From 7ff067937a12659afccdf5cfb99aa148dc8acedb Mon Sep 17 00:00:00 2001
From: Andrew Pantuso
Date: Sat, 5 Feb 2022 04:00:07 -0500
Subject: [PATCH] openssh_cert - fix full_idempotence for host certificates (#396) (#397)
* fixing host cert idempotence
* adding changelog fragment
(cherry picked from commit a3076188721878f9ce000385a83ab19c1f6aefa5)
---
 ...openssh_cert-host-cert-idempotence-fix.yml | 5 +++++
 plugins/modules/openssh_cert.py | 2 +-
 .../tests/options_idempotency.yml | 22 +++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/396-openssh_cert-host-cert-idempotence-fix.yml
diff --git a/changelogs/fragments/396-openssh_cert-host-cert-idempotence-fix.yml b/changelogs/fragments/396-openssh_cert-host-cert-idempotence-fix.yml
new file mode 100644
index 000000000..70cc9c31d
--- /dev/null
+++ b/changelogs/fragments/396-openssh_cert-host-cert-idempotence-fix.yml
@@ -0,0 +1,5 @@
+---
+bugfixes:
+ - openssh_cert - fixed false ``changed`` status for ``host`` certificates when using ``full_idempotence``
+ (https://github.com/ansible-collections/community.crypto/issues/395,
+ https://github.com/ansible-collections/community.crypto/pull/396).
\ No newline at end of file
diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py
index e79b09a4e..d60bfe6dd 100644
--- a/plugins/modules/openssh_cert.py
+++ b/plugins/modules/openssh_cert.py
@@ -379,7 +379,7 @@ def _should_generate(self):
 def _is_fully_valid(self):
 return self._is_partially_valid() and all([
- self._compare_options(),
+ self._compare_options() if self.original_data.type == 'user' else True,
 self.original_data.key_id == self.identifier,
 self.original_data.public_key == self._get_key_fingerprint(self.public_key),
 self.original_data.signing_key == self._get_key_fingerprint(self.signing_key),
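Review bot: Skipping `_compare_options()` for every non-`user` certificate in `_is_fully_valid` means `full_idempotence` no longer notices critical options or extensions embedded in an existing host certificate, so a certificate at that path carrying unexpected options would be reported as unchanged and left in place. If the module accepts `options` together with `type: host`, it would be safer to keep the comparison whenever options were requested and bypass it only when none were; that needs confirming against `_compare_options`, which is outside this hunk. The branch also keys off the type parsed from the on-disk certificate (`self.original_data.type`) and appears to rely on `_is_partially_valid()` having already matched it to the requested type. At minimum I would add a comment above the line such as `# host certs: option comparison skipped, see issue #395; options in the existing cert are NOT verified`. The `all([...])` list continues past the end of the hunk.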
diff --git a/tests/integration/targets/openssh_cert/tests/options_idempotency.yml b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml
index cb2c35e25..13361f942 100644
--- a/tests/integration/targets/openssh_cert/tests/options_idempotency.yml
+++ b/tests/integration/targets/openssh_cert/tests/options_idempotency.yml
@@ -86,6 +86,27 @@
 regenerate: full_idempotence
 register: default_options
+- name: Generate host cert full_idempotence
+ openssh_cert:
+ type: host
+ path: "{{ certificate_path }}"
+ public_key: "{{ public_key }}"
+ signing_key: "{{ signing_key }}"
+ valid_from: always
+ valid_to: forever
+ regenerate: full_idempotence
+
+- name: Generate host cert full_idempotence again
+ openssh_cert:
+ type: host
+ path: "{{ certificate_path }}"
+ public_key: "{{ public_key }}"
+ signing_key: "{{ signing_key }}"
+ valid_from: always
+ valid_to: forever
+ regenerate: full_idempotence
+ register: host_cert_full_idempotence
+
 - name: Assert options results
 assert:
 that:
@@ -95,6 +116,7 @@
 - explicit_extension_after is not changed
 - explicit_extension_and_directive is changed
 - default_options is not changed
+ - host_cert_full_idempotence is not changed
 - name: Remove certificate
 openssh_cert:
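Review bot: The first `Generate host cert full_idempotence` task has no `register`, so the test only proves the second run is unchanged and never checks that the first run actually replaced the certificate left by the earlier tasks. Since the fix relaxes the `full_idempotence` comparison, a check that errs towards "unchanged" would still pass here. I would add `register: host_cert_initial` to the first task and `- host_cert_initial is changed` to the assert list (the variable name is only a suggestion), assuming the preceding tasks leave a user certificate at `{{ certificate_path }}`, which is not visible in these hunks. A case passing `options` with `type: host` would also document the intended behaviour of the skipped comparison.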