Merge pull request #54991 from mchugh19/port-52126

master-port #52126

Author: dwoz

doc/ref/modules/all/index.rst

@@ -210,6 +210,7 @@ execution modules
     keyboard
     keystone
     keystoneng
+    keystore
     kmod
     kubernetesmod
     launchctl_service

doc/ref/modules/all/salt.modules.keystore.rst

@@ -0,0 +1,6 @@
+=====================
+salt.modules.keystore
+=====================
+
+.. automodule:: salt.modules.keystore
+    :members:

doc/ref/states/all/index.rst

@@ -149,6 +149,7 @@ state modules
     keystone_role_grant
     keystone_service
     keystone_user
+    keystore
     kmod
     kubernetes
     layman

doc/ref/states/all/salt.states.keystore.rst

@@ -0,0 +1,6 @@
+====================
+salt.states.keystore
+====================
+
+.. automodule:: salt.states.keystore
+    :members:

doc/topics/releases/neon.rst

@@ -4,6 +4,54 @@
 Salt Release Notes - Codename Neon
 ==================================
 
+
+Keystore State and Module
+=========================
+
+A new :py:func:`state <salt.states.keystore>` and
+:py:func:`execution module <salt.modules.keystore>` for manaing Java
+Keystore files is now included. It allows for adding/removing/listing
+as well as managing keystore files.
+
+.. code-block:: bash
+
+  # salt-call keystore.list /path/to/keystore.jks changeit
+  local:
+    |_
+      ----------
+      alias:
+          hostname1
+      expired:
+          True
+      sha1:
+          CB:5E:DE:50:57:99:51:87:8E:2E:67:13:C5:3B:E9:38:EB:23:7E:40
+      type:
+          TrustedCertEntry
+      valid_start:
+          August 22 2012
+      valid_until:
+          August 21 2017
+
+.. code-block:: yaml
+
+  define_keystore:
+    keystore.managed:
+      - name: /tmp/statestore.jks
+      - passphrase: changeit
+      - force_remove: True
+      - entries:
+        - alias: hostname1
+          certificate: /tmp/testcert.crt
+        - alias: remotehost
+          certificate: /tmp/512.cert
+          private_key: /tmp/512.key
+        - alias: stringhost
+          certificate: |
+            -----BEGIN CERTIFICATE-----
+            MIICEjCCAX
+            Hn+GmxZA
+            -----END CERTIFICATE-----
+
 Slot Syntax Updates
 ===================
 
@@ -60,4 +108,4 @@ Returner Removal
 
 - The hipchat returner has been removed due to the service being retired. For users migrating
   to Slack, the :py:func:`slack <salt.returners.slack_returner>` returner may be a suitable
-  replacement.
+  replacement.

