step_ca_provisioner: make idempotent, remove 'updated' state

This commit allows `step_ca_provisioner` to determine whether a given provisioner has been changed, be that through creation or an update. We do this by comparing the provisioner config before and after running the `create/update` command. This has the side-effect of making this module check-mode-incompatible, since there is no way to tell whether a provisioner has changed without actually applying it. This commit also fixes some behavior around the --create parameter to ensure idempotency, as well as some other minor details.
maxhoesel-ansible · Nov 1, 2023 · f4cefda · f4cefda
1 parent 3072e17
commit f4cefda
Show file tree

Hide file tree

Showing 5 changed files with 432 additions and 137 deletions.
diff --git a/after.json b/after.json
@@ -0,0 +1,101 @@
+{
+    "root": "/home/step/certs/root_ca.crt",
+    "federatedRoots": null,
+    "crt": "/home/step/certs/intermediate_ca.crt",
+    "key": "/home/step/secrets/intermediate_ca_key",
+    "address": "127.0.0.1:9000",
+    "insecureAddress": "",
+    "dnsNames": [
+        "localhost",
+        "step-ca"
+    ],
+    "logger": {
+        "format": "text"
+    },
+    "db": {
+        "type": "badgerv2",
+        "dataSource": "/home/step/db",
+        "badgerFileLoadingMode": ""
+    },
+    "authority": {
+        "provisioners": [
+            {
+                "type": "ACME",
+                "name": "tests-ACME",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "X5C",
+                "name": "tests-x5c",
+                "roots": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJhRENDQVEyZ0F3SUJBZ0lRRk1xbFVDTDY0c3g2ZzBNVjhPWm5oREFLQmdncWhrak9QUVFEQWpBU01SQXcKRGdZRFZRUURFd2R5YjI5MExXTmhNQjRYRFRJd01URXhNREl6TXpVd01sb1hEVE13TVRFd09ESXpNelV3TWxvdwpFakVRTUE0R0ExVUVBeE1IY205dmRDMWpZVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCQXRZClpUSUw0RitNak5nZHJ0c2hWVFE2S2MveVBCOC90Zm0raTBDWE1OcS8xMzN5Z1FUZXVadGJDN3NaVXBMR0s4NnQKckxhZFJtd0pqcmNwVythbFl5MmpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBRwpBUUgvQWdFQk1CMEdBMVVkRGdRV0JCUVlMOG9JMU9ENUd3cUhzcmMxTmgrYVRjMmRFakFLQmdncWhrak9QUVFECkFnTkpBREJHQWlFQXhOMHpHSWpWTnJzMGlmTFlKejNwK0xVdjFzbCtBQ2tnSExqby9DNWdJd2NDSVFEdStpSloKeDI3L2M2a3FNNmpUejJ2clFZMjF5bENmcTlLTjVadzIzRjNxU3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "K8SSA",
+                "name": "tests-k8s",
+                "publicKeys": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFQzFobE1ndmdYNHlNMkIydTJ5RlZORG9wei9JOApIeisxK2I2TFFKY3cyci9YZmZLQkJONjVtMXNMdXhsU2tzWXJ6cTJzdHAxR2JBbU90eWxiNXFWakxRPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "JWK",
+                "name": "tests-JWK",
+                "key": {
+                    "use": "sig",
+                    "kty": "EC",
+                    "kid": "J7rqBT78gLTmxWb4Lhsta08YfdrZ5EdJ1pGOucOUf9Q",
+                    "crv": "P-256",
+                    "alg": "ES256",
+                    "x": "6BgLlN4xva8bb0ofJFouHoZPLKpstiyzOtiizRYKmmM",
+                    "y": "Z2syRe6HsOUXPfcdqckflS7JanNZ4IftwN9f8QMrfck"
+                },
+                "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZDR5UHVOdlpkZVI4S2VRTnRteDJ4USJ9.N0gaMzMUC8162Q57z0SIbd9pdej5y8ALtTIgHyBeRnzrPS_3nrYBdA.LhiQ33SeX29wlp7i.y3tdON5pbl1GVhUqSd9X3hYvKWBElEdDZpGwyH3g1jT_NmiQjSti4E8gvWE1ZPLX4_2XhYPE0xbxZESIgzYumQiXbEvLWD3w_FkdxEOO6okwtHFYGOR6GwapurClDwh5sZW9yzMW4qCNJSsxMDag8FyA2KGXPziLRij-rkYdSI1Nk-dBNkR5dYc3cwaZXlLQrwuRxG4gMNQBpgJVUVTi3lRGJ2UUUr8l0DIi_-YbxzH7p3JxD8NX1PJ6vMLI125sUaXjqWUccPtDmTkDxu-GP6-9q3Mwl3FE4yiXvH4RcbzjDOkqE0OIw9ybtylkHhUUFxzww8Kzq7OeKV3jkDw.LSByCENRg1iFLRX-MhOCew",
+                "claims": {
+                    "defaultTLSCertDuration": "1h0m0s",
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            }
+        ],
+        "template": {},
+        "backdate": "1m0s"
+    },
+    "tls": {
+        "cipherSuites": [
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ],
+        "minVersion": 1.2,
+        "maxVersion": 1.3,
+        "renegotiation": false
+    },
+    "commonName": "Step Online CA"
+}
diff --git a/before.json b/before.json
@@ -0,0 +1,101 @@
+{
+    "root": "/home/step/certs/root_ca.crt",
+    "federatedRoots": null,
+    "crt": "/home/step/certs/intermediate_ca.crt",
+    "key": "/home/step/secrets/intermediate_ca_key",
+    "address": "127.0.0.1:9000",
+    "insecureAddress": "",
+    "dnsNames": [
+        "localhost",
+        "step-ca"
+    ],
+    "logger": {
+        "format": "text"
+    },
+    "db": {
+        "type": "badgerv2",
