Merge pull request #48635 from nbraud/acme

Bug fixes in the acme module & state
2024-11-07 08:58:59 +00:00 · 2018-07-22 13:53:48 -06:00 · 2018-07-22 13:53:48 -06:00 · 83e4bba916
commit 83e4bba916
parent 85991680c8 3673bae9de
2 changed files with 17 additions and 22 deletions
--- a/salt/modules/acme.py
+++ b/salt/modules/acme.py
@ -101,6 +101,7 @@ def cert(name,
         server=None,
         owner='root',
         group='root',
+         mode='0640',
         certname=None):
    '''
    Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
@ -113,8 +114,9 @@ def cert(name,
    :param renew: True/'force' to force a renewal, or a window of renewal before expiry in days
    :param keysize: RSA key bits
    :param server: API endpoint to talk to
-    :param owner: owner of private key
-    :param group: group of private key
+    :param owner: owner of the private key file
+    :param group: group of the private key file
+    :param mode: mode of the private key file
    :param certname: Name of the certificate to save
    :return: dict with 'result' True/False/None, 'comment' and certificate's expiry date ('not_after')

@ -170,27 +172,17 @@ def cert(name,
        return {'result': False, 'comment': 'Certificate {0} renewal failed with:\n{1}'.format(name, res['stderr'])}

    if 'no action taken' in res['stdout']:
-        return {'result': None,
-                'comment': 'No action taken on certificate {0}'.format(cert_file),
-                'not_after': expires(name)}
-
-    if renew:
+        comment = 'Certificate {0} unchanged'.format(cert_file)
+    elif renew:
        comment = 'Certificate {0} renewed'.format(name)
    else:
        comment = 'Certificate {0} obtained'.format(name)
-    ret = {'comment': comment, 'not_after': expires(name)}

-    res = __salt__['file.check_perms'](_cert_file(name, 'privkey'), {}, owner, group, '0600', follow_symlinks=True)
-
-    if res is None:
-        ret['result'] = False
-        ret['comment'] += ', but setting permissions failed.'
-    elif not res[0].get('result', False):
-        ret['result'] = False
-        ret['comment'] += ', but setting permissions failed with \n{0}'.format(res[0]['comment'])
-    else:
-        ret['result'] = True
-        ret['comment'] += '.'
+    ret = {'comment': comment, 'not_after': expires(name), 'changes': {}, 'result': True}
+    ret, _ = __salt__['file.check_perms'](_cert_file(name, 'privkey'),
+                                          ret,
+                                          owner, group, mode,
+                                          follow_symlinks=True)

    return ret

--- a/salt/states/acme.py
+++ b/salt/states/acme.py
@ -49,6 +49,7 @@ def cert(name,
         server=None,
         owner='root',
         group='root',
+         mode='0640',
         certname=None):
    '''
    Obtain/renew a certificate from an ACME CA, probably Let's Encrypt.
@ -61,8 +62,9 @@ def cert(name,
    :param renew: True/'force' to force a renewal, or a window of renewal before expiry in days
    :param keysize: RSA key bits
    :param server: API endpoint to talk to
-    :param owner: owner of private key
-    :param group: group of private key
+    :param owner: owner of the private key file
+    :param group: group of the private key file
+    :param mode: mode of the private key file
    :param certname: Name of the certificate to save
    '''

@ -105,7 +107,8 @@ def cert(name,
        keysize=keysize,
        server=server,
        owner=owner,
-        group=group
+        group=group,
+        mode=mode
    )

    ret = {