From 84cf53cd8b10fd558831e620dd39ac75f452d9e8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 14 Sep 2023 20:42:18 +0200
Subject: uacme: make eab config more generic and ensure the right base64 encoding is used

---
 roles/x509/uacme/base/defaults/main.yml | 4 +++-
 roles/x509/uacme/base/filter_plugins/uacme.py | 26 ++++++++++++++++++++++++++
 roles/x509/uacme/base/tasks/main.yml | 2 +-
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 roles/x509/uacme/base/filter_plugins/uacme.py
(limited to 'roles')

diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml
index 264bc2d9..7164da62 100644
--- a/roles/x509/uacme/base/defaults/main.yml
+++ b/roles/x509/uacme/base/defaults/main.yml
@@ -5,4 +5,6 @@ uacme_directory_server: "{{ acme_directory_server }}"
 ### this defaults to '/var/run/acme/acme-challenge'
 # uacme_challenge_webroot_path: "/path/to/acme-challenge"
 
-# uacme_eab: :base64()
+uacme_eab: "{{ acme_eab }}"
+# keyid: ""
+# key: ""
diff --git a/roles/x509/uacme/base/filter_plugins/uacme.py b/roles/x509/uacme/base/filter_plugins/uacme.py
new file mode 100644
index 00000000..07a87db5
--- /dev/null
+++ b/roles/x509/uacme/base/filter_plugins/uacme.py
@@ -0,0 +1,26 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from functools import partial
+from base64 import urlsafe_b64encode
+
+from ansible import errors
+from ansible.module_utils.common.text import formatters
+from ansible.module_utils._text import to_bytes, to_text
+
+
+def uacme_eab_param(eab):
+    try:
+        return "%s:%s" % (eab['keyid'], to_text(urlsafe_b64encode(to_bytes(eab['key'], errors='surrogate_or_strict'))).strip("="))
+    except Exception as e:
+        raise errors.AnsibleFilterError("uacme_eab_param(): %s" % str(e))
+
+
+class FilterModule(object):
+
+    filter_map = {
+        'uacme_eab_param': uacme_eab_param,
+    }
+
+    def filters(self):
+        return self.filter_map
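Review bot: The new commented example `# keyid: ""` / `# key: ""` under `uacme_eab` does not say what `key` must hold, and the filter added in `filter_plugins/uacme.py` base64url-encodes the bytes of that string as-is, so a key that the CA already hands out in base64url form would be encoded a second time. A comment on the example such as `# key: ""  # the raw EAB HMAC secret; uacme_eab_param base64url-encodes it for uacme -e` (or the opposite, if the intended input is the CA's already-encoded string) would make the expectation explicit. Because this is now an uncommented default, hosts that never set `acme_eab` inherit a template referencing an undefined variable; whether the `uacme_eab is defined` guard in tasks/main.yml still evaluates to false in that case depends on Ansible's undefined handling and is worth a quick test.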
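Review bot: `partial` and `formatters` are imported at the top of the new file but never used; the import block should be trimmed to `from base64 import urlsafe_b64encode`, `from ansible import errors` and `from ansible.module_utils._text import to_bytes, to_text`. In `uacme_eab_param`, `.strip("=")` says "both ends" where only the trailing padding is meant; `.rstrip("=")` states the intent. The blanket `except Exception` turns a missing `keyid` or `key` into the message `uacme_eab_param(): 'keyid'`, which is hard to read as a config error; a docstring such as `"""Render an eab mapping ({keyid, key}) as the KEYID:BASE64URL(KEY) value uacme -e expects."""` and a `KeyError`-specific message naming the missing field would help users of the role.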
diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
index ff7c880d..f52c3cf0 100644
--- a/roles/x509/uacme/base/tasks/main.yml
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -7,7 +7,7 @@
     state: present
 
 - name: create acme account key
-  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y{% if uacme_eab is defined %} -e {{ uacme_eab }}{% endif %} new '{{ uacme_account_email }}'"
+  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y{% if uacme_eab is defined %} -e '{{ uacme_eab | uacme_eab_param }}'{% endif %} new '{{ uacme_account_email }}'"
   args:
     creates: /var/lib/uacme.d/private/key.pem
 
-- cgit v1.2.3
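Review bot: The rendered command now carries the EAB HMAC key in `-e '{{ uacme_eab | uacme_eab_param }}'`, and the task has no `no_log: true`, so the secret is printed in the task's output and lands in any configured Ansible log. Adding `no_log: true` next to `args:` keeps the rendered command out of the logs; exposure in the process list while uacme runs is inherent to passing the key via `-e` and is outside this change. The `uacme_eab is defined` guard is unchanged here, but with `uacme_eab` now set in defaults/main.yml to `"{{ acme_eab }}"` its behaviour on hosts without `acme_eab` should be verified rather than assumed to skip the flag.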