From 5a19c88f231c33c4f7a6d3f06adb8376e6352412 Mon Sep 17 00:00:00 2001
From: Glynn Forrest
Date: Tue, 21 Apr 2020 18:33:35 +0100
Subject: [PATCH] Always run file.managed on x509 certificates
This ensures that the certificate file has the intended file properties, even if the certificate contents themselves don't need to change. See https://github.com/saltstack/salt/pull/52935#issuecomment-616732463
---
 salt/states/x509.py | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/salt/states/x509.py b/salt/states/x509.py
index 04b76f82c807..8d44784dda76 100644
--- a/salt/states/x509.py
+++ b/salt/states/x509.py
@@ -520,6 +520,25 @@ def _certificate_is_valid(name, days_remaining, append_certs, **cert_spec):
 return False, "{0} is not a valid certificate: {1}".format(name, str(e)), {}
+def _certificate_file_managed(ret, file_args):
+ """
+ Run file.managed and merge the result with an existing return dict.
+ The overall True/False result will be the result of the file.managed call.
+"""
+ file_ret = __states__["file.managed"](**file_args)
+
+ ret["result"] = file_ret["result"]
+ if ret["result"]:
+ ret["comment"] = "Certificate {0} is valid and up to date".format(ret["name"])
+ else:
+ ret["comment"] = file_ret["comment"]
+
+ if file_ret["changes"]:
+ ret["changes"] = {"File": file_ret["changes"]}
+
+ return ret
+
+
 def certificate_managed(
 name, days_remaining=90, append_certs=None, managed_private_key=None, **kwargs
 ):
@@ -619,9 +638,9 @@ def certificate_managed(
 )
 if is_valid:
- ret["result"] = True
- ret["comment"] = "Certificate {0} is valid and up to date".format(name)
- return ret
+ file_args, extra_args = _get_file_args(name, **kwargs)
+
+ return _certificate_file_managed(ret, file_args)
 if __opts__["test"]:
 ret["result"] = None
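Review bot: The docstring of `_certificate_file_managed` promises a True/False result, but `ret["result"]` is copied straight from file.managed, which as far as I know reports `None` under `test=True`; the `if ret["result"]:` test then takes the else branch and surfaces the file.managed comment. That is probably the wanted behaviour, so I would document it rather than change it, e.g. `The overall result (True, False, or None in test mode) is the result of the file.managed call.` The closing `"""` of the docstring also appears to sit at column 0 in this hunk and should be indented like the opening one.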
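Review bot: In the `if is_valid:` branch file.managed is now called with `file_args` that, as far as this hunk shows, carry no `contents`, so the branch depends on file.managed leaving an existing certificate body untouched and enforcing only the file properties; that dependency deserves a comment, e.g. `# no contents passed: only file properties (user, group, mode) are enforced here`. `_get_file_args` is defined outside the hunk, so what it puts into `file_args` is unverified. The branch also runs before the `if __opts__["test"]:` check, so a dry run relies on file.managed honouring test mode itself. `extra_args` is unused in this branch and could be bound to `_`.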
@@ -664,10 +683,8 @@ def certificate_managed(
 file_args, extra_args = _get_file_args(name, **kwargs)
 file_args["contents"] = contents
- file_ret = __states__["file.managed"](**file_args)
- if file_ret["changes"]:
- ret["changes"] = {"File": file_ret["changes"]}
+ ret = _certificate_file_managed(ret, file_args)
 ret["changes"]["Certificate"] = {
 "Old": current_cert_info,
@@ -677,8 +694,6 @@ def certificate_managed(
 "Old": invalid_reason,
 "New": "Certificate is valid and up to date",
 }
- ret["comment"] = "Certificate {0} is valid and up to date".format(name)
- ret["result"] = True
 return ret
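Review bot: After `ret = _certificate_file_managed(ret, file_args)` the function still fills in `ret["changes"]["Certificate"]` and a second entry whose new value is "Certificate is valid and up to date", even when file.managed failed and `ret["result"]` is False, so a failed write is reported together with changes that describe a new certificate on disk. The result now comes from file.managed (the unconditional `ret["result"] = True` is removed in the hunk at old line 677), so an early exit such as `if not ret["result"]: return ret` directly after the helper call would keep result, comment and changes consistent. This path also assumes `ret["changes"]` is already a dict when file.managed reports no changes; `ret` is initialised outside the hunk, so that is unverified here.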