openssl_pkcs12: Add a check for parsed pkcs12 files (#145)

* openssl_pkcs12: Add a check for parsed pkcs12 files

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add changelog fragment

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* openssl_pkcs12: Report changed state when a pkcs12 file is dumped

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add a basic test for dumping a pkcs12 file

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Update changelog fragment

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

* Add test for dumped pkcs12 file in check mode

Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>

changelogs/fragments/145-add-check-for-parsed-pkcs12-files.yml

@@ -0,0 +1,2 @@
+bugfixes:
+ - openssl_pkcs12 - report the correct state when ``action`` is ``parse`` (https://github.com/ansible-collections/community.crypto/issues/143).

plugins/modules/openssl_pkcs12.py

@@ -302,6 +302,17 @@ def _check_pkey_passphrase():
                         return False
                 elif bool(self.pkcs12.get_friendlyname()) != bool(pkcs12_friendly_name):
                     return False
+        elif module.params['action'] == 'parse' and os.path.exists(self.src) and os.path.exists(self.path):
+            try:
+                pkey, cert, other_certs, friendly_name = self.parse()
+            except crypto.Error:
+                return False
+            expected_content = to_bytes(
+                ''.join([to_native(pem) for pem in [pkey, cert] + other_certs if pem is not None])
+            )
+            dumped_content = load_file_if_exists(self.path, ignore_errors=True)
+            if expected_content != dumped_content:
+                return False
         else:
             return False
 
@@ -448,6 +459,7 @@ def main():
                     pkey, cert, other_certs, friendly_name = pkcs12.parse()
                     dump_content = ''.join([to_native(pem) for pem in [pkey, cert] + other_certs if pem is not None])
                     pkcs12.write(module, to_bytes(dump_content))
+                    changed = True
 
             file_args = module.load_file_common_arguments(module.params)
             if module.set_fs_attributes_if_different(file_args, changed):

tests/integration/targets/openssl_pkcs12/tasks/impl.yml

@@ -88,6 +88,22 @@
       path: '{{ output_dir }}/ansible_parse.pem'
       action: parse
       state: present
+    register: p12_dumped
+  - name: Dump PKCS#12 file again, idempotency
+    openssl_pkcs12:
+      src: '{{ output_dir }}/ansible.p12'
+      path: '{{ output_dir }}/ansible_parse.pem'
+      action: parse
+      state: present
+    register: p12_dumped_idempotency
+  - name: Dump PKCS#12, check mode
+    openssl_pkcs12:
+      src: '{{ output_dir }}/ansible.p12'
+      path: '{{ output_dir }}/ansible_parse.pem'
+      action: parse
+      state: present
+    check_mode: true
+    register: p12_dumped_check_mode
   - name: Generate PKCS#12 file with multiple certs
     openssl_pkcs12:
       path: '{{ output_dir }}/ansible_multi_certs.p12'

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -20,8 +20,11 @@
       - p12_validate_no_pkey.stdout_lines[-1] == '-----END CERTIFICATE-----'
       - p12_force.changed
       - p12_force_and_mode.mode == '0644' and p12_force_and_mode.changed
+      - p12_dumped.changed
       - not p12_standard_idempotency.changed
       - not p12_multiple_certs_idempotency.changed
+      - not p12_dumped_idempotency.changed
+      - not p12_dumped_check_mode.changed
       - "'www.' in p12_validate_multi_certs.stdout"
       - "'www2.' in p12_validate_multi_certs.stdout"
       - "'www3.' in p12_validate_multi_certs.stdout"