From a49711d38379a59945352288358e7669dd4291f0 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 30 Aug 2024 09:49:20 +0200
Subject: [PATCH] openssl_privatekey*: add default value for cipher option (#794)
* Add default value for 'cipher' option.
* Adjust tests.
* Add changelog fragment.
* Clarify that cipher is used only when passphrase is provided.
---
 changelogs/fragments/794-openssl_privatekey-cipher.yml | 4 ++++
 plugins/doc_fragments/module_privatekey.py | 4 +++-
 plugins/module_utils/crypto/module_backends/privatekey.py | 5 +----
 tests/integration/targets/acme_account/tasks/impl.yml | 1 -
 tests/integration/targets/ecs_certificate/tasks/main.yml | 1 -
 .../targets/filter_openssl_csr_info/tasks/main.yml | 1 -
 .../targets/filter_openssl_privatekey_info/tasks/main.yml | 1 -
 .../targets/filter_x509_certificate_info/tasks/main.yml | 1 -
 tests/integration/targets/openssl_csr/tasks/impl.yml | 1 -
 tests/integration/targets/openssl_csr_info/tasks/main.yml | 1 -
 tests/integration/targets/openssl_pkcs12/tasks/main.yml | 1 -
 tests/integration/targets/openssl_privatekey/tasks/impl.yml | 4 ----
 .../targets/openssl_privatekey_convert/tasks/main.yml | 1 -
 .../targets/openssl_privatekey_info/tasks/main.yml | 1 -
 tests/integration/targets/openssl_publickey/tasks/impl.yml | 2 --
 tests/integration/targets/openssl_signature/tasks/main.yml | 2 --
 tests/integration/targets/setup_acme/tasks/obtain-cert.yml | 1 -
 tests/integration/targets/x509_certificate/tasks/ownca.yml | 2 --
 .../targets/x509_certificate/tasks/selfsigned.yml | 1 -
 .../integration/targets/x509_certificate_info/tasks/main.yml | 1 -
 20 files changed, 8 insertions(+), 28 deletions(-)
 create mode 100644 changelogs/fragments/794-openssl_privatekey-cipher.yml
diff --git a/changelogs/fragments/794-openssl_privatekey-cipher.yml b/changelogs/fragments/794-openssl_privatekey-cipher.yml
new file mode 100644
index 00000000..c58b44c2
--- /dev/null
+++ b/changelogs/fragments/794-openssl_privatekey-cipher.yml
@@ -0,0 +1,4 @@
+minor_changes:
+ - "openssl_privatekey, openssl_privatekey_pipe - add default value ``auto`` for ``cipher`` option, which happens to be the only supported value
+ for this option anyway. Therefore it is no longer necessary to specify ``cipher=auto`` when providing ``passphrase``
+ (https://github.com/ansible-collections/community.crypto/issues/793, https://github.com/ansible-collections/community.crypto/pull/794)."
diff --git a/plugins/doc_fragments/module_privatekey.py b/plugins/doc_fragments/module_privatekey.py
index d039cf1c..36a7bc97 100644
--- a/plugins/doc_fragments/module_privatekey.py
+++ b/plugins/doc_fragments/module_privatekey.py
@@ -71,8 +71,10 @@ options:
 type: str
 cipher:
 description:
- - The cipher to encrypt the private key. Must be V(auto).
+ - The cipher to encrypt the private key. This is only used when O(passphrase) is provided.
+ - Must be V(auto).
 type: str
+ default: auto
 select_crypto_backend:
 description:
 - Determines which crypto backend to use.
diff --git a/plugins/module_utils/crypto/module_backends/privatekey.py b/plugins/module_utils/crypto/module_backends/privatekey.py
index 36d50ae3..f1b21ad7 100644
--- a/plugins/module_utils/crypto/module_backends/privatekey.py
+++ b/plugins/module_utils/crypto/module_backends/privatekey.py
@@ -514,7 +514,7 @@ def get_privatekey_argument_spec():
 'sect283r1', 'sect409k1', 'sect409r1', 'sect571k1', 'sect571r1',
 ]),
 passphrase=dict(type='str', no_log=True),
- cipher=dict(type='str'),
+ cipher=dict(type='str', default='auto'),
 format=dict(type='str', default='auto_ignore', choices=['pkcs1', 'pkcs8', 'raw', 'auto', 'auto_ignore']),
 format_mismatch=dict(type='str', default='regenerate', choices=['regenerate', 'convert']),
 select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
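Review bot: With `cipher` now defaulting to `'auto'` in this hunk and `required_together=[['cipher', 'passphrase']]` dropped in the next one (`@@ -524,9 +524,6 @@`), a task that sets `cipher: auto` while its `passphrase` resolves to `omit` no longer fails argument validation. Going by the updated option text ("only used when O(passphrase) is provided"), the key would then presumably be written unencrypted without any error, which is a behaviour change for playbooks that relied on the old check; the changelog fragment only mentions the convenience side. I would state this in the fragment and next to the option, e.g. `# cipher is ignored unless passphrase is set; without a passphrase the key is stored unencrypted`. Separately, the spec still accepts any string although the docs say the value must be `auto`; whatever rejects other values lives outside these hunks, so consider `cipher=dict(type='str', default='auto', choices=['auto'])` if that matches the backend's check. `get_privatekey_argument_spec()` starts and ends outside both hunks.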
@@ -524,9 +524,6 @@ def get_privatekey_argument_spec():
 choices=['never', 'fail', 'partial_idempotence', 'full_idempotence', 'always']
 ),
 ),
- required_together=[
- ['cipher', 'passphrase']
- ],
 required_if=[
 ['type', 'ECC', ['curve']],
 ],
diff --git a/tests/integration/targets/acme_account/tasks/impl.yml b/tests/integration/targets/acme_account/tasks/impl.yml
index 79fd43eb..5d008fd2 100644
--- a/tests/integration/targets/acme_account/tasks/impl.yml
+++ b/tests/integration/targets/acme_account/tasks/impl.yml
@@ -8,7 +8,6 @@
 openssl_privatekey:
 path: "{{ remote_tmp_dir }}/{{ item.name }}.pem"
 passphrase: "{{ item.pass | default(omit) | default(omit, true) }}"
- cipher: "{{ 'auto' if (item.pass | default(false)) else omit }}"
 type: ECC
 curve: secp256r1
 force: true
diff --git a/tests/integration/targets/ecs_certificate/tasks/main.yml b/tests/integration/targets/ecs_certificate/tasks/main.yml
index ad74aa34..4d51f2ff 100644
--- a/tests/integration/targets/ecs_certificate/tasks/main.yml
+++ b/tests/integration/targets/ecs_certificate/tasks/main.yml
@@ -68,7 +68,6 @@
 openssl_privatekey:
 path: '{{ privatekey_path }}'
 passphrase: '{{ privatekey_passphrase }}'
- cipher: auto
 type: RSA
 size: 2048
diff --git a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml
index 09446941..0527306f 100644
--- a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml
+++ b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 - name: Generate CSR 1
diff --git a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml
index fcbd3597..2b13140d 100644
--- a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml
+++ b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekey_3.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 - name: Generate privatekey 4 (ECC)
diff --git a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml
index 37b1fccd..e6286017 100644
--- a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml
+++ b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size_certifiates }}'
diff --git a/tests/integration/targets/openssl_csr/tasks/impl.yml b/tests/integration/targets/openssl_csr/tasks/impl.yml
index 7ac220e5..39f50da5 100644
--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -269,7 +269,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size }}'
diff --git a/tests/integration/targets/openssl_csr_info/tasks/main.yml b/tests/integration/targets/openssl_csr_info/tasks/main.yml
index 05ffbc51..ef9ab8da 100644
--- a/tests/integration/targets/openssl_csr_info/tasks/main.yml
+++ b/tests/integration/targets/openssl_csr_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size }}'
diff --git a/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/tests/integration/targets/openssl_pkcs12/tasks/main.yml
index cad051c6..78af1a1f 100644
--- a/tests/integration/targets/openssl_pkcs12/tasks/main.yml
+++ b/tests/integration/targets/openssl_pkcs12/tasks/main.yml
@@ -19,7 +19,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 - name: Generate CSRs
diff --git a/tests/integration/targets/openssl_privatekey/tasks/impl.yml b/tests/integration/targets/openssl_privatekey/tasks/impl.yml
index f12d23ed..b617ebc9 100644
--- a/tests/integration/targets/openssl_privatekey/tasks/impl.yml
+++ b/tests/integration/targets/openssl_privatekey/tasks/impl.yml
@@ -88,7 +88,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekey6.pem'
 passphrase: ànsïblé
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 select_crypto_backend: '{{ select_crypto_backend }}'
@@ -221,7 +220,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 select_crypto_backend: '{{ select_crypto_backend }}'
 backup: true
@@ -257,7 +255,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 select_crypto_backend: '{{ select_crypto_backend }}'
 backup: true
@@ -278,7 +275,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 select_crypto_backend: '{{ select_crypto_backend }}'
 backup: true
diff --git a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml
index ea1dff8a..bfba7258 100644
--- a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml
+++ b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml
@@ -28,7 +28,6 @@
 type: '{{ item.type | default(omit) }}'
 curve: '{{ item.curve | default(omit) }}'
 passphrase: '{{ item.passphrase | default(omit) }}'
- cipher: '{{ "auto" if item.passphrase is defined else omit }}'
 format: '{{ item.format }}'
 when: item.condition | default(true)
 loop:
diff --git a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml
index 002608cd..26023333 100644
--- a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml
+++ b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekey_3.pem'
 passphrase: hunter2
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 select_crypto_backend: cryptography
diff --git a/tests/integration/targets/openssl_publickey/tasks/impl.yml b/tests/integration/targets/openssl_publickey/tasks/impl.yml
index ad59cd8f..910b2f0b 100644
--- a/tests/integration/targets/openssl_publickey/tasks/impl.yml
+++ b/tests/integration/targets/openssl_publickey/tasks/impl.yml
@@ -94,7 +94,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekey3.pem'
 passphrase: ansible
- cipher: auto
 size: '{{ default_rsa_key_size }}'
 - name: "({{ select_crypto_backend }}) Generate publickey3 - with passphrase protected privatekey"
@@ -156,7 +155,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size }}'
diff --git a/tests/integration/targets/openssl_signature/tasks/main.yml b/tests/integration/targets/openssl_signature/tasks/main.yml
index f9ed1dec..b6201269 100644
--- a/tests/integration/targets/openssl_signature/tasks/main.yml
+++ b/tests/integration/targets/openssl_signature/tasks/main.yml
@@ -22,7 +22,6 @@
 - passwd: nopasswd
 - passwd: passwd
 privatekey_passphrase: hunter2
- privatekey_cipher: auto
 - name: Add cryptography backend
 set_fact:
@@ -72,7 +71,6 @@
 curve: '{{ item.curve | default(omit) }}'
 size: '{{ item.size | default(omit) }}'
 passphrase: '{{ item.privatekey_passphrase | default(omit) }}'
- cipher: '{{ item.privatekey_cipher | default(omit) }}'
 select_crypto_backend: cryptography
 loop: '{{ all_tests }}'
diff --git a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
index 6882e533..4b8a1ced 100644
--- a/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/tests/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -16,7 +16,6 @@
 'secp521r1' if key_type == 'ec521' else 'invalid value for key_type!' }}
 passphrase: "{{ certificate_passphrase | default(omit) | default(omit, true) }}"
- cipher: "{{ 'auto' if certificate_passphrase | default() else omit }}"
 force: true
 ## CSR ########################################################################################
 - name: ({{ certgen_title }}) Create cert CSR
diff --git a/tests/integration/targets/x509_certificate/tasks/ownca.yml b/tests/integration/targets/x509_certificate/tasks/ownca.yml
index 4bbd818e..fb9da118 100644
--- a/tests/integration/targets/x509_certificate/tasks/ownca.yml
+++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml
@@ -12,7 +12,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/ca_privatekey_pw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size_certifiates }}'
@@ -589,7 +588,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/ca_privatekey_{{ item }}.pem'
 type: '{{ item }}'
- cipher: auto
 passphrase: Test123
 ignore_errors: true
 loop:
diff --git a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml
index eeea25dd..42dec09f 100644
--- a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml
+++ b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml
@@ -12,7 +12,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size_certifiates }}'
diff --git a/tests/integration/targets/x509_certificate_info/tasks/main.yml b/tests/integration/targets/x509_certificate_info/tasks/main.yml
index d9a322ac..dc892a8b 100644
--- a/tests/integration/targets/x509_certificate_info/tasks/main.yml
+++ b/tests/integration/targets/x509_certificate_info/tasks/main.yml
@@ -22,7 +22,6 @@
 openssl_privatekey:
 path: '{{ remote_tmp_dir }}/privatekeypw.pem'
 passphrase: hunter2
- cipher: auto
 select_crypto_backend: cryptography
 size: '{{ default_rsa_key_size_certifiates }}'