salt/modules/keystore.py

@@ -0,0 +1,203 @@
+# -*- coding: utf-8 -*-
+'''
+Module to interact with keystores
+'''
+
+# Import Python libs
+from __future__ import absolute_import, unicode_literals, print_function
+import logging
+from datetime import datetime
+import os
+
+log = logging.getLogger(__name__)
+
+__virtualname__ = 'keystore'
+
+# Import third party libs
+from salt.exceptions import CommandExecutionError, SaltInvocationError
+
+try:
+    import jks
+    import OpenSSL
+    has_depends = True
+except ImportError:
+    has_depends = False
+
+
+def __virtual__():
+    '''
+    Check dependencies
+    '''
+    if has_depends is False:
+        msg = 'jks unavailable: {0} execution module cant be loaded '.format(__virtualname__)
+        return False, msg
+    return __virtualname__
+
+
+def _parse_cert(alias, public_cert, return_cert=False):
+    ASN1 = OpenSSL.crypto.FILETYPE_ASN1
+    PEM = OpenSSL.crypto.FILETYPE_PEM
+    cert_data = {}
+    sha1 = public_cert.digest(b'sha1')
+
+    cert_pem = OpenSSL.crypto.dump_certificate(PEM, public_cert)
+    raw_until = public_cert.get_notAfter()
+    date_until = datetime.strptime(raw_until, '%Y%m%d%H%M%SZ')
+    string_until = date_until.strftime("%B %d %Y")
+
+    raw_start = public_cert.get_notBefore()
+    date_start = datetime.strptime(raw_start, '%Y%m%d%H%M%SZ')
+    string_start = date_start.strftime("%B %d %Y")
+
+    if return_cert:
+        cert_data['pem'] = cert_pem
+    cert_data['alias'] = alias
+    cert_data['sha1'] = sha1
+    cert_data['valid_until'] = string_until
+    cert_data['valid_start'] = string_start
+    cert_data['expired'] = date_until < datetime.now()
+
+    return cert_data
+
+
+def list(keystore, passphrase, alias=None, return_cert=False):
+    '''
+    Lists certificates in a keytool managed keystore.
+
+
+    :param keystore: The path to the keystore file to query
+    :param passphrase: The passphrase to use to decode the keystore
+    :param alias: (Optional) If found, displays details on only this key
+    :param return_certs: (Optional) Also return certificate PEM.
+
+    .. warning::
+
+        There are security implications for using return_cert to return decrypted certificates.
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' keystore.list /usr/lib/jvm/java-8/jre/lib/security/cacerts changeit
+        salt '*' keystore.list /usr/lib/jvm/java-8/jre/lib/security/cacerts changeit debian:verisign_-_g5.pem
+
+    '''
+    ASN1 = OpenSSL.crypto.FILETYPE_ASN1
+    PEM = OpenSSL.crypto.FILETYPE_PEM
+    decoded_certs = []
+    entries = []
+
+    keystore = jks.KeyStore.load(keystore, passphrase)
+
+    if alias:
+        # If alias is given, look it up and build expected data structure
+        entry_value = keystore.entries.get(alias)
+        if entry_value:
+            entries = [(alias, entry_value)]
+    else:
+        entries = keystore.entries.items()
+
+    if entries:
+        for entry_alias, cert_enc in entries:
+            entry_data = {}
+            if isinstance(cert_enc, jks.PrivateKeyEntry):
+                cert_result = cert_enc.cert_chain[0][1]
+                entry_data['type'] = 'PrivateKeyEntry'
+            elif isinstance(cert_enc, jks.TrustedCertEntry):
+                cert_result = cert_enc.cert
+                entry_data['type'] = 'TrustedCertEntry'
+            else:
+                raise CommandExecutionError('Unsupported EntryType detected in keystore')
+
+            # Detect if ASN1 binary, otherwise assume PEM
+            if '\x30' in cert_result[0]:
+                public_cert = OpenSSL.crypto.load_certificate(ASN1, cert_result)
+            else:
+                public_cert = OpenSSL.crypto.load_certificate(PEM, cert_result)
+
+            entry_data.update(_parse_cert(entry_alias, public_cert, return_cert))
+            decoded_certs.append(entry_data)
+
+    return decoded_certs
+
+
+def add(name, keystore, passphrase, certificate, private_key=None):
+    '''
+    Adds certificates to an existing keystore or creates a new one if necesssary.
+
+    :param name: alias for the certificate
+    :param keystore: The path to the keystore file to query
+    :param passphrase: The passphrase to use to decode the keystore
+    :param certificate: The PEM public certificate to add to keystore. Can be a string for file.
+    :param private_key: (Optional for TrustedCert) The PEM private key to add to the keystore
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' keystore.add aliasname /tmp/test.store changeit /tmp/testcert.crt
+        salt '*' keystore.add aliasname /tmp/test.store changeit certificate="-----BEGIN CERTIFICATE-----SIb...BM=-----END CERTIFICATE-----"
+        salt '*' keystore.add keyname /tmp/test.store changeit /tmp/512.cert private_key=/tmp/512.key
+
+    '''
+    ASN1 = OpenSSL.crypto.FILETYPE_ASN1
+    PEM = OpenSSL.crypto.FILETYPE_PEM
+    certs_list = []
+    if os.path.isfile(keystore):
+        keystore_object = jks.KeyStore.load(keystore, passphrase)
+        for alias, loaded_cert in keystore_object.entries.items():
+            certs_list.append(loaded_cert)
+
+    try:
+        cert_string = __salt__['x509.get_pem_entry'](certificate)
+    except SaltInvocationError:
+        raise SaltInvocationError('Invalid certificate file or string: {0}'.format(certificate))
+
+    if private_key:
+        # Accept PEM input format, but convert to DES for loading into new keystore
+        key_string = __salt__['x509.get_pem_entry'](private_key)
+        loaded_cert = OpenSSL.crypto.load_certificate(PEM, cert_string)
+        loaded_key = OpenSSL.crypto.load_privatekey(PEM, key_string)
+        dumped_cert = OpenSSL.crypto.dump_certificate(ASN1, loaded_cert)
+        dumped_key = OpenSSL.crypto.dump_privatekey(ASN1, loaded_key)
+
+        new_entry = jks.PrivateKeyEntry.new(name, [dumped_cert], dumped_key, 'rsa_raw')
+    else:
+        new_entry = jks.TrustedCertEntry.new(name, cert_string)
+
+    certs_list.append(new_entry)
+
+    keystore_object = jks.KeyStore.new('jks', certs_list)
+    keystore_object.save(keystore, passphrase)
+    return True
+
+
+def remove(name, keystore, passphrase):
+    '''
+    Removes a certificate from an existing keystore.
+    Returns True if remove was successful, otherwise False
+
+    :param name: alias for the certificate
+    :param keystore: The path to the keystore file to query
+    :param passphrase: The passphrase to use to decode the keystore
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' keystore.remove aliasname /tmp/test.store changeit
+    '''
+    certs_list = []
+    keystore_object = jks.KeyStore.load(keystore, passphrase)
+    for alias, loaded_cert in keystore_object.entries.items():
+        if name not in alias:
+            certs_list.append(loaded_cert)
+
+    if len(keystore_object.entries) != len(certs_list):
+        # Entry has been removed, save keystore updates
+        keystore_object = jks.KeyStore.new('jks', certs_list)
+        keystore_object.save(keystore, passphrase)
+        return True
+    else:
+        # No alias found, notify user
+        return False

