refactor: address all implementation comments

Still need testing.
maxhoesel-ansible · Oct 9, 2021 · b517f16 · b517f16
1 parent 706d2d8
commit b517f16
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 63 deletions.
diff --git a/roles/step_certificate/README.md b/roles/step_certificate/README.md
@@ -1,6 +1,6 @@
 # maxhoesel.smallstep.step_certificate
 
-Get a certificate from a CA with ACME and setup automatic renewal using `step-cli renew`.
+Get a certificate from a CA, using a specified provisioner, and setup automatic renewal using `step-cli renew`.
 
 This role uses `step-cli` to request and save a certificate from the configured CA,
 before setting up a renewal service using `step-cli ca renew`s `--daemon` mode.
@@ -51,9 +51,13 @@ before setting up a renewal service using `step-cli ca renew`s `--daemon` mode.
 
 #### JWK
 
+##### `step_cert_ca_jwk_password`
+- The password used to decrypt the one-time token generating key from a JWK provisioner on the CA.
+- Required: If using a JWK provisioner, either this or `step_cert_ca_jwk_password_file` is required.
+
 ##### `step_cert_ca_jwk_password_file`
 - Path to the file on the client system containing the password used to decrypt the one-time token generating key from a JWK provisioner on the CA.
-- Required: Yes, if using a JWK provisioner.
+- Required: If using a JWK provisioner, either this or `step_cert_ca_jwk_password` is required.
 
 ### Certificate
 
@@ -150,8 +154,8 @@ When using a JWK provisioner, you will need a shared secret between the CA serve
   tasks:
     - name: step-ca | deploy CA JWK provisioner password
       copy:
-        dest: "{{ step_jwk_provisioner_password_file }}"
-        content: "SUPER SECRET {{ step_provisioner_token_password_secret_thing }}"
+        dest: "{{ step_ca_jwk_provisioner_password_file }}"
+        content: "SUPER SECRET JWK Provisioner Password"
         owner: step-ca
         group: step-ca
         mode: 0600
@@ -160,7 +164,7 @@ When using a JWK provisioner, you will need a shared secret between the CA serve
       maxhoesel.smallstep.step_ca_provisioner:
         type: JWK
         name: "JWK@{{ ansible_domain }}"
-        jwk_password_file: "{{ step_jwk_provisioner_password_file }}"
+        jwk_password_file: "{{ step_ca_jwk_provisioner_password_file }}"
       become_user: step-ca
       notify: reload step-ca
 
@@ -180,18 +184,12 @@ When using a JWK provisioner, you will need a shared secret between the CA serve
         step_bootstrap_fingerprint: your CAs fingerprint
       become: yes
 
