mirror of https://github.com/ansible-collections/community.general.git synced 2026-07-02 16:48:56 +00:00

openssl_csr: ignore empty strings in altnames (#51473)

* Ignore empty strings in altnames.

* Add changelog.

* Add idempotence check without SAN.

* Fix bug in cryptography backend.
Felix Fontein 2019-02-11 11:30:56 +01:00 committed by John R Barker
parent 52d0d51f97
commit 9b1cbcf3a4
4 changed files with 54 additions and 2 deletions


@ -41,6 +41,48 @@
check_mode: yes
register: generate_csr_check_idempotent_check
- name: Generate CSR without SAN (check mode)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_nosan_check
- name: Generate CSR without SAN
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_nosan
- name: Generate CSR without SAN (idempotent)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
register: generate_csr_nosan_check_idempotent
- name: Generate CSR without SAN (idempotent, check mode)
openssl_csr:
path: '{{ output_dir }}/csr-nosan.csr'
privatekey_path: '{{ output_dir }}/privatekey.pem'
subject:
commonName: www.ansible.com
useCommonNameForSAN: no
select_crypto_backend: '{{ select_crypto_backend }}'
check_mode: yes
register: generate_csr_nosan_check_idempotent_check
# keyUsage longname and shortname should be able to be used
# interchangeably. Hence the long name is specified here
# but the short name is used to test idempotency for ipsecuser
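Review bot: None of the four tasks added in this section passes an empty string in `subject_alt_name`, so the behaviour named in the commit title is not exercised here; they only cover a CSR generated with `useCommonNameForSAN: no` and no SAN option at all. Unless one of the changed files not shown on this part of the page adds that case, I would add one more task against the same `csr-nosan.csr` that sets `subject_alt_name: ['']`, register its result, and assert that it `is not changed`, so that an empty altname is shown to be equivalent to no altname for whichever backend `select_crypto_backend` picks. A one-line comment above the block, such as `# CSR without subjectAltName: the CN must not be copied into the SAN`, would also explain why `useCommonNameForSAN` is disabled.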


@ -25,6 +25,14 @@
- generate_csr_check_idempotent is not changed
- generate_csr_check_idempotent_check is not changed
- name: Validate CSR without SAN (check mode, idempotency)
assert:
that:
- generate_csr_nosan_check is changed
- generate_csr_nosan is changed
- generate_csr_nosan_check_idempotent is not changed
- generate_csr_nosan_check_idempotent_check is not changed
- name: Validate CSR_KU_XKU (assert idempotency, change)
assert:
that:
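Review bot: The new `Validate CSR without SAN` block checks only the `changed` flags of the four registered results, so it would still pass if the generated `csr-nosan.csr` carried a subjectAltName extension. Since the purpose of the case is a request without SAN, I would also inspect the file itself, for example with a preceding task that runs `openssl req -noout -text -in '{{ output_dir }}/csr-nosan.csr'` and an assertion that `'Subject Alternative Name' not in` its stdout. The hunk ends inside the following `Validate CSR_KU_XKU` task, which is unchanged context.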