diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml index 7f38a9d3..5c7dc40a 100644 --- a/.azure-pipelines/azure-pipelines.yml +++ b/.azure-pipelines/azure-pipelines.yml @@ -368,7 +368,7 @@ stages: nameFormat: Python {0} testFormat: 2.9/cloud/{0}/1 targets: - - test: 3.5 + - test: 2.7 ## Finally diff --git a/changelogs/fragments/445-fix.yml b/changelogs/fragments/445-fix.yml new file mode 100644 index 00000000..751d4daf --- /dev/null +++ b/changelogs/fragments/445-fix.yml @@ -0,0 +1,2 @@ +bugfixes: + - "Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https://github.com/ansible-collections/community.crypto/pull/445)." diff --git a/plugins/module_utils/crypto/module_backends/certificate_info.py b/plugins/module_utils/crypto/module_backends/certificate_info.py index 252e730b..15c08a93 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -12,12 +12,11 @@ __metaclass__ = type import abc import binascii import datetime -import re import traceback from ansible.module_utils import six from ansible.module_utils.basic import missing_required_lib -from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes +from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion diff --git a/plugins/module_utils/crypto/module_backends/certificate_ownca.py b/plugins/module_utils/crypto/module_backends/certificate_ownca.py index f84c2d37..0af7ac9e 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py +++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py 
@@ -12,8 +12,6 @@ import os from random import randrange -from ansible.module_utils.common.text.converters import to_bytes - from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import ( @@ -41,11 +39,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac CertificateProvider, ) -try: - from OpenSSL import crypto -except ImportError: - pass - try: import cryptography from cryptography import x509 diff --git a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py index 7b5484ab..35671c45 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py +++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py @@ -12,8 +12,6 @@ import os from random import randrange -from ansible.module_utils.common.text.converters import to_bytes - from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( get_relative_time_option, select_message_digest, @@ -31,11 +29,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac CertificateProvider, ) -try: - from OpenSSL import crypto -except ImportError: - pass - try: import cryptography from cryptography import x509 diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py index 697afe47..c111ddc8 100644 --- a/plugins/module_utils/crypto/module_backends/csr.py +++ b/plugins/module_utils/crypto/module_backends/csr.py 
@@ -14,7 +14,7 @@ import traceback from ansible.module_utils import six from ansible.module_utils.basic import missing_required_lib -from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text +from ansible.module_utils.common.text.converters import to_native, to_text from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion diff --git a/plugins/module_utils/crypto/module_backends/csr_info.py b/plugins/module_utils/crypto/module_backends/csr_info.py index 4f528659..8e733147 100644 --- a/plugins/module_utils/crypto/module_backends/csr_info.py +++ b/plugins/module_utils/crypto/module_backends/csr_info.py @@ -15,13 +15,12 @@ import traceback from ansible.module_utils import six from ansible.module_utils.basic import missing_required_lib -from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes +from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate_request, - get_fingerprint_of_bytes, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( diff --git a/plugins/module_utils/crypto/module_backends/privatekey.py b/plugins/module_utils/crypto/module_backends/privatekey.py index 0d12a711..071acb81 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey.py +++ b/plugins/module_utils/crypto/module_backends/privatekey.py @@ -25,11 +25,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo CRYPTOGRAPHY_HAS_ED25519, CRYPTOGRAPHY_HAS_ED448, OpenSSLObjectError, - OpenSSLBadPassphraseError, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( - load_privatekey, get_fingerprint_of_privatekey, ) 
diff --git a/plugins/module_utils/crypto/support.py b/plugins/module_utils/crypto/support.py index 64619985..1577abc8 100644 --- a/plugins/module_utils/crypto/support.py +++ b/plugins/module_utils/crypto/support.py @@ -32,7 +32,7 @@ from ansible.module_utils.common.text.converters import to_native, to_bytes try: from OpenSSL import crypto HAS_PYOPENSSL = True -except ImportError: +except (ImportError, AttributeError): # Error handled in the calling module. HAS_PYOPENSSL = False diff --git a/plugins/module_utils/ecs/api.py b/plugins/module_utils/ecs/api.py index 0c98dbd4..896be00c 100644 --- a/plugins/module_utils/ecs/api.py +++ b/plugins/module_utils/ecs/api.py @@ -34,7 +34,6 @@ __metaclass__ = type import json import os import re -import time import traceback from ansible.module_utils.common.text.converters import to_text, to_native diff --git a/plugins/modules/openssh_cert.py b/plugins/modules/openssh_cert.py index 9f6d1a65..6304abcd 100644 --- a/plugins/modules/openssh_cert.py +++ b/plugins/modules/openssh_cert.py @@ -273,7 +273,7 @@ info: import os from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.common.text.converters import to_native, to_text +from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion diff --git a/plugins/modules/openssl_pkcs12.py b/plugins/modules/openssl_pkcs12.py index 5c91d6e8..2702914e 100644 --- a/plugins/modules/openssl_pkcs12.py +++ b/plugins/modules/openssl_pkcs12.py @@ -276,7 +276,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/modules/openssl_privatekey.py b/plugins/modules/openssl_privatekey.py index 32e3e716..ca200d6f 100644 --- a/plugins/modules/openssl_privatekey.py 
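Review bot: In plugins/module_utils/crypto/support.py the widened `except (ImportError, AttributeError):` still carries only the comment "Error handled in the calling module", so nothing records why an AttributeError is expected from `from OpenSSL import crypto`, and a pyOpenSSL that is installed but broken becomes indistinguishable from one that is absent. Going by the changelog fragment, the trigger is pyOpenSSL loaded against an incompatible cryptography version; I would state that in a comment, e.g. `# AttributeError: pyOpenSSL is installed but incompatible with the installed cryptography`. The same clause in plugins/modules/openssl_pkcs12.py does keep the traceback in `PYOPENSSL_IMP_ERR`, but if that is reported through `missing_required_lib` (not visible in this hunk) the user is told the library is missing rather than incompatible, so the message there may deserve a hint as well. Both try blocks continue outside the hunks.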
+++ b/plugins/modules/openssl_privatekey.py @@ -142,7 +142,6 @@ privatekey: import os -from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.io import ( diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py index ca71988b..583985e2 100644 --- a/plugins/modules/openssl_signature.py +++ b/plugins/modules/openssl_signature.py @@ -123,7 +123,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im load_privatekey, ) -from ansible.module_utils.common.text.converters import to_native, to_bytes +from ansible.module_utils.common.text.converters import to_native from ansible.module_utils.basic import AnsibleModule, missing_required_lib diff --git a/plugins/modules/openssl_signature_info.py b/plugins/modules/openssl_signature_info.py index 9a945f35..78a62264 100644 --- a/plugins/modules/openssl_signature_info.py +++ b/plugins/modules/openssl_signature_info.py @@ -123,7 +123,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im load_certificate, ) -from ansible.module_utils.common.text.converters import to_native, to_bytes +from ansible.module_utils.common.text.converters import to_native from ansible.module_utils.basic import AnsibleModule, missing_required_lib diff --git a/plugins/modules/x509_certificate_pipe.py b/plugins/modules/x509_certificate_pipe.py index cf4d1309..76dfe9f0 100644 --- a/plugins/modules/x509_certificate_pipe.py +++ b/plugins/modules/x509_certificate_pipe.py @@ -123,8 +123,6 @@ certificate: ''' -import os - from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( 
diff --git a/tests/integration/targets/openssl_pkcs12/tests/validate.yml b/tests/integration/targets/openssl_pkcs12/tests/validate.yml index 740070e3..f03e6d24 100644 --- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml +++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml @@ -83,4 +83,4 @@ - p12_empty is changed - p12_empty_idem is not changed - p12_empty_concat_idem is not changed - - empty_contents == (empty_expected_pyopenssl if select_crypto_backend == 'pyopenssl' else empty_expected_cryptography) + - (empty_contents == empty_expected_cryptography) or (empty_contents == empty_expected_pyopenssl and select_crypto_backend == 'pyopenssl') diff --git a/tests/integration/targets/setup_python_info/vars/main.yml b/tests/integration/targets/setup_python_info/vars/main.yml index def42900..d6d7a221 100644 --- a/tests/integration/targets/setup_python_info/vars/main.yml +++ b/tests/integration/targets/setup_python_info/vars/main.yml @@ -70,3 +70,6 @@ cannot_upgrade_cryptography: - '3.8' # on the VMs in CI, system packages are used for this version as well '13.0': - '3.8' # on the VMs in CI, system packages are used for this version as well + Ubuntu: + '18': + - '3.9' # this is the default container for ansible-core 2.12; upgrading cryptography wrecks pyOpenSSL diff --git a/tests/utils/constraints.txt b/tests/utils/constraints.txt index 1471d8f4..0c818ad7 100644 --- a/tests/utils/constraints.txt +++ b/tests/utils/constraints.txt 
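Review bot: The rewritten assertion in tests/integration/targets/openssl_pkcs12/tests/validate.yml now accepts `empty_expected_cryptography` even when `select_crypto_backend == 'pyopenssl'`, so the test no longer shows that the requested backend produced the file. If that is intended because the module may fall back to cryptography when pyOpenSSL cannot be loaded (my reading of the changelog entry, not shown in the hunk), a comment above the condition should say so, e.g. `# pyopenssl may be unusable with a newer cryptography; the cryptography result is then also accepted`. Otherwise a fallback that happens for any other reason would pass unnoticed. The assert task starts outside the hunk.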
@@ -1,7 +1,8 @@ coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible cryptography < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6 -cryptography >= 3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7 +cryptography >= 3.0, < 3.4 ; python_version < '3.5' # cryptography 3.4 drops support for python 2.7 +cryptography >= 3.0, < 3.3 ; python_version == '3.5' # cryptography 3.3 drops support for python 3.5 urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later idna < 2.6, >= 2.5 # linode requires idna < 2.9, >= 2.5, requests requires idna < 2.6, but cryptography will cause the latest version to be installed instead requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6