+        "dataSource": "/home/step/db",
+        "badgerFileLoadingMode": ""
+    },
+    "authority": {
+        "provisioners": [
+            {
+                "type": "JWK",
+                "name": "tests-JWK",
+                "key": {
+                    "use": "sig",
+                    "kty": "EC",
+                    "kid": "J7rqBT78gLTmxWb4Lhsta08YfdrZ5EdJ1pGOucOUf9Q",
+                    "crv": "P-256",
+                    "alg": "ES256",
+                    "x": "6BgLlN4xva8bb0ofJFouHoZPLKpstiyzOtiizRYKmmM",
+                    "y": "Z2syRe6HsOUXPfcdqckflS7JanNZ4IftwN9f8QMrfck"
+                },
+                "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZDR5UHVOdlpkZVI4S2VRTnRteDJ4USJ9.N0gaMzMUC8162Q57z0SIbd9pdej5y8ALtTIgHyBeRnzrPS_3nrYBdA.LhiQ33SeX29wlp7i.y3tdON5pbl1GVhUqSd9X3hYvKWBElEdDZpGwyH3g1jT_NmiQjSti4E8gvWE1ZPLX4_2XhYPE0xbxZESIgzYumQiXbEvLWD3w_FkdxEOO6okwtHFYGOR6GwapurClDwh5sZW9yzMW4qCNJSsxMDag8FyA2KGXPziLRij-rkYdSI1Nk-dBNkR5dYc3cwaZXlLQrwuRxG4gMNQBpgJVUVTi3lRGJ2UUUr8l0DIi_-YbxzH7p3JxD8NX1PJ6vMLI125sUaXjqWUccPtDmTkDxu-GP6-9q3Mwl3FE4yiXvH4RcbzjDOkqE0OIw9ybtylkHhUUFxzww8Kzq7OeKV3jkDw.LSByCENRg1iFLRX-MhOCew",
+                "claims": {
+                    "defaultTLSCertDuration": "1h0m0s",
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "ACME",
+                "name": "tests-ACME",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "X5C",
+                "name": "tests-x5c",
+                "roots": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJhRENDQVEyZ0F3SUJBZ0lRRk1xbFVDTDY0c3g2ZzBNVjhPWm5oREFLQmdncWhrak9QUVFEQWpBU01SQXcKRGdZRFZRUURFd2R5YjI5MExXTmhNQjRYRFRJd01URXhNREl6TXpVd01sb1hEVE13TVRFd09ESXpNelV3TWxvdwpFakVRTUE0R0ExVUVBeE1IY205dmRDMWpZVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCQXRZClpUSUw0RitNak5nZHJ0c2hWVFE2S2MveVBCOC90Zm0raTBDWE1OcS8xMzN5Z1FUZXVadGJDN3NaVXBMR0s4NnQKckxhZFJtd0pqcmNwVythbFl5MmpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBRwpBUUgvQWdFQk1CMEdBMVVkRGdRV0JCUVlMOG9JMU9ENUd3cUhzcmMxTmgrYVRjMmRFakFLQmdncWhrak9QUVFECkFnTkpBREJHQWlFQXhOMHpHSWpWTnJzMGlmTFlKejNwK0xVdjFzbCtBQ2tnSExqby9DNWdJd2NDSVFEdStpSloKeDI3L2M2a3FNNmpUejJ2clFZMjF5bENmcTlLTjVadzIzRjNxU3c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            },
+            {
+                "type": "K8SSA",
+                "name": "tests-k8s",
+                "publicKeys": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFQzFobE1ndmdYNHlNMkIydTJ5RlZORG9wei9JOApIeisxK2I2TFFKY3cyci9YZmZLQkJONjVtMXNMdXhsU2tzWXJ6cTJzdHAxR2JBbU90eWxiNXFWakxRPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
+                "claims": {
+                    "enableSSHCA": true,
+                    "disableRenewal": false,
+                    "allowRenewalAfterExpiry": false
+                },
+                "options": {
+                    "x509": {},
+                    "ssh": {}
+                }
+            }
+        ],
+        "template": {},
+        "backdate": "1m0s"
+    },
+    "tls": {
+        "cipherSuites": [
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        ],
+        "minVersion": 1.2,
+        "maxVersion": 1.3,
+        "renegotiation": false
+    },
+    "commonName": "Step Online CA"
+}
diff --git a/plugins/module_utils/cli_wrapper.py b/plugins/module_utils/cli_wrapper.py
@@ -60,11 +60,16 @@ def build_params(self, module_params_cliarg_map: Dict[str, str]) -> List[str]:
             if param_name not in module_params:
                 raise CLIError(f"Could not build command parameters: "
                                f"param '{param_name}' not in module argspec, this is most likely a bug")
+            if param_type == "bool":
+                if bool(module_params[param_name]) is False:
+                    # some flags (such as --ssh in ca provisioner add/update are enabled by default),
+                    # this allows the user to disable them if needed
+                    args.append(f"{module_params_cliarg_map[param_name]}=false")
+                else:
+                    args.append(module_params_cliarg_map[param_name])
             elif not module_params[param_name]:
-                # param not set
+                # parameter is unset
                 pass
-            elif param_type == "bool" and bool(module_params[param_name]):
-                args.append(module_params_cliarg_map[param_name])
             elif param_type == "list":
                 for item in cast(List, module_params[param_name]):
                     args.extend([module_params_cliarg_map[param_name], str(item)])