[pfsense_ca] Refactor _copy_and_* methods and allow for disabling ran…

…domserial and trust parameters
pfsensible · Jan 11, 2024 · 3e717eb · 3e717eb
1 parent a63e3e2
commit 3e717eb
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 22 deletions.
diff --git a/changelogs/fragments/pfsense_ca-allow-disabling.yml b/changelogs/fragments/pfsense_ca-allow-disabling.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - pfsense_ca - allow for disabling `randomserial` and `trust` parameters.
diff --git a/plugins/modules/pfsense_ca.py b/plugins/modules/pfsense_ca.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 
-# Copyright: (c) 2018-2021, Orion Poplawski <orion@nwra.com>
+# Copyright: (c) 2018-2024, Orion Poplawski <orion@nwra.com>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
 from __future__ import absolute_import, division, print_function
@@ -32,11 +32,11 @@
     choices: [ "present", "absent" ]
     type: str
   trust:
-    description: Add this Certificate Authority to the Operating System Trust Store.
+    description: Add this Certificate Authority to the Operating System Trust Store. Defaults to false.
     type: bool
     version_added: 0.5.0
   randomserial:
-    description:  Use random serial numbers when signing certifices.
+    description:  Use random serial numbers when signing certifices. Defaults to false.
     type: bool
     version_added: 0.5.0
   certificate:
@@ -234,21 +234,23 @@ def _find_crl_by_refid(self, crlrefid):
     def _create_target(self):
         """ create the XML target_elt """
         elt = self.pfsense.new_element('ca')
-        obj = dict(trust='disabled', randomserial='disabled', serial='0')
-        self.pfsense.copy_dict_to_element(obj, elt)
+        # We need this later in _copy_and_add_target()
+        self.obj['refid'] = self.pfsense.uniqid()
+        elt.append(self.pfsense.new_element('refid', text=self.obj['refid']))
+        # These are default but not enforced values
+        elt.append(self.pfsense.new_element('randomserial', text='disabled'))
+        elt.append(self.pfsense.new_element('serial', text='0'))
+        elt.append(self.pfsense.new_element('trust', text='disabled'))
         return elt
 
     def _copy_and_add_target(self):
         """ populate the XML target_elt """
-        obj = self.obj
-
-        obj['refid'] = self.pfsense.uniqid()
-        self.pfsense.copy_dict_to_element(obj, self.target_elt)
+        self.pfsense.copy_dict_to_element(self.obj, self.target_elt)
         self.diff['after'] = self.pfsense.element_to_dict(self.target_elt)
         self.root_elt.insert(self._find_last_ca_index(), self.target_elt)
         if self.crl is not None:
             crl_elt = self.pfsense.new_element('crl')
-            self.crl['caref'] = obj['refid']
+            self.crl['caref'] = self.obj['refid']
             if 'refid' not in self.crl:
                 self.crl['refid'] = self.pfsense.uniqid()
             self.pfsense.copy_dict_to_element(self.crl, crl_elt)
@@ -258,12 +260,7 @@ def _copy_and_add_target(self):
 
     def _copy_and_update_target(self):
         """ update the XML target_elt """
-        obj = self.obj
-        before = self.pfsense.element_to_dict(self.target_elt)
-        self.diff['before'] = before
-
-        changed = self.pfsense.copy_dict_to_element(obj, self.target_elt)
-        self.diff['after'] = self.pfsense.element_to_dict(self.target_elt)
+        (before, changed) = super(PFSenseCAModule, self)._copy_and_update_target()
 
         if self.crl is not None:
             crl_elt = None

diff --git a/tests/unit/plugins/modules/pfsense_module.py b/tests/unit/plugins/modules/pfsense_module.py
@@ -1,6 +1,6 @@
 # Copyright: (c) 2018 Red Hat Inc.
 # Copyright: (c) 2018, Frederic Bor <frederic.bor@wanadoo.fr>
-# Copyright: (c) 2022, Orion Poplawski <orion@nwra.com>
+# Copyright: (c) 2024, Orion Poplawski <orion@nwra.com>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
 from __future__ import (absolute_import, division, print_function)
@@ -408,9 +408,9 @@ def check_param_equal(self, params, target_elt, param, default=None, xml_field=N
         else:
             self.assert_xml_elt_is_none_or_empty(target_elt, xml_field)
 
-    def check_param_bool(self, params, target_elt, param, default=False, value_true=None, xml_field=None):
+    def check_param_bool(self, params, target_elt, param, default=False, value_true=None, value_false=None, xml_field=None):
         """ if param is defined, check the elt exist and text equals value_true, otherwise that it does not exist in XML or
-            is empty if value_true is not None """
+            is empty if value_true is not None or equals value_false if set """
         if xml_field is None:
             xml_field = param
 
@@ -423,7 +423,10 @@ def check_param_bool(self, params, target_elt, param, default=False, value_true=
             if value_true is None:
                 self.assert_not_find_xml_elt(target_elt, xml_field)
             else:
-                self.assert_xml_elt_is_none_or_empty(target_elt, xml_field)
+                if value_false is not None:
+                    self.assert_xml_elt_equal(target_elt, xml_field, value_false)
+                else:
+                    self.assert_xml_elt_is_none_or_empty(target_elt, xml_field)
 
     def check_value_equal(self, target_elt, xml_field, value, empty=True):
         """ if value is defined, check if target_elt has the right value, otherwise that it does not exist in XML """

diff --git a/tests/unit/plugins/modules/test_pfsense_ca.py b/tests/unit/plugins/modules/test_pfsense_ca.py
@@ -84,8 +84,10 @@ def check_target_elt(self, obj, target_elt):
         """ check XML definition of target elt """
 
         self.check_param_equal(obj, target_elt, 'name', xml_field='descr')
-        self.check_param_equal_or_present(obj, target_elt, 'trust')
-        self.check_param_equal_or_present(obj, target_elt, 'randomserial')
+        if 'trust' in obj:
+            self.check_param_bool(obj, target_elt, 'trust', value_true='enabled', value_false='disabled')
+        if 'randomserial' in obj:
+            self.check_param_bool(obj, target_elt, 'randomserial', value_true='enabled', value_false='disabled')
         self.check_param_equal_or_present(obj, target_elt, 'serial')
         self.check_param_equal(obj, target_elt, 'certificate', xml_field='crt')
 
@@ -122,6 +124,11 @@ def test_ca_update_serial(self):
         obj = dict(name='testdel', certificate=CERTIFICATE, serial=10)
         self.do_module_test(obj, command='update ca testdel set ')
 
+    def test_ca_update_trust(self):
+        """ test updating trust of a ca """
+        obj = dict(name='testdel', certificate=CERTIFICATE, trust=False)
+        self.do_module_test(obj, command='update ca testdel set ')
+
     ##############
     # misc
     #