Output all validated challenges with basic infos.

2024-05-15 08:08:37 +02:00 · 2024-05-15 08:08:37 +02:00 · a1ad4ac9d6
parent 0737fc4eaf
commit a1ad4ac9d6
6 changed files with 64 additions and 12 deletions
--- a/plugins/module_utils/acme/certificate.py
+++ b/plugins/module_utils/acme/certificate.py
@ -161,11 +161,12 @@ class ACMECertificateClient(object):
        return [authz for authz in order.authorizations.values() if authz.status == 'pending']

    def call_validate(self, pending_authzs, get_challenge, wait=True):
-        authzs_to_wait_for = []
+        authzs_with_challenges_to_wait_for = []
        for authz in pending_authzs:
-            authz.call_validate(self.client, get_challenge(authz), wait=wait)
-            authzs_to_wait_for.append(authz)
-        return authzs_to_wait_for
+            challenge_type = get_challenge(authz)
+            authz.call_validate(self.client, challenge_type, wait=wait)
+            authzs_with_challenges_to_wait_for.append((authz, challenge_type, authz.find_challenge(challenge_type)))
+        return authzs_with_challenges_to_wait_for

    def wait_for_validation(self, authzs_to_wait_for):
        wait_for_validation(authzs_to_wait_for, self.client)
--- a/plugins/modules/acme_certificate_order_validate.py
+++ b/plugins/modules/acme_certificate_order_validate.py
@ -191,6 +191,44 @@ account_uri:
  description: ACME account URI.
  returned: success
  type: str
+validating_challenges:
+  description: List of challenges whose validation was triggered.
+  returned: success
+  type: list
+  elements: dict
+  contains:
+    identifier:
+      description:
+        - The identifier the challenge is for.
+      type: str
+      returned: always
+    identifier_type:
+      description:
+        - The identifier's type for the challenge.
+      type: str
+      returned: always
+      choices:
+        - dns
+        - ip
+    authz_url:
+      description:
+        - The URL of the authorization object for this challenge.
+      type: str
+      returned: always
+    challenge_type:
+      description:
+        - The challenge's type.
+      type: str
+      returned: always
+      choices:
+        - http-01
+        - dns-01
+        - tls-alpn-01
+    challenge_url:
+      description:
+        - The URL of the challenge object.
+      type: str
+      returned: always
 '''

 from ansible_collections.community.crypto.plugins.module_utils.acme.acme import (
@ -266,7 +304,7 @@ def main():
            ]

