CI: Add Fedora 41, Alpine 3.21, RHEL 9.5, FreeBSD 14.2 to CI for devel (#834)

* Add Fedora 41, Alpine 3.21, RHEL 9.5, FreeBSD 14.2 to CI for devel. * Fedora 41 also doesn't allow SHA-1 apparently. Ref: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer * Work around broken cryptography in Fedora 41.
2025-01-08 22:08:18 +01:00 · 2025-01-08 22:08:18 +01:00 · 029e009db1
parent cfd524f345
commit 029e009db1
4 changed files with 41 additions and 15 deletions
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -118,12 +118,12 @@ stages:
        parameters:
          testFormat: devel/linux/{0}
          targets:
-            - name: Fedora 40
-              test: fedora40
+            - name: Fedora 41
+              test: fedora41
            - name: Ubuntu 24.04
              test: ubuntu2404
-            - name: Alpine 3.20
-              test: alpine320
+            - name: Alpine 3.21
+              test: alpine321
          groups:
            - 1
            - 2
@ -135,8 +135,12 @@ stages:
        parameters:
          testFormat: 2.18/linux/{0}
          targets:
+            - name: Fedora 40
+              test: fedora40
            - name: Ubuntu 24.04
              test: ubuntu2404
+            - name: Alpine 3.20
+              test: alpine320
          groups:
            - 1
            - 2
@ -218,10 +222,10 @@ stages:
        parameters:
          testFormat: devel/{0}
          targets:
-            - name: Alpine 3.20
-              test: alpine/3.20
-            - name: Fedora 40
-              test: fedora/40
+            - name: Alpine 3.21
+              test: alpine/3.21
+            - name: Fedora 41
+              test: fedora/41
            - name: Ubuntu 22.04
              test: ubuntu/22.04
            - name: Ubuntu 24.04
@ -238,10 +242,10 @@ stages:
          targets:
            - name: macOS 14.3
              test: macos/14.3
-            - name: RHEL 9.4
-              test: rhel/9.4
-            - name: FreeBSD 14.1
-              test: freebsd/14.1
+            - name: RHEL 9.5
+              test: rhel/9.5
+            - name: FreeBSD 14.2
+              test: freebsd/14.2
            - name: FreeBSD 13.4
              test: freebsd/13.4
          groups:
@ -257,6 +261,8 @@ stages:
          targets:
            - name: RHEL 9.4
              test: rhel/9.4
+            - name: FreeBSD 14.1
+              test: freebsd/14.1
          groups:
            - 1
            - 2
--- a/changelogs/fragments/834-crypto_info-fedora-41.yml
+++ b/changelogs/fragments/834-crypto_info-fedora-41.yml
@ -0,0 +1,5 @@
+bugfixes:
+  - "crypto_info - when running the module on Fedora 41 with ``cryptography`` installed from the package repository,
+     the module crashed apparently due to some elliptic curves being removed from libssl against which cryptography
+     is running, which cryptography did not expect
+     (https://github.com/ansible-collections/community.crypto/pull/834)."
--- a/plugins/modules/crypto_info.py
+++ b/plugins/modules/crypto_info.py
@ -177,8 +177,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo
 try:
    import cryptography
    from cryptography.exceptions import UnsupportedAlgorithm
+
+    try:
+        # While UnsupportedAlgorithm got added in cryptography 0.1, InternalError
+        # only got added in 0.2, so let's guard the import
+        from cryptography.exceptions import InternalError as CryptographyInternalError
+    except ImportError:
+        CryptographyInternalError = Exception
 except ImportError:
    UnsupportedAlgorithm = Exception
+    CryptographyInternalError = Exception
    CRYPTOGRAPHY_VERSION = None
    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
 else:
@ -274,6 +282,11 @@ def add_crypto_information(module):
                    curves.append(curve_name)
                except UnsupportedAlgorithm:
                    pass
+                except CryptographyInternalError:  # pylint: disable=duplicate-except,bad-except-order
+                    # On Fedora 41, some curves result in InternalError. This is probably because
+                    # Fedora's cryptography is linked against the system libssl, which has the
+                    # curves removed.
+                    pass

    info = {
        'version': CRYPTOGRAPHY_VERSION,
--- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
+++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
@ -74,9 +74,11 @@
        assert:
          that:
            - second_signature_algorithm is changed
-      # RHEL9 disables SHA-1 algorithms by default making this test fail with a 'libcrypt' error. Other systems which
-      # impose a similar restriction may also need to skip this block in the future.
-      when: not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)
+      # RHEL9 and Fedora 41 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
+      # Other systems which impose a similar restriction may also need to skip this block in the future.
+      when:
+        - not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)
+        - not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)

    - name: Omit signature algorithm
      openssh_cert: