java_cert: detect silent keytool failures by verifying import outcome (#12238)

* fix(java_cert): detect silent keytool failures by verifying import outcome Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * test(java_cert): add integration tests for silent keytool failure detection Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * changelog: add fragment for PR 12238 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * dummy --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 20:37:43 +00:00 · 2026-06-14 18:18:31 +12:00 · 2026-06-14 18:18:31 +12:00 · f4339d8c0d
commit f4339d8c0d
parent ebb813680e
3 changed files with 51 additions and 1 deletions
--- a/changelogs/fragments/12238-java-cert-keytool-failure-detection.yml
+++ b/changelogs/fragments/12238-java-cert-keytool-failure-detection.yml
@ -0,0 +1,4 @@
+bugfixes:
+  - "java_cert - detect silent ``keytool`` failures by verifying the import outcome after the command exits with ``rc=0``
+    (https://github.com/ansible-collections/community.general/issues/6685,
+    https://github.com/ansible-collections/community.general/pull/12238)."
--- a/plugins/modules/java_cert.py
+++ b/plugins/modules/java_cert.py
@ -411,6 +411,14 @@ def import_pkcs12_path(
    if import_rc != 0 or not os.path.exists(keystore_path):
        module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)

+    check_alias = keystore_alias or pkcs12_alias
+    if check_alias:
+        alias_exists, dummy = _check_cert_present(
+            module, executable, keystore_path, keystore_pass, check_alias, keystore_type
+        )
+        if not alias_exists:
+            module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
+
    return dict(
        changed=True, msg=import_out, rc=import_rc, cmd=import_cmd, stdout=import_out, error=import_err, diff=diff
    )
@ -431,7 +439,11 @@ def import_cert_path(module, executable, path, keystore_path, keystore_pass, ali
    )
    diff = {"before": "\n", "after": f"{alias}\n"}

-    if import_rc != 0:
+    if import_rc != 0 or not os.path.exists(keystore_path):
+        module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)
+
+    alias_exists, dummy = _check_cert_present(module, executable, keystore_path, keystore_pass, alias, keystore_type)
+    if not alias_exists:
        module.fail_json(msg=import_out, rc=import_rc, cmd=import_cmd, error=import_err)

    return dict(
--- a/tests/integration/targets/java_cert/tasks/state_change.yml
+++ b/tests/integration/targets/java_cert/tasks/state_change.yml
@ -93,6 +93,40 @@
 # Run tests
 #

+- name: import cert with too-short keystore password should fail
+  community.general.java_cert:
+    cert_alias: test_cert
+    cert_path: "{{ test_cert_path }}"
+    keystore_path: "{{ remote_tmp_dir }}/keystore_short_pass.jks"
+    keystore_pass: ""
+    keystore_create: true
+    state: present
+  ignore_errors: true
+  register: result_short_pass_cert
+
+- name: verify failure with too-short keystore password for cert import
+  ansible.builtin.assert:
+    that:
+      - result_short_pass_cert is failed
+
+- name: import pkcs12 with too-short keystore password should fail
+  community.general.java_cert:
+    cert_alias: test_pkcs12_cert
+    pkcs12_alias: test_pkcs12_cert
+    pkcs12_path: "{{ test_pkcs_path }}"
+    pkcs12_password: "{{ test_keystore2_password }}"
+    keystore_path: "{{ remote_tmp_dir }}/keystore_short_pass_pkcs12.jks"
+    keystore_pass: ""
+    keystore_create: true
+    state: present
+  ignore_errors: true
+  register: result_short_pass_pkcs12
+
+- name: verify failure with too-short keystore password for pkcs12 import
+  ansible.builtin.assert:
+    that:
+      - result_short_pass_pkcs12 is failed
+
 - name: try to create the test keystore based on the just created pkcs12, keystore_create flag not enabled
  community.general.java_cert:
    cert_alias: test_pkcs12_cert