added config checks/validations

2023-02-12 21:45:42 +01:00 · 2023-02-12 21:45:42 +01:00 · 3de0fee286
parent 635ed0c5b0
commit 3de0fee286
7 changed files with 58 additions and 4 deletions
--- a/defaults/main/0_hardcoded.yml
+++ b/defaults/main/0_hardcoded.yml
@ -0,0 +1,12 @@
+---
+
+CERT_HC:
+  letsencrypt:
+    options:
+      service: ['apache', 'nginx']
+      verbosity: ['v', 'vv', 'vvv', 'vvvv']
+
+  options:
+    key_size:
+      ca: [1024, '1024', 2048, '2048', 4096, '4096', 8192, '8192']
+      cert: [1024, '1024', 2048, '2048', 4096, '4096']
--- a/defaults/main/1_main.yml
+++ b/defaults/main/1_main.yml
@ -63,6 +63,7 @@ defaults_certs:
    certs: {}  # see 'default_le_certbot_cert' below
    renew: false  # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
    email:
+    key_size:

  ca:
    path:
@ -100,3 +101,4 @@ default_le_certbot_cert:
 #   example2:
 #     domains: ['example2.ansibleguy.net']
 #     email: 'dummy@ansibleguy.net'
+
--- a/filter_plugins/utils.py
+++ b/filter_plugins/utils.py
@ -13,6 +13,7 @@ class FilterModule(object):
            "check_email": self.check_email,
            "le_domains_changed": self.le_domains_changed,
            "ensure_list": self.ensure_list,
+            "validate_email": self.validate_email,
        }

    @staticmethod
@ -20,7 +21,7 @@ class FilterModule(object):
        return regex_replace(r'[^0-9a-zA-Z\.]+', '', key.replace(' ', '_'))

    @staticmethod
-    def valid_hostname(name: str) -> bool:
+    def _valid_domain(name: str) -> bool:
        # see: https://validators.readthedocs.io/en/latest/_modules/validators/domain.html
        domain = regex_compile(
            r'^(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|'
@ -28,11 +29,14 @@ class FilterModule(object):
            r'([a-zA-Z0-9][-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.'
            r'([a-zA-Z]{2,13}|[a-zA-Z0-9-]{2,30}.[a-zA-Z]{2,3})$'
        )
-        valid_domain = domain.match(name) is not None
+        return domain.match(name) is not None
+
+    @classmethod
+    def valid_hostname(cls, name: str) -> bool:
        # see: https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
        expr_hostname = r'^[a-zA-Z0-9-\.]{1,253}$'
        valid_hostname = regex_match(expr_hostname, name) is not None
-        return all([valid_domain, valid_hostname])
+        return all([cls._valid_domain(name), valid_hostname])

    @staticmethod
    def valid_ip(ip: str) -> bool:
@ -52,6 +56,20 @@ class FilterModule(object):

        return True

+    @classmethod
+    def validate_email(cls, email: str) -> bool:
+        # ToDo: further checks like https://validators.readthedocs.io/en/latest/_modules/validators/email.html#email
+        if email.find('@') == -1:
+            return False
+
+        full_len = len(email)
+        sub_len = len(email.replace('@', ''))
+
+        if full_len != (sub_len + 1):
+            return False
+
+        return cls._valid_domain(email.split('@', 1)[1])
+
    @staticmethod
    def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool:
        changed = False
--- a/tasks/debian/letsencrypt/cert.yml
+++ b/tasks/debian/letsencrypt/cert.yml
@ -7,6 +7,16 @@
    - debug is defined
    - debug

+# ToDo: path validation
+- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Checking config"
+  ansible.builtin.assert:
+    that:
+      - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
+      - CERT_CONFIG.letsencrypt.verbosity in CERT_HC.letsencrypt.options.verbosity
+      - le_cert.key_size in CERT_HC.options.key_size.cert
+      - le_cert.domains | length > 0
+      - le_cert.email | validate_email or CERT_CONFIG.cert.email | validate_email
+
 - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
  ansible.builtin.file:
    path: "{{ item }}"
--- a/tasks/debian/letsencrypt/main.yml
+++ b/tasks/debian/letsencrypt/main.yml
@ -6,7 +6,7 @@
      - CERT_CONFIG.letsencrypt.certs | length > 0
      - CERT_CONFIG.letsencrypt.service | default(false, true)
      - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
-      - "CERT_CONFIG.letsencrypt.service in ['apache', 'nginx']"
+      - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service

 - name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
  ansible.builtin.import_tasks: apache.yml
--- a/tasks/internal/ca_minimal.yml
+++ b/tasks/internal/ca_minimal.yml
@ -2,6 +2,12 @@

 # creating a minimal ca

+- name: Certificates | Internal | Minimal CA | Checking config
+  ansible.builtin.assert:
+    that:
+      - config_ca.ca.key_size in CERT_HC.options.key_size.ca
+      - config_ca.ca.email is none or config_ca.ca.email | validate_email
+
 - name: Certificates | Internal | Minimal CA | Creating ca directory
  ansible.builtin.file:
    path: "{{ config_ca.ca.path | default(config_ca.path, true) }}"
--- a/tasks/internal/cert.yml
+++ b/tasks/internal/cert.yml
@ -1,5 +1,11 @@
 ---

+- name: Certificates | Internal | Cert | Checking config
+  ansible.builtin.assert:
+    that:
+      - config_cert.cert.key_size in CERT_HC.options.key_size.cert
+      - config_cert.cert.email is none or config_cert.cert.email | validate_email
+
 - name: Certificates | Internal | Cert | Generate private key (encrypted)
  community.crypto.openssl_privatekey:
    path: "{{ config_cert.path }}/{{ name | default(config_cert.cert.name) }}.{{ config_cert.extension_key }}"