0

I have a command output that looks like this in stdout_lines:

        "stdout_lines": [
            "Keystore type: jks",
            "Keystore provider: SUN",
            "",
            "Your keystore contains 6 entries",
            "",
            "Alias name: alias1",
            "Creation date: Oct 16, 2015",
            "Entry type: PrivateKeyEntry",
            "Certificate chain length: 1",
            "Certificate[1]:",
            "Owner: CN=*.example.com, O=Example, L=Some, ST=Where, C=DE",
            "Issuer: CN=some issuer cert",
            "Valid from: Wed Oct 14 02:00:00 CEST 2015 until: Thu Oct 18 14:00:00 CEST 2018",
            "Signature algorithm name: SHA256withRSA",
            "Subject Public Key Algorithm: 2048-bit RSA key",
            "Version: 3",
            "" ]

So from such a keystore with several certificates stored, I like to extract the information to a list of dictionary that looks like this:

"keystore_values": [
    {"Alias name": "alias1", "Owner": "CN=*.example.com",
     "Valid until": "Thu Oct 18 14:00:00 CEST 2018" },
    {"Alias name": "alias2", "Owner": "CN=*.example2.com",
     "Valid until": "Thu Oct 18 14:00:00 CEST 2018" },
    {"Alias name": "alias3", "Owner": "CN=*.example3.com",
     "Valid until": "Thu Oct 18 14:00:00 CEST 2018" }]

Right now I think I should go over "stdout" with regex_findall where I define all the parts I need and then maybe I could zip them

Improve this question
1
  • Your example shows only a single key. Are subsequent keys separated by blank lines? Commented Apr 25, 2019 at 16:09

1 Answer 1

Reset to default
1

I've made some assumptions about your question:

  • I'm assuming you're dealing with output from the keytool -list -v command, because that's what it looks like.
  • I'm assuming that the output of the command when you run it looks like the output when I run it. Since you didn't provide complete output in your question, including what it looks like when listing multiple keys, I needed to produce my own data for testing.

Ansible isn't really a great tool for complex text transformations, which is effectively what you're doing here. I'd like to suggest two different solutions, both relying on some sort of external tool to perform the heavy lifting.

Using awk

In this example, we use awk to read the output from keytool and generate JSON output.

I've hardcoded some output into this playbook for testing; obviously you would replace this in practice with a command task:

---
- hosts: localhost
  gather_facts: false
  vars:
    storepass: secret
  tasks:
    - command: keytool -list -v -storepass {{ storepass }}
      register: keytool
      changed_when: false

    - command:
      args:
        argv:
          - "awk"
          - "-F"
          - ": "
          - |
            # this function prints out a single key as a JSON
            # object
            function print_key(key) {
              if (not_first_key) print ","
              not_first_key=1
              print "{"
              not_first_line=0
              for (i in key) {
                if (not_first_line) print ","
                not_first_line=1
                printf "\"%s\": \"%s\"\n", i, key[i]
              }
              print "}"
            }
            BEGIN {
              split("", key)
              print "["
            }

            # We recognize the start of a new key by the Alias name
            # field. When we see it, we will (a) check if we have data
            # for a prior key and print it out and then (b) reset the
            # key array and start collecting new data.
            /^Alias name/ {
              if (length(key) > 0) {
                print_key(key)
                delete(key)
              }
              key["Alias name"] = $2
            }

            # The "Valid from" line requires special parsing.
            /^Valid from/ {
              key["Valid from"] = substr($2, 0, length($2)-6)
              key["Valid until"] = $3
            }

            # Simple fields that we're interested in
            /^(Owner|Issuer|Creation date)/ {
              key[$1] = $2
            }

            END {
              if (length(key) > 0) {
                print_key(key)
              }
              print "]"
            }
        stdin: "{{ keytool.stdout }}"
      register: keytool_json
      changed_when: false

    - set_fact:
        key_list_1: "{{ keytool_json.stdout|from_json }}"

    - debug:
        var: key_list_1

Running the above playbook will produce:

TASK [debug] **********************************************************************************
ok: [localhost] => {
    "key_list_1": [
        {
            "Alias name": "alias1", 
            "Creation date": "Apr 25, 2019", 
            "Issuer": "CN=Alice McHacker, OU=Unknown, O=Example Company, Inc., L=Boston, ST=MA, C=US", 
            "Owner": "CN=Alice McHacker, OU=Unknown, O=Example Company, Inc., L=Boston, ST=MA, C=US", 
            "Valid from": "Thu Apr 25 19:14:01 EDT 2019", 
            "Valid until": "Wed Jul 24 19:14:01 EDT 2019"
        }, 
        {
            "Alias name": "alias2", 
            "Creation date": "Apr 25, 2019", 
            "Issuer": "CN=Mallory Root, OU=Unknown, O=Example Company, Inc., L=New York, ST=NY, C=US", 
            "Owner": "CN=Mallory Root, OU=Unknown, O=Example Company, Inc., L=New York, ST=NY, C=US", 
            "Valid from": "Thu Apr 25 19:17:03 EDT 2019", 
            "Valid until": "Wed Jul 24 19:17:03 EDT 2019"
        }
    ]
}

...which I think produces the data you want.

Using a custom filter plugin

Alternatively -- and probably more robustly -- you could move the logic into a custom filter plugin. If we put the following in filter_plugins/keys_to_list.py:

#!/usr/bin/python


def filter_keys_to_list(v):
    key_list = []
    key = {}
    for line in v.splitlines():
        # Just skip lines that don't look like a Key: Value line.
        if ': ' not in line:
            continue

        # Same logic as the awk script: "Alias name" identifies the
        # start of key data.
        if line.startswith('Alias name'):
            if key:
                key_list.append(key)
                key = {}

        field, value = line.split(': ', 1)
        if field in ['Alias name', 'Owner', 'Issuer', 'Creation date']:
            key[field] = value
        elif field == 'Valid from':
            key['Valid from'], key['Valid until'] = value.split(' until: ')

    if key:
        key_list.append(key)

    return key_list


class FilterModule(object):
    filter_map = {
        'keys_to_list': filter_keys_to_list,
    }

    def filters(self):
        return self.filter_map

Then our playbook becomes much simpler:

---
- hosts: localhost
  gather_facts: false
  vars:
    storepass: secret
  tasks:
    - command: keytool -list -v -storepass {{ storepass }}
      register: keytool
      changed_when: false

    - set_fact:
        key_list_2: "{{ keytool.stdout|keys_to_list }}"

    - debug:
        var: key_list_2

And that produces the same final output:

TASK [debug] **********************************************************************************
ok: [localhost] => {
    "key_list_2": [
        {
            "Alias name": "alias1", 
            "Creation date": "Apr 25, 2019", 
            "Issuer": "CN=Lars Kellogg-Stedman, OU=Unknown, O=The Odd Bit, L=Boston, ST=MA, C=US", 
            "Owner": "CN=Lars Kellogg-Stedman, OU=Unknown, O=The Odd Bit, L=Boston, ST=MA, C=US", 
            "Valid from": "Thu Apr 25 19:14:01 EDT 2019", 
            "Valid until": "Wed Jul 24 19:14:01 EDT 2019"
        }, 
        {
            "Alias name": "alias2", 
            "Creation date": "Apr 25, 2019", 
            "Issuer": "CN=Mallory Root, OU=Unknown, O=The Odd Bit, L=New York, ST=NY, C=US", 
            "Owner": "CN=Mallory Root, OU=Unknown, O=The Odd Bit, L=New York, ST=NY, C=US", 
            "Valid from": "Thu Apr 25 19:17:03 EDT 2019", 
            "Valid until": "Wed Jul 24 19:17:03 EDT 2019"
        }
    ]
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I've made some substantial updates to this answer after having figured out you're using the keytool command and producing my own test data, which invalidated some of the assumptions I had made earlier based on the sample output in your question.
You are fucking awesome! Very good and well worked out solutions. For the "Issuer" field I had cases where some quotes were in that string, so I had to remove them, by adding gsub(/"/, "", $2) in your awk script. I also like the idea with the filter. When I have more time, I will sit down for an overall better solution, maybe I even go for my own keystore module or pull request to the existing one.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.