salt/modules/saltcheck.py

@@ -42,6 +42,101 @@
       assertion: assertEqual
       expected-return:  'hello'
 
+Example with jinja
+------------------
+
+.. code-block:: jinja
+
+    {% for package in ["apache2", "openssh"] %}
+    {# or another example #}
+    {# for package in salt['pillar.get']("packages") #}
+    test_{{ package }}_latest:
+      module_and_function: pkg.upgrade_available
+      args:
+        - {{ package }}
+      assertion: assertFalse
+    {% endfor %}
+
+Example with setup state including pillar
+-----------------------------------------
+
+.. code-block:: yaml
+
+    setup_test_environment:
+      module_and_function: saltcheck.state_apply
+      args:
+        - common
+      pillar-data:
+        data: value
+
+    verify_vim:
+      module_and_function: pkg.version
+      args:
+        - vim
+      assertion: assertNotEmpty
+
+Example with skip
+-----------------
+
+.. code-block:: yaml
+
+    package_latest:
+      module_and_function: pkg.upgrade_available
+      args:
+        - apache2
+      assertion: assertFalse
+      skip: True
+
+Example with assertion_section
+------------------------------
+
+.. code-block:: yaml
+
+    validate_shell:
+      module_and_function: user.info
+      args:
+        - root
+      assertion: assertEqual
+      expected-return: /bin/bash
+      assertion_section: shell
+
+Example suppressing print results
+---------------------------------
+
+.. code-block:: yaml
+
+    validate_env_nameNode:
+      module_and_function: hadoop.dfs
+      args:
+        - text
+        - /oozie/common/env.properties
+      expected-return: nameNode = hdfs://nameservice2
+      assertion: assertNotIn
+      print_result: False
+
+Supported assertions
+====================
+
+* assertEqual
+* assertNotEqual
+* assertTrue
+* assertFalse
+* assertIn
+* assertNotIn
+* assertGreater
+* assertGreaterEqual
+* assertLess
+* assertLessEqual
+* assertEmpty
+* assertNotEmpty
+
+.. warning::
+
+  The saltcheck.state_apply function is an alias for
+  :py:func:`state.apply <salt.modules.state.apply>`. If using the
+  :ref:`ACL system <acl-eauth>` ``saltcheck.*`` might provide more capability
+  than intended if only ``saltcheck.run_state_tests`` and
+  ``saltcheck.run_highstate_tests`` are needed.
 '''
 
 # Import Python libs