == 'present': allow_creation = module.params.get('allow_creation') # Make sure contact is a list of strings (unfortunately, Ansible doesn't do that for us) contact = [str(v) for v in module.params.get('contact')] terms_agreed = module.params.get('terms_agreed') created, account_data = account.setup_account( contact, terms_agreed=terms_agreed, allow_creation=allow_creation, ) if account_data is None: raise ModuleFailException( msg='Account does not exist or is deactivated.') if created: diff_before = {} else: diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] updated = False if not created: updated, account_data = account.update_account( account_data, contact) changed = created or updated diff_after = dict(account_data) diff_after['public_account_key'] = account.key_data['jwk'] elif state == 'changed_key': # Parse new account key error, new_key_data = account.parse_key( module.params.get('new_account_key_src'), module.params.get('new_account_key_content')) if error: raise ModuleFailException( "error while parsing account key: %s" % error) # Verify that the account exists and has not been deactivated created, account_data = account.setup_account(allow_creation=False) if created: raise AssertionError('Unwanted account creation') if account_data is None: raise ModuleFailException( msg='Account does not exist or is deactivated.') diff_before = dict(account_data) diff_before['public_account_key'] = account.key_data['jwk'] # Now we can start the account key rollover if not module.check_mode: # Compose inner signed message # https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3.6 url = account.directory['keyChange'] protected = { "alg": new_key_data['alg'], "jwk": new_key_data['jwk'], "url": url, } payload = { "account": account.uri, "newKey": new_key_data['jwk'], # specified in draft 12 and older "oldKey": account.jwk, # specified in draft 13 and newer } data = account.sign_request(protected, payload, new_key_data) # Send request and verify result result, info = account.send_signed_request(url, data) if info['status'] != 200: raise ModuleFailException( 'Error account key rollover: {0} {1}'.format( info['status'], result)) if module._diff: account.key_data = new_key_data account.jws_header['alg'] = new_key_data['alg'] diff_after = account.get_account_data() elif module._diff: # Kind of fake diff_after diff_after = dict(diff_before) diff_after['public_account_key'] = new_key_data['jwk'] changed = True result = { 'changed': changed, 'account_uri': account.uri, } if module._diff: result['diff'] = { 'before': diff_before, 'after': diff_after, } module.exit_json(**result) except ModuleFailException as e: e.do_fail(module)