def test_invalid_data(tmpdir):
result = False
cert_file = tmpdir / 'invalid-cert.pub'
cert_file.write(INVALID_DATA)
try:
OpensshCertificate.load(str(cert_file))
except ValueError:
result = True
assert result
def test_ed25519_certificate(tmpdir):
cert_file = tmpdir / 'id_ed25519-cert.pub'
cert_file.write(ED25519_CERT_SIGNED_BY_RSA_INVALID_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == b'*****@*****.**'
assert cert.public_key == ED25519_FINGERPRINT
assert cert.signing_key == RSA_FINGERPRINT
assert cert.critical_options == INVALID_OPTS
assert cert.extensions == INVALID_EXTENSIONS
def test_ecdsa_certificate(tmpdir):
cert_file = tmpdir / 'id_ecdsa-cert.pub'
cert_file.write(ECDSA_CERT_SIGNED_BY_ED25519_VALID_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == b'*****@*****.**'
assert cert.public_key == ECDSA_FINGERPRINT
assert cert.signing_key == ED25519_FINGERPRINT
assert cert.critical_options == VALID_OPTS
assert cert.extensions == VALID_EXTENSIONS
def test_rsa_certificate(tmpdir):
cert_file = tmpdir / 'id_rsa-cert.pub'
cert_file.write(RSA_CERT_SIGNED_BY_DSA, mode='wb')
cert = OpensshCertificate.load(str(cert_file))
assert cert.key_id == b'test'
assert cert.serial == 0
assert cert.type_string == b'*****@*****.**'
assert cert.public_key == RSA_FINGERPRINT
assert cert.signing_key == DSA_FINGERPRINT
def test_dsa_certificate(tmpdir):
cert_file = tmpdir / 'id_dsa-cert.pub'
cert_file.write(DSA_CERT_SIGNED_BY_ECDSA_NO_OPTS)
cert = OpensshCertificate.load(str(cert_file))
assert cert.type_string == b'*****@*****.**'
assert cert.public_key == DSA_FINGERPRINT
assert cert.signing_key == ECDSA_FINGERPRINT
assert cert.critical_options == []
assert cert.extensions == []
def generate(self):
if not self._is_valid() or self.force:
if not self.check_mode:
key_copy = os.path.join(self.module.tmpdir,
os.path.basename(self.public_key))
try:
self.module.preserved_copy(self.public_key, key_copy)
except OSError as e:
self.module.fail_json(
msg="Unable to stage temporary key: %s" % to_native(e))
self.module.add_cleanup_file(key_copy)
self.module.run_command(self._command_arguments(key_copy),
environ_update=dict(TZ="UTC"),
check_rc=True)
temp_cert = os.path.splitext(key_copy)[0] + '-cert.pub'
self.module.add_cleanup_file(temp_cert)
backup_cert = self.module.backup_local(
self.path) if self.exists() else None
try:
self.module.atomic_move(temp_cert, self.path)
except OSError as e:
if backup_cert is not None:
self.module.atomic_move(backup_cert, self.path)
self.module.fail_json(
msg="Unable to write certificate to %s: %s" %
(self.path, to_native(e)))
else:
if backup_cert is not None:
self.module.add_cleanup_file(backup_cert)
try:
self.data = OpensshCertificate.load(self.path)
except (TypeError, ValueError) as e:
self.module.fail_json(
msg="Unable to read new certificate: %s" %
to_native(e))
self.changed = True
if self.exists():
self._update_permissions()
def __init__(self, module):
self.check_mode = module.check_mode
self.module = module
self.ssh_keygen = module.get_bin_path('ssh-keygen', True)
self.force = module.params['force']
self.identifier = module.params['identifier'] or ""
self.options = module.params['options']
self.path = module.params['path']
self.pkcs11_provider = module.params['pkcs11_provider']
self.principals = module.params['principals'] or []
self.public_key = module.params['public_key']
self.serial_number = module.params['serial_number']
self.signing_key = module.params['signing_key']
self.state = module.params['state']
self.type = module.params['type']
self.use_agent = module.params['use_agent']
self.valid_at = module.params['valid_at']
self.changed = False
self.data = None
self.original_data = None
self.time_parameters = None
if self.state == 'present':
try:
self.time_parameters = OpensshCertificateTimeParameters(
valid_from=module.params['valid_from'],
valid_to=module.params['valid_to'],
)
except ValueError as e:
self.module.fail_json(msg=to_native(e))
if self.exists():
try:
self.original_data = OpensshCertificate.load(self.path)
except (TypeError, ValueError) as e:
self.module.warn("Unable to read existing certificate: %s" %
to_native(e))
self._validate_parameters()