Cleanup with ruff check (#963)

* Implement improvements suggested by ruff check.

* Add ruff check to CI.

* Add changelog fragment.

plugins/module_utils/_crypto/cryptography_support.py

@@ -114,19 +114,16 @@ if t.TYPE_CHECKING:
         PrivateKeyTypes,
         PublicKeyTypes,
     )
-    from cryptography.hazmat.primitives.serialization.pkcs12 import (  # pragma: no cover
-        PKCS12KeyAndCertificates,
-    )
 
-    CertificatePrivateKeyTypes = t.Union[
+    CertificatePrivateKeyTypes = t.Union[  # noqa: UP007
         CertificateIssuerPrivateKeyTypes,
         cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey,
         cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey,
     ]  # pragma: no cover
-    PublicKeyTypesWOEdwards = t.Union[  # pylint: disable=invalid-name
+    PublicKeyTypesWOEdwards = t.Union[  # noqa: UP007 # pylint: disable=invalid-name
         DHPublicKey, DSAPublicKey, EllipticCurvePublicKey, RSAPublicKey
     ]  # pragma: no cover
-    PrivateKeyTypesWOEdwards = t.Union[  # pylint: disable=invalid-name
+    PrivateKeyTypesWOEdwards = t.Union[  # noqa: UP007 # pylint: disable=invalid-name
         DHPrivateKey, DSAPrivateKey, EllipticCurvePrivateKey, RSAPrivateKey
     ]  # pragma: no cover
 else:
@@ -727,9 +724,9 @@ def cryptography_key_needs_digest_for_signing(
         key, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey
     ):
         return False
-    if isinstance(key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey):
-        return False
-    return True
+    return not isinstance(
+        key, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey
+    )
 
 
 def _compare_public_keys(

plugins/module_utils/_crypto/module_backends/certificate.py

@@ -41,9 +41,6 @@ if t.TYPE_CHECKING:
     import datetime  # pragma: no cover
 
     from ansible.module_utils.basic import AnsibleModule  # pragma: no cover
-    from cryptography.hazmat.primitives.asymmetric.types import (  # pragma: no cover
-        CertificateIssuerPrivateKeyTypes,
-    )
 
     from ansible_collections.community.crypto.plugins.module_utils._crypto.cryptography_support import (  # pragma: no cover
         CertificatePrivateKeyTypes,
@@ -324,15 +321,19 @@ class CertificateBackend(metaclass=abc.ABCMeta):
             return True
 
         # Check not before
-        if not_before is not None and not self.ignore_timestamps:
-            if get_not_valid_before(self.existing_certificate) != not_before:
-                return True
+        if (
+            not_before is not None
+            and not self.ignore_timestamps
+            and get_not_valid_before(self.existing_certificate) != not_before
+        ):
+            return True
 
         # Check not after
-        if not_after is not None and not self.ignore_timestamps:
-            if get_not_valid_after(self.existing_certificate) != not_after:
-                return True
-        return False
+        return bool(
+            not_after is not None
+            and not self.ignore_timestamps
+            and get_not_valid_after(self.existing_certificate) != not_after
+        )
 
     def dump(self, *, include_certificate: bool) -> dict[str, t.Any]:
         """Serialize the object into a dictionary."""

plugins/module_utils/_crypto/module_backends/certificate_info.py

@@ -46,9 +46,6 @@ if t.TYPE_CHECKING:
         PublicKeyTypes,  # pragma: no cover
     )
 
-    from ansible_collections.community.crypto.plugins.module_utils._argspec import (  # pragma: no cover
-        ArgumentSpec,
-    )
     from ansible_collections.community.crypto.plugins.plugin_utils._action_module import (  # pragma: no cover
         AnsibleActionModule,
     )
@@ -56,7 +53,7 @@ if t.TYPE_CHECKING:
         FilterModuleMock,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule, FilterModuleMock
     ]  # pragma: no cover
 
