Fix main for new cryptography 37.0.0 release (#445)

* Fix empty check for openssl_pkcs12 tests. * Remove unnecessary imports. * Prevent crash if PyOpenSSL cannot be imported because of an AttributeError. * Add changelog fragment. * Fix constraints file. * Use Python 2.7 instead of 3.5 for 2.9 cloud tests (pip module is broken). * Prevent upgrading cryptography on ansible-core 2.12's default container with Python 3.9.
2022-04-26 22:18:37 +02:00 · 2022-04-26 22:18:37 +02:00 · 91f192ce5b
parent e560acdac5
commit 91f192ce5b
19 changed files with 17 additions and 33 deletions
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -368,7 +368,7 @@ stages:
          nameFormat: Python {0}
          testFormat: 2.9/cloud/{0}/1
          targets:
-            - test: 3.5
+            - test: 2.7

  ## Finally

--- a/changelogs/fragments/445-fix.yml
+++ b/changelogs/fragments/445-fix.yml
@ -0,0 +1,2 @@
+bugfixes:
+  - "Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https://github.com/ansible-collections/community.crypto/pull/445)."
--- a/plugins/module_utils/crypto/module_backends/certificate_info.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_info.py
@ -12,12 +12,11 @@ __metaclass__ = type
 import abc
 import binascii
 import datetime
-import re
 import traceback

 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
+from ansible.module_utils.common.text.converters import to_native

 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion

--- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py
@ -12,8 +12,6 @@ import os

 from random import randrange

-from ansible.module_utils.common.text.converters import to_bytes
-
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion

 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
@ -41,11 +39,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
    CertificateProvider,
 )

-try:
-    from OpenSSL import crypto
-except ImportError:
-    pass
-
 try:
    import cryptography
    from cryptography import x509
--- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py
@ -12,8 +12,6 @@ import os

 from random import randrange

-from ansible.module_utils.common.text.converters import to_bytes
-
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
    get_relative_time_option,
    select_message_digest,
@ -31,11 +29,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
    CertificateProvider,
 )

-try:
-    from OpenSSL import crypto
-except ImportError:
-    pass
-
 try:
    import cryptography
    from cryptography import x509
--- a/plugins/module_utils/crypto/module_backends/csr.py
+++ b/plugins/module_utils/crypto/module_backends/csr.py
@ -14,7 +14,7 @@ import traceback

 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
+from ansible.module_utils.common.text.converters import to_native, to_text

 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion

--- a/plugins/module_utils/crypto/module_backends/csr_info.py
+++ b/plugins/module_utils/crypto/module_backends/csr_info.py
@ -15,13 +15,12 @@ import traceback

 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
+from ansible.module_utils.common.text.converters import to_native

 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion

 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
    load_certificate_request,
-    get_fingerprint_of_bytes,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
--- a/plugins/module_utils/crypto/module_backends/privatekey.py
+++ b/plugins/module_utils/crypto/module_backends/privatekey.py
@ -25,11 +25,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.basic impo
    CRYPTOGRAPHY_HAS_ED25519,
    CRYPTOGRAPHY_HAS_ED448,
    OpenSSLObjectError,
-    OpenSSLBadPassphraseError,
 )

 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
-    load_privatekey,
    get_fingerprint_of_privatekey,
 )

--- a/plugins/module_utils/crypto/support.py
+++ b/plugins/module_utils/crypto/support.py
@ -32,7 +32,7 @@ from ansible.module_utils.common.text.converters import to_native, to_bytes
 try:
    from OpenSSL import crypto
    HAS_PYOPENSSL = True
-except ImportError:
+except (ImportError, AttributeError):
    # Error handled in the calling module.
    HAS_PYOPENSSL = False

--- a/plugins/module_utils/ecs/api.py
+++ b/plugins/module_utils/ecs/api.py
@ -34,7 +34,6 @@ __metaclass__ = type
 import json
 import os
 import re
-import time
 import traceback

 from ansible.module_utils.common.text.converters import to_text, to_native
--- a/plugins/modules/openssh_cert.py
+++ b/plugins/modules/openssh_cert.py
@ -273,7 +273,7 @@ info:
 import os

 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.common.text.converters import to_native, to_text
+from ansible.module_utils.common.text.converters import to_native

 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion

--- a/plugins/modules/openssl_pkcs12.py
+++ b/plugins/modules/openssl_pkcs12.py
@ -276,7 +276,7 @@ try:
    import OpenSSL
    from OpenSSL import crypto
    PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
    PYOPENSSL_IMP_ERR = traceback.format_exc()
    PYOPENSSL_FOUND = False
 else:
--- a/plugins/modules/openssl_privatekey.py
+++ b/plugins/modules/openssl_privatekey.py
@ -142,7 +142,6 @@ privatekey:

 import os

-from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.common.text.converters import to_native

 from ansible_collections.community.crypto.plugins.module_utils.io import (
--- a/plugins/modules/openssl_signature.py
+++ b/plugins/modules/openssl_signature.py
@ -123,7 +123,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
    load_privatekey,
 )

-from ansible.module_utils.common.text.converters import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib


--- a/plugins/modules/openssl_signature_info.py
+++ b/plugins/modules/openssl_signature_info.py
@ -123,7 +123,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
    load_certificate,
 )

-from ansible.module_utils.common.text.converters import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib


--- a/plugins/modules/x509_certificate_pipe.py
+++ b/plugins/modules/x509_certificate_pipe.py
@ -123,8 +123,6 @@ certificate:
 '''


-import os
-
 from ansible.module_utils.common.text.converters import to_native

 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
--- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml
+++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml
@ -83,4 +83,4 @@
      - p12_empty is changed
      - p12_empty_idem is not changed
      - p12_empty_concat_idem is not changed
-      - empty_contents == (empty_expected_pyopenssl if select_crypto_backend == 'pyopenssl' else empty_expected_cryptography)
+      - (empty_contents == empty_expected_cryptography) or (empty_contents == empty_expected_pyopenssl and select_crypto_backend == 'pyopenssl')
--- a/tests/integration/targets/setup_python_info/vars/main.yml
+++ b/tests/integration/targets/setup_python_info/vars/main.yml
@ -70,3 +70,6 @@ cannot_upgrade_cryptography:
      - '3.8'  # on the VMs in CI, system packages are used for this version as well
    '13.0':
      - '3.8'  # on the VMs in CI, system packages are used for this version as well
+  Ubuntu:
+    '18':
+      - '3.9'  # this is the default container for ansible-core 2.12; upgrading cryptography wrecks pyOpenSSL
--- a/tests/utils/constraints.txt
+++ b/tests/utils/constraints.txt
@ -1,7 +1,8 @@
 coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible
 coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible
 cryptography < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6
-cryptography >= 3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.4 ; python_version < '3.5' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.3 ; python_version == '3.5' # cryptography 3.3 drops support for python 3.5
 urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later
 idna < 2.6, >= 2.5 # linode requires idna < 2.9, >= 2.5, requests requires idna < 2.6, but cryptography will cause the latest version to be installed instead
 requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6