Reenrollment causes Authorisation Failure (#585)

When setting 'forcerenroll' on the anisble enrolled_identity task this would fail with an authorization error Believe that the task was calling the wrong method on the 'fabric-ca-client' Any certificate created with TLS isnot support (yet) for re-enrollment Signed-off-by: Matthew B White <whitemat@uk.ibm.com>
IBM-Blockchain · Jan 18, 2022 · 5d6c32a · 5d6c32a
1 parent a2039c2
commit 5d6c32a
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/plugins/module_utils/certificate_authorities.py b/plugins/module_utils/certificate_authorities.py
@@ -171,6 +171,38 @@ def _get_tlsca_chain(self):
         cainfo = json.load(response)
         return cainfo['result']['CAChain']
 
+    def reenroll(self, name, identity):
+        return self._run_with_retry(lambda: self._reenroll(name, identity))
+
+    def _reenroll(self, name, identity):
+        if self.tls:
+            raise Exception("Reenrolling TLS Certs not supported")
+        else:
+            return self._reenroll_ca(name, identity)
+
+    def _reenroll_ca(self, name, identity):
+
+        enrollment = self.ca_service.reenroll(self._get_enrollment(identity))
+        cert = enrollment.cert
+        if self.hsm:
+            hsm = True
+            private_key = None
+        else:
+            hsm = False
+            private_key = enrollment.private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption()
+            )
+        ca = enrollment.caCert
+        return EnrolledIdentity(
+            name=name,
+            cert=cert,
+            private_key=private_key,
+            ca=ca,
+            hsm=hsm
+        )
+
     def enroll(self, name, enrollment_id, enrollment_secret, hosts):
         return self._run_with_retry(lambda: self._enroll(name, enrollment_id, enrollment_secret, hosts))
 

diff --git a/plugins/modules/enrolled_identity.py b/plugins/modules/enrolled_identity.py
@@ -338,7 +338,7 @@ def main():
 
                 # If we need to re-enroll the certificate, do it now.
                 if reenroll_required:
-                    new_identity = connection.enroll(name, enrollment_id, enrollment_secret, hosts)
+                    new_identity = connection.reenroll(name, identity)
 
             # Check if it has changed.
             changed = not new_identity.equals(identity)

diff --git a/requirements.txt b/requirements.txt
@@ -3,7 +3,7 @@
 #
 ansible >= 2.9, <2.10
 ansible-doc-extractor
-ansible-lint == 5.0.3
+ansible-lint == 5.3.2
 flake8
 fabric-sdk-py
 openshift == 0.11.2