ansible_freeipa_module: New function load_cert_from_str

For certmapdata processing in ipauser it is needed to be able to load a cert from a string given in the task to be able to get the issuer and subject of the certificate. The format of the certifiacte here is lacking the markers for the begin and end of the certificate. Therefore load_pem_x509_certificate can not be used directly. Also in IPA < 4.5 it is needed to load the certificate with load_certificate instead of load_pem_x509_certificate. The function is implementing this properly.

ansible_freeipa_module: New function load_cert_from_str
571cc210 · Thomas Woerner · a432c3ff · 571cc210
Commit 571cc210 authored 4 years ago by Thomas Woerner
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -48,6 +48,13 @@ try:
    from ipalib.x509 import Encoding
 except ImportError:
    from cryptography.hazmat.primitives.serialization import Encoding
+
+try:
+    from ipalib.x509 import load_pem_x509_certificate
+except ImportError:
+    from ipalib.x509 import load_certificate
+    load_pem_x509_certificate = None
+
 import socket
 import base64
 import six
@@ -323,6 +330,20 @@ def encode_certificate(cert):
    return encoded


+def load_cert_from_str(cert):
+    cert = cert.strip()
+    if not cert.startswith("-----BEGIN CERTIFICATE-----"):
+        cert = "-----BEGIN CERTIFICATE-----\n" + cert
+    if not cert.endswith("-----END CERTIFICATE-----"):
+        cert += "\n-----END CERTIFICATE-----"
+
+    if load_pem_x509_certificate is not None:
+        cert = load_pem_x509_certificate(cert.encode('utf-8'))
+    else:
+        cert = load_certificate(cert.encode('utf-8'))
+    return cert
+
+
 def is_valid_port(port):
    if not isinstance(port, int):
        return False