-    - name: step-client | deploy CA JWK provisioner password
-      copy:
-        dest: "{{ step_jwk_provisioner_password_file }}"
-        content: "SUPER SECRET {{ step_provisioner_token_password_secret_thing }}"
-        mode: 0600
-        owner: "{{ system_root_user }}"
-        group: "{{ system_root_group }}"
-
     # Configure a JWK provisioned cert + renewal in /etc/step
     - role: maxhoesel.smallstep.step_certificate
       vars:
         step_cert_ca_provisioner_type: JWK
         step_cert_ca_provisioner_name: "JWK@{{ ansible_domain }}"
-        step_cert_ca_jwk_password_file: "{{ step_jwk_provisioner_password_file }}"
+        step_cert_ca_jwk_password: "SUPER SECRET JWK Provisioner Password"
+        # or:
+        # step_cert_ca_jwk_password_file: "/path/to/file/containing/jwk/provisioner/password/on/step/client/host"
 ```
diff --git a/roles/step_certificate/meta/argument_specs.yml b/roles/step_certificate/meta/argument_specs.yml
@@ -20,6 +20,10 @@ argument_specs:
         type: str
         default: ""
         description: Path to the webroot, for ACME, or empty for standalone mode
+      step_cert_ca_jwk_password:
+        type: str
+        default: ""
+        description: Password used to decrypt the one-time token generating key from a JWK provisioner on the CA.  Either this or `step_cert_ca_jwk_password_file` is required for JWK Provisioners.
       step_cert_ca_jwk_password_file:
         type: str
         default: ""

diff --git a/roles/step_certificate/tasks/cert.yml b/roles/step_certificate/tasks/cert.yml
@@ -11,12 +11,7 @@
   register: _step_cert_check
 
 - name: Include certificate generation tasks, by certificate type
-  include_tasks: "{{ _cert_tasks_file }}"
-  vars:
-    _cert_tasks_paths:
-      - "get_cert/{{ step_cert_ca_provisioner_type | d('UNDEFINED') }}.yml"
-      - "get_cert/default.yml"
-    _cert_tasks_file: "{{ lookup('first_found', _cert_tasks_paths, errors='ignore') }}"
+  include_tasks: "get_cert/{{ step_cert_ca_provisioner_type }}.yml"
   when: (_step_cert_check.rc | d(1)) != 0
 
 - name: Look for existing certificate file

diff --git a/roles/step_certificate/tasks/check.yml b/roles/step_certificate/tasks/check.yml
@@ -8,6 +8,17 @@
       - step_cert_ca_provisioner_name | length > 0
   when: ansible_version.string is version('2.11.1', '<')
 
+- name: Ensure that we know how to handle the requested provisioner type
+  vars:
+    # Add to this list when adding a new provisioner type, with corresponding `get_cert/XXX.yml`.
+    _allowed_provisioner_types:
+      - ACME
+      - JWK
+  assert:
+    that:
+      - step_cert_ca_provisioner_type in _allowed_provisioner_types
+    fail_msg: No known or no support (yet) for type '{{ step_cert_ca_provisioner_type }}' provisioners
+
 - name: Look for step_cli_executable # noqa command-instead-of-shell
   #"command" is a shell builtin, hence the need for the shell module
   shell: "command -v {{ step_cli_executable }}"

diff --git a/roles/step_certificate/tasks/get_cert/default.yml b/roles/step_certificate/tasks/get_cert/default.yml
diff --git a/roles/step_certificate/tasks/get_cert/jwk.yml b/roles/step_certificate/tasks/get_cert/jwk.yml
@@ -1,42 +1,58 @@
 ---
+- name: JWK Certificate Creation (Block)
+  block:
 
-#  CARGS="--ca-url https://hecate.sift.net --root /etc/step/certs/root_ca.crt"
-#  HOST=testing
-#  TOKEN=$(step-cli ca token $HOST.sift.net $CARGS)
-#  step-cli ca certificate $HOST.sift.net $HOST.crt $HOST.key --token $TOKEN $CARGS
-#  openssl x509 -noout -dates <$HOST.crt
-#  step-cli ca renew $HOST.crt $HOST.key $CARGS
-#  openssl x509 -noout -dates <$HOST.crt
-#  step-cli ca certificate $HOST.sift.net $HOST.crt $HOST.key --token $TOKEN $CARGS
+    - name: Create temproary file for JWK password
+      ansible.builtin.tempfile:
+        state: file
+        suffix: jwk
+      register: _jwk_password_file
+      when:
+        - step_cert_ca_jwk_password is defined
+        - step_cert_ca_jwk_password | length > 0
 
-- name: Generate JWK certificate token
-  maxhoesel.smallstep.step_ca_token:
-    name: '{{ step_cert_name }}'
-    san: "{{ step_cert_san }}"
-    provisioner: "{{ step_cert_ca_provisioner_name }}"
-    provisioner_password_file: "{{ step_cert_ca_jwk_password_file }}"
-    not_after: "{{ step_cert_duration | d(omit) }}"
-    return_token: true
-    step_cli_executable: "{{ step_cli_executable }}"
-  register: _step_cert_token
+    - name: deploy JWK provisioner password to temporary file
+      copy:
+        dest: "{{ _jwk_password_file.path }}"
+        content: "{{ step_cert_ca_jwk_password }}"
+        mode: 0600
+      no_log: true
+      when: _jwk_password_file.path is defined
 
-# - debug:
-#    var: _step_cert_token
-#   changed_when: true
+    - name: Generate JWK certificate token
+      maxhoesel.smallstep.step_ca_token:
+        name: '{{ step_cert_name }}'
+        san: "{{ step_cert_san }}"
+        provisioner: "{{ step_cert_ca_provisioner_name }}"
+        provisioner_password_file: "{{ _jwk_password_file.path | d(step_cert_ca_jwk_password_file) | mandatory }}"
+        not_after: "{{ step_cert_duration | d(omit) }}"
+        return_token: true
+        step_cli_executable: "{{ step_cli_executable }}"
+      register: _step_cert_token
 
-- name: Get certificate from CA via JWK provisioner
-  maxhoesel.smallstep.step_ca_certificate:
-    provisioner: "{{ step_cert_ca_provisioner_name }}"
-    token: "{{ _step_cert_token.token }}"
-    name: '{{ step_cert_name }}'
-    san: "{{ step_cert_san }}"
-    contact: "{{ step_cert_contact }}"
-    not_after: "{{ step_cert_duration | d(omit) }}"
-    crt_file: "{{ step_cert_certfile_full.path }}"
-    key_file: "{{ step_cert_keyfile_full.path }}"
-    force: yes  # stupid, but required flag to allow overwriting existing files
-    step_cli_executable: "{{ step_cli_executable }}"
-  become: yes
-  environment:
-    STEPPATH: "{{ step_cli_steppath }}"
-  register: _step_certificate
+    - name: Get certificate from CA via JWK provisioner
+      maxhoesel.smallstep.step_ca_certificate:
+        provisioner: "{{ step_cert_ca_provisioner_name }}"
+        token: "{{ _step_cert_token.token }}"
+        name: '{{ step_cert_name }}'
+        san: "{{ step_cert_san }}"
+        contact: "{{ step_cert_contact }}"
+        not_after: "{{ step_cert_duration | d(omit) }}"
+        crt_file: "{{ step_cert_certfile_full.path }}"
+        key_file: "{{ step_cert_keyfile_full.path }}"
+        force: yes  # stupid, but required flag to allow overwriting existing files
+        step_cli_executable: "{{ step_cli_executable }}"
+      become: yes
+      environment:
+        STEPPATH: "{{ step_cli_steppath }}"
+      register: _step_certificate
+
+  # BLOCK Handling: cleanup temporary files
+  always:
+    - name: Remove temporary JWK password file
+      ansible.builtin.file:
+        path: "{{ _jwk_password_file.path }}"
+        state: absent
+      when: _jwk_password_file.path is defined
+
+# END BLOCK: JWK Certificate Creation (Block)
diff --git a/roles/step_certificate/tasks/main.yml b/roles/step_certificate/tasks/main.yml
@@ -3,7 +3,4 @@
 - include: check.yml
 - include: vars.yml
 - include: cert.yml
-
-# - meta: end_host
-
 - include: renewal.yml