From 029e009db14e24586febfeb020f2b85290a2cd8d Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Wed, 8 Jan 2025 22:08:18 +0100
Subject: [PATCH] CI: Add Fedora 41, Alpine 3.21, RHEL 9.5, FreeBSD 14.2 to CI for devel (#834)
* Add Fedora 41, Alpine 3.21, RHEL 9.5, FreeBSD 14.2 to CI for devel.
* Fedora 41 also doesn't allow SHA-1 apparently.
Ref: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
* Work around broken cryptography in Fedora 41.
---
 .azure-pipelines/azure-pipelines.yml | 30 +++++++++++--------
 .../fragments/834-crypto_info-fedora-41.yml | 5 ++++
 plugins/modules/crypto_info.py | 13 ++++++++
 .../openssh_cert/tests/key_idempotency.yml | 8 +++--
 4 files changed, 41 insertions(+), 15 deletions(-)
 create mode 100644 changelogs/fragments/834-crypto_info-fedora-41.yml
diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml
index 612e4618..b3387cbf 100644
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@@ -118,12 +118,12 @@ stages:
 parameters:
 testFormat: devel/linux/{0}
 targets:
- - name: Fedora 40
- test: fedora40
+ - name: Fedora 41
+ test: fedora41
 - name: Ubuntu 24.04
 test: ubuntu2404
- - name: Alpine 3.20
- test: alpine320
+ - name: Alpine 3.21
+ test: alpine321
 groups:
 - 1
 - 2
@@ -135,8 +135,12 @@ stages:
 parameters:
 testFormat: 2.18/linux/{0}
 targets:
+ - name: Fedora 40
+ test: fedora40
 - name: Ubuntu 24.04
 test: ubuntu2404
+ - name: Alpine 3.20
+ test: alpine320
 groups:
 - 1
 - 2
@@ -218,10 +222,10 @@ stages:
 parameters:
 testFormat: devel/{0}
 targets:
- - name: Alpine 3.20
- test: alpine/3.20
- - name: Fedora 40
- test: fedora/40
+ - name: Alpine 3.21
+ test: alpine/3.21
+ - name: Fedora 41
+ test: fedora/41
 - name: Ubuntu 22.04
 test: ubuntu/22.04
 - name: Ubuntu 24.04
@@ -238,10 +242,10 @@ stages:
 targets:
 - name: macOS 14.3
 test: macos/14.3
- - name: RHEL 9.4
- test: rhel/9.4
- - name: FreeBSD 14.1
- test: freebsd/14.1
+ - name: RHEL 9.5
+ test: rhel/9.5
+ - name: FreeBSD 14.2
+ test: freebsd/14.2
 - name: FreeBSD 13.4
 test: freebsd/13.4
 groups:
@@ -257,6 +261,8 @@ stages:
 targets:
 - name: RHEL 9.4
 test: rhel/9.4
+ - name: FreeBSD 14.1
+ test: freebsd/14.1
 groups:
 - 1
 - 2
diff --git a/changelogs/fragments/834-crypto_info-fedora-41.yml b/changelogs/fragments/834-crypto_info-fedora-41.yml
new file mode 100644
index 00000000..6a66c56f
--- /dev/null
+++ b/changelogs/fragments/834-crypto_info-fedora-41.yml
@@ -0,0 +1,5 @@
+bugfixes:
+ - "crypto_info - when running the module on Fedora 41 with ``cryptography`` installed from the package repository,
+ the module crashed apparently due to some elliptic curves being removed from libssl against which cryptography
+ is running, which cryptography did not expect
+ (https://github.com/ansible-collections/community.crypto/pull/834)."
diff --git a/plugins/modules/crypto_info.py b/plugins/modules/crypto_info.py
index 6eab6f76..7e887141 100644
--- a/plugins/modules/crypto_info.py
+++ b/plugins/modules/crypto_info.py
@@ -177,8 +177,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo
 try:
 import cryptography
 from cryptography.exceptions import UnsupportedAlgorithm
+
+ try:
+ # While UnsupportedAlgorithm got added in cryptography 0.1, InternalError
+ # only got added in 0.2, so let's guard the import
+ from cryptography.exceptions import InternalError as CryptographyInternalError
+ except ImportError:
+ CryptographyInternalError = Exception
 except ImportError:
 UnsupportedAlgorithm = Exception
+ CryptographyInternalError = Exception
 CRYPTOGRAPHY_VERSION = None
 CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
 else:
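Review bot: The inner fallback `CryptographyInternalError = Exception` is taken when cryptography imports fine but is too old to provide `InternalError`, and on such an installation the `except CryptographyInternalError: pass` handler added further down in this module turns into a catch-all that silently drops every failure during curve enumeration, not just the Fedora libssl case. The outer `except ImportError` fallback is harmless by comparison, since cryptography is absent there and the alias is never used as a handler. An inert placeholder keeps the later handler narrow: `class CryptographyInternalError(Exception):  # never raised; keeps the handler below inert` followed by `    pass`. If the collection's minimum cryptography version is already far above 0.2 (I cannot tell from the hunk), dropping the guard and importing `InternalError` unconditionally would be simpler still. The `else:` branch of this try continues outside the hunk.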
@@ -274,6 +282,11 @@ def add_crypto_information(module):
 curves.append(curve_name)
 except UnsupportedAlgorithm:
 pass
+ except CryptographyInternalError: # pylint: disable=duplicate-except,bad-except-order
+ # On Fedora 41, some curves result in InternalError. This is probably because
+ # Fedora's cryptography is linked against the system libssl, which has the
+ # curves removed.
+ pass
 
 info = {
 'version': CRYPTOGRAPHY_VERSION,
diff --git a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
index d66886a0..71bef854 100644
--- a/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
+++ b/tests/integration/targets/openssh_cert/tests/key_idempotency.yml
@@ -74,9 +74,11 @@
 assert:
 that:
 - second_signature_algorithm is changed
- # RHEL9 disables SHA-1 algorithms by default making this test fail with a 'libcrypt' error. Other systems which
- # impose a similar restriction may also need to skip this block in the future.
- when: not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)
+ # RHEL9 and Fedora 41 disable the SHA-1 algorithms by default, making this test fail with a 'libcrypt' error.
+ # Other systems which impose a similar restriction may also need to skip this block in the future.
+ when:
+ - not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)
+ - not (ansible_facts['distribution'] == "Fedora" and (ansible_facts['distribution_major_version'] | int) >= 41)
 
 - name: Omit signature algorithm
 openssh_cert:
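Review bot: The new `except CryptographyInternalError` clause does exactly what the `except UnsupportedAlgorithm` clause above it does (swallow and leave the curve out), so the two can be a single handler, `except (UnsupportedAlgorithm, CryptographyInternalError):`, with the Fedora comment moved inside it; that should also make the `duplicate-except,bad-except-order` suppression unnecessary, since it only exists because both names can alias `Exception` in the import fallback. Either way, the comment should say what is being traded: a curve that trips this path is silently omitted, so `curves` under-reports on such systems, and if (as the comment implies) `InternalError` reflects an OpenSSL-level failure rather than a clean "unsupported" signal, a reader should know this handler is swallowing libssl errors, not a capability check. The `for`/`try` this handler belongs to starts outside the hunk.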
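Review bot: The new `when:` keys on two distribution names, but the real condition is the system crypto policy refusing SHA-1 signatures, and I believe RHEL 9 rebuilds report other `ansible_facts['distribution']` values (CentOS for Stream, AlmaLinux, Rocky), so those hosts would still hit the 'libcrypt' error the comment describes even though the comment already anticipates "other systems". A capability probe is more robust than growing the list: an earlier task that attempts a SHA-1 signature with `ignore_errors: true` and `register`, with this block skipped on its result, covers any policy-driven distro without further edits. If the distro list is kept for now, widening the RHEL branch to `ansible_facts['distribution'] in ['RedHat', 'CentOS', 'AlmaLinux', 'Rocky']` would at least cover the common rebuilds. The task this `when:` belongs to starts before the hunk.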