            # Step 4: validate pending authorizations
-            authzs_to_wait_for = client.call_validate(
+            authzs_with_challenges_to_wait_for = client.call_validate(
                really_pending_authzs,
                get_challenge=lambda authz: challenges[authz.combined_identifier],
                wait=False,
@ -277,8 +315,18 @@ def main():
            if order and module.params['deactivate_authzs'] and not done:
                client.deactivate_authzs(order)
        module.exit_json(
-            changed=len(authzs_to_wait_for) > 0,
+            changed=len(authzs_with_challenges_to_wait_for) > 0,
            account_uri=client.client.account_uri,
+            validating_challenges=[
+                dict(
+                    identifier=authz.identifier,
+                    identifier_type=authz.identifier_type,
+                    authz_url=authz.url,
+                    challenge_type=challenge_type,
+                    challenge_url=challenge.url,
+                )
+                for authz, challenge_type, challenge in authzs_with_challenges_to_wait_for
+            ],
        )
    except ModuleFailException as e:
        e.do_fail(module)
--- a/tests/integration/targets/acme_certificate_order/tasks/impl.yml
+++ b/tests/integration/targets/acme_certificate_order/tasks/impl.yml
@ -102,8 +102,8 @@
      - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
      - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
      - order_info_1.authorizations_by_identifier['dns:' ~ domain_name].status == 'pending'
-      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'pending'
-      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'dns-01') | first).status == 'pending'
+      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'pending'
+      - (order_info_1.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'dns-01') | first).status == 'pending'
      - order_info_1.authorizations_by_status['deactivated'] | length == 0
      - order_info_1.authorizations_by_status['expired'] | length == 0
      - order_info_1.authorizations_by_status['invalid'] | length == 0
@ -168,8 +168,8 @@
      - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
      - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
      - order_info_2.authorizations_by_identifier['dns:' ~ domain_name].status in ['pending', 'valid']
-      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status in ['processing', 'valid']
-      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'dns-01') | first).status == 'pending'
+      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status in ['processing', 'valid']
+      - (order_info_2.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'dns-01') | first).status == 'pending'
      - order_info_2.authorizations_by_status['deactivated'] | length == 0
      - order_info_2.authorizations_by_status['expired'] | length == 0
      - order_info_2.authorizations_by_status['invalid'] | length == 0
@ -264,7 +264,7 @@
      - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
      - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
      - order_info_3.authorizations_by_identifier['dns:' ~ domain_name].status == 'valid'
-      - (order_info_3.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'valid'
+      - (order_info_3.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'valid'
      - order_info_3.authorizations_by_status['deactivated'] | length == 0
      - order_info_3.authorizations_by_status['expired'] | length == 0
      - order_info_3.authorizations_by_status['invalid'] | length == 0
@ -328,7 +328,7 @@
      - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.type == 'dns'
      - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].identifier.value == domain_name
      - order_info_4.authorizations_by_identifier['dns:' ~ domain_name].status == 'deactivated'
-      - (order_info_4.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'eq', 'http-01') | first).status == 'valid'
+      - (order_info_4.authorizations_by_identifier['dns:' ~ domain_name].challenges | selectattr('type', 'equalto', 'http-01') | first).status == 'valid'
      - order_info_4.authorizations_by_status['deactivated'] | length == 1
      - order_info_4.authorizations_by_status['deactivated'][0] == 'dns:' ~ domain_name
      - order_info_4.authorizations_by_status['expired'] | length == 0
--- a/tests/sanity/ignore-2.10.txt
+++ b/tests/sanity/ignore-2.10.txt
@ -8,6 +8,7 @@ docs/docsite/rst/guide_selfsigned.rst rstcheck
 plugins/modules/acme_account_info.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_create.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_info.py validate-modules:return-syntax-error
+plugins/modules/acme_certificate_order_validate.py validate-modules:return-syntax-error
 plugins/modules/acme_challenge_cert_helper.py validate-modules:return-syntax-error
 plugins/modules/ecs_certificate.py validate-modules:invalid-documentation
 plugins/modules/get_certificate.py validate-modules:invalid-documentation
--- a/tests/sanity/ignore-2.11.txt
+++ b/tests/sanity/ignore-2.11.txt
@ -7,6 +7,7 @@
 plugins/modules/acme_account_info.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_create.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_info.py validate-modules:return-syntax-error
+plugins/modules/acme_certificate_order_validate.py validate-modules:return-syntax-error
 plugins/modules/acme_challenge_cert_helper.py validate-modules:return-syntax-error
 plugins/modules/ecs_certificate.py validate-modules:invalid-documentation
 plugins/modules/get_certificate.py validate-modules:invalid-documentation
--- a/tests/sanity/ignore-2.12.txt
+++ b/tests/sanity/ignore-2.12.txt
@ -2,6 +2,7 @@
 plugins/modules/acme_account_info.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_create.py validate-modules:return-syntax-error
 plugins/modules/acme_certificate_order_info.py validate-modules:return-syntax-error
+plugins/modules/acme_certificate_order_validate.py validate-modules:return-syntax-error
 plugins/modules/acme_challenge_cert_helper.py validate-modules:return-syntax-error
 plugins/modules/ecs_certificate.py validate-modules:invalid-documentation
 plugins/modules/get_certificate.py validate-modules:invalid-documentation