Check NGINX Plus license is valid (#538)

Author: alessfg

.github/workflows/requirements/requirements_ansible.yml

@@ -4,5 +4,7 @@ collections:
     version: 5.4.0
   - name: ansible.posix
     version: 1.4.0
+  - name: community.crypto
+    version: 2.5.0
   - name: community.docker
     version: 2.7.0

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 FEATURES:
 
+* Check NGINX Plus license is valid before trying to install NGINX Plus (this means the role now requires the `community.crypto` collection).
 * Add Ubuntu jammy (22.04) to the NGINX list of tested and supported platforms.
 * Add RHEL 9 to the NGINX list of tested and supported platforms.
 * Add Alpine Linux 3.16 to the NGINX list of tested and supported platforms (and remove Alpine Linux 3.12).

README.md

@@ -28,7 +28,9 @@ If you wish to install NGINX Plus using this role, you will need to obtain an NG
         version: 5.4.0
       - name: ansible.posix
         version: 1.4.0
-      - name: community.docker  # Only required if you plan to use Molecule (see below)
+      - name: community.crypto # Only required if you plan to install NGINX Plus
+        version: 2.5.0
+      - name: community.docker # Only required if you plan to use Molecule (see below)
         version: 2.7.0
     ```
 

meta/main.yml

@@ -51,4 +51,5 @@ galaxy_info:
 
 collections:
   - ansible.posix
+  - community.crypto
   - community.general

tasks/plus/setup-license.yml

@@ -17,6 +17,28 @@
         - "{{ nginx_license['certificate'] }}"
         - "{{ nginx_license['key'] }}"
 
+    - name: (Debian/Red Hat/SLES OSs) Install cryptography package
+      ansible.builtin.package:
+        name: "{{ (ansible_python['version']['major'] == 3) | ternary('python3-cryptography', 'python2-cryptography') }}"
+
+    - name: (Debian/Red Hat/SLES OSs) Check that NGINX Plus certificate is valid
+      community.crypto.x509_certificate_info:
+        path: /etc/ssl/nginx/nginx-repo.crt
+      register: cert
+
+    - name: (Debian/Red Hat/SLES OSs) Check that NGINX Plus key is valid
+      community.crypto.openssl_privatekey_info:
+        path: /etc/ssl/nginx/nginx-repo.key
+      register: key
+
+    - name: (Debian/Red Hat/SLES OSs) Check that NGINX Plus license is valid
+      ansible.builtin.assert:
+        that:
+          - cert.expired == false
+          - cert.public_key == key.public_key
+        success_msg: Your NGINX Plus license is valid!
+        fail_msg: Something went wrong! Make sure your NGINX Plus license is valid!
+
     - name: (SLES) Create NGINX Plus license bundle
       block:
         - name: (SLES) Check combined NGINX Plus license bundle exists
@@ -35,23 +57,45 @@
 
 - name: (Alpine Linux) Set up NGINX Plus license
   block:
+    - name: Install cryptography package
+      ansible.builtin.package:
+        name: py3-cryptography
+
     - name: (Alpine Linux) Create APK directory
       ansible.builtin.file:
         path: /etc/apk
         state: directory
         mode: 0755
 
-    - name: (Alpine Linux) Copy NGINX Plus key
+    - name: (Alpine Linux) Copy NGINX Plus certificate
       ansible.builtin.copy:
-        src: "{{ nginx_license['key'] }}"
-        dest: /etc/apk/cert.key
+        src: "{{ nginx_license['certificate'] }}"
+        dest: /etc/apk/cert.pem
         decrypt: true
         mode: 0444
 
-    - name: (Alpine Linux) Copy NGINX Plus certificate
+    - name: (Alpine Linux) Copy NGINX Plus key
       ansible.builtin.copy:
-        src: "{{ nginx_license['certificate'] }}"
-        dest: /etc/apk/cert.pem
+        src: "{{ nginx_license['key'] }}"
+        dest: /etc/apk/cert.key
         decrypt: true
         mode: 0444
+
+    - name: (Alpine Linux) Check that NGINX Plus certificate is valid
+      community.crypto.x509_certificate_info:
+        path: /etc/apk/cert.pem
+      register: cert
+
+    - name: (Alpine Linux) Check that NGINX Plus key is valid
+      community.crypto.openssl_privatekey_info:
+        path: /etc/apk/cert.key
+      register: key
+
+    - name: (Alpine Linux) Check that NGINX Plus license is valid
+      ansible.builtin.assert:
+        that:
+          - cert.expired == false
+          - cert.public_key == key.public_key
+        success_msg: Your NGINX Plus license is valid!
+        fail_msg: Something went wrong! Make sure your NGINX Plus license is valid!
   when: ansible_facts['os_family'] == "Alpine"