a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Handle pyOpenSSL 23.3.0, which removed PKCS#12 support (at least partially). (#666)

pull/669/head
Felix Fontein 2023-10-28 15:38:07 +02:00 committed by GitHub
parent fccc9d32ee
commit d1299c11d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
changelogs/fragments/pkcs12.yml Normal file
View File

@ -0,0 +1,2 @@
bugfixes:
- "openssl_pkcs12 - modify autodetect to not detect pyOpenSSL >= 23.3.0, which removed PKCS#12 support (https://github.com/ansible-collections/community.crypto/pull/666)."

21
plugins/modules/openssl_pkcs12.py
View File

@ -24,7 +24,7 @@ description:
# Please note that the C(pyopenssl) backend has been deprecated in community.crypto x.y.0, # Please note that the C(pyopenssl) backend has been deprecated in community.crypto x.y.0,
# and will be removed in community.crypto (x+1).0.0. # and will be removed in community.crypto (x+1).0.0.
requirements: requirements:
- PyOpenSSL >= 0.15 or cryptography >= 3.0 - PyOpenSSL >= 0.15, < 23.3.0 or cryptography >= 3.0
extends_documentation_fragment: extends_documentation_fragment:
- ansible.builtin.files - ansible.builtin.files
- community.crypto.attributes - community.crypto.attributes
@ -302,11 +302,13 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
MINIMAL_CRYPTOGRAPHY_VERSION = '3.0' MINIMAL_CRYPTOGRAPHY_VERSION = '3.0'
MINIMAL_PYOPENSSL_VERSION = '0.15' MINIMAL_PYOPENSSL_VERSION = '0.15'
MAXIMAL_PYOPENSSL_VERSION = '23.3.0'
PYOPENSSL_IMP_ERR = None PYOPENSSL_IMP_ERR = None
try: try:
import OpenSSL import OpenSSL
from OpenSSL import crypto from OpenSSL import crypto
from OpenSSL.crypto import load_pkcs12 as _load_pkcs12 # this got removed in pyOpenSSL 23.3.0
PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
except (ImportError, AttributeError): except (ImportError, AttributeError):
PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_IMP_ERR = traceback.format_exc()
@ -711,7 +713,11 @@ def select_backend(module, backend):
if backend == 'auto': if backend == 'auto':
# Detection what is possible # Detection what is possible
can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION) can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION) can_use_pyopenssl = (
PYOPENSSL_FOUND and
PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION) and
PYOPENSSL_VERSION < LooseVersion(MAXIMAL_PYOPENSSL_VERSION)
)
# If no restrictions are provided, first try cryptography, then pyOpenSSL # If no restrictions are provided, first try cryptography, then pyOpenSSL
if ( if (
@ -728,14 +734,17 @@ def select_backend(module, backend):
# Success? # Success?
if backend == 'auto': if backend == 'auto':
module.fail_json(msg=("Cannot detect any of the required Python libraries " module.fail_json(msg=("Cannot detect any of the required Python libraries "
"cryptography (>= {0}) or PyOpenSSL (>= {1})").format( "cryptography (>= {0}) or PyOpenSSL (>= {1}, < {2})").format(
MINIMAL_CRYPTOGRAPHY_VERSION, MINIMAL_CRYPTOGRAPHY_VERSION,
MINIMAL_PYOPENSSL_VERSION)) MINIMAL_PYOPENSSL_VERSION,
MAXIMAL_PYOPENSSL_VERSION))
if backend == 'pyopenssl': if backend == 'pyopenssl':
if not PYOPENSSL_FOUND: if not PYOPENSSL_FOUND:
module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)), msg = missing_required_lib(
exception=PYOPENSSL_IMP_ERR) 'pyOpenSSL >= {0}, < {1}'.format(MINIMAL_PYOPENSSL_VERSION, MAXIMAL_PYOPENSSL_VERSION)
)
module.fail_json(msg=msg, exception=PYOPENSSL_IMP_ERR)
# module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated', # module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
# version='x.0.0', collection_name='community.crypto') # version='x.0.0', collection_name='community.crypto')
return backend, PkcsPyOpenSSL(module) return backend, PkcsPyOpenSSL(module)

14
tests/integration/targets/openssl_pkcs12/tasks/main.yml
View File

@ -69,7 +69,10 @@
vars: vars:
select_crypto_backend: pyopenssl select_crypto_backend: pyopenssl
when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') when: >-
(pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
and
(pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
- block: - block:
- name: Running tests with cryptography backend - name: Running tests with cryptography backend
@ -79,4 +82,11 @@
when: cryptography_version.stdout is version('3.0', '>=') when: cryptography_version.stdout is version('3.0', '>=')
when: (pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=') or cryptography_version.stdout is version('3.0', '>=') when: >-
(
(pyopenssl_version.stdout | default('0.0')) is version('0.15', '>=')
and
(pyopenssl_version.stdout | default('0.0')) is version('23.3.0', '<')
)
or
cryptography_version.stdout is version('3.0', '>=')