@@ -270,9 +267,11 @@ class CertificateInfoRetrieval:
                 x509.AuthorityInformationAccess
             )
             for desc in ext.value:
-                if desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP:
-                    if isinstance(desc.access_location, x509.UniformResourceIdentifier):
-                        return desc.access_location.value
+                if (
+                    desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP
+                    and isinstance(desc.access_location, x509.UniformResourceIdentifier)
+                ):
+                    return desc.access_location.value
         except x509.ExtensionNotFound:
             pass
         return None
@@ -286,9 +285,8 @@ class CertificateInfoRetrieval:
                 if (
                     desc.access_method
                     == x509.oid.AuthorityInformationAccessOID.CA_ISSUERS
-                ):
-                    if isinstance(desc.access_location, x509.UniformResourceIdentifier):
-                        return desc.access_location.value
+                ) and isinstance(desc.access_location, x509.UniformResourceIdentifier):
+                    return desc.access_location.value
         except x509.ExtensionNotFound:
             pass
         return None

plugins/module_utils/_crypto/module_backends/certificate_ownca.py

@@ -45,9 +45,6 @@ if t.TYPE_CHECKING:
     import datetime  # pragma: no cover
 
     from ansible.module_utils.basic import AnsibleModule  # pragma: no cover
-    from cryptography.hazmat.primitives.asymmetric.types import (  # pragma: no cover
-        CertificateIssuerPrivateKeyTypes,
-    )
 
     from ansible_collections.community.crypto.plugins.module_utils._argspec import (  # pragma: no cover
         ArgumentSpec,

plugins/module_utils/_crypto/module_backends/certificate_selfsigned.py

@@ -181,7 +181,7 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
         assert self.existing_certificate is not None
 
         # Check whether certificate is signed by private key
-        if not cryptography_verify_certificate_signature(
+        if not cryptography_verify_certificate_signature(  # noqa: SIM103
             certificate=self.existing_certificate,
             signer_public_key=self.privatekey.public_key(),
         ):

plugins/module_utils/_crypto/module_backends/crl_info.py

@@ -29,9 +29,6 @@ from ansible_collections.community.crypto.plugins.module_utils._cryptography_dep
 
 if t.TYPE_CHECKING:
     from ansible.module_utils.basic import AnsibleModule  # pragma: no cover
-    from cryptography.hazmat.primitives.asymmetric.types import (  # pragma: no cover
-        PrivateKeyTypes,
-    )
 
     from ansible_collections.community.crypto.plugins.plugin_utils._action_module import (  # pragma: no cover
         AnsibleActionModule,
@@ -40,7 +37,7 @@ if t.TYPE_CHECKING:
         FilterModuleMock,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule, FilterModuleMock
     ]  # pragma: no cover
 

plugins/module_utils/_crypto/module_backends/csr.py

@@ -52,11 +52,6 @@ if t.TYPE_CHECKING:
     from ansible.module_utils.basic import AnsibleModule  # pragma: no cover
     from cryptography.hazmat.primitives.asymmetric.types import (  # pragma: no cover
         CertificateIssuerPrivateKeyTypes,
-        PrivateKeyTypes,
-    )
-
-    from ansible_collections.community.crypto.plugins.module_utils._crypto.cryptography_support import (  # pragma: no cover
-        CertificatePrivateKeyTypes,
     )
 
     _ET = t.TypeVar("_ET", bound="cryptography.x509.ExtensionType")  # pragma: no cover
@@ -533,10 +528,11 @@ class CertificateSigningRequestBackend:
             )
             if set(altnames) != set(current_altnames):
                 return False
-            if altnames and current_altnames_ext:
-                if current_altnames_ext.critical != self.subject_alt_name_critical:
-                    return False
-            return True
+            return not (
+                altnames
+                and current_altnames_ext
+                and current_altnames_ext.critical != self.subject_alt_name_critical
+            )
 
         def _check_key_usage(extensions: cryptography.x509.Extensions) -> bool:
             current_keyusage_ext = _find_extension(
@@ -578,10 +574,11 @@ class CertificateSigningRequestBackend:
             )
             if set(current_usages) != set(usages):
                 return False
-            if usages and current_usages_ext:
-                if current_usages_ext.critical != self.extended_key_usage_critical:
-                    return False
-            return True
+            return not (
+                usages
+                and current_usages_ext
+                and current_usages_ext.critical != self.extended_key_usage_critical
+            )
 
         def _check_basic_constraints(extensions: cryptography.x509.Extensions) -> bool:
             bc_ext = _find_extension(extensions, cryptography.x509.BasicConstraints)
@@ -652,10 +649,11 @@ class CertificateSigningRequestBackend:
                 current_nc_excl
             ):
                 return False
-            if (nc_perm or nc_excl) and current_nc_ext:
-                if current_nc_ext.critical != self.name_constraints_critical:
-                    return False
-            return True
+            return not (
+                (nc_perm or nc_excl)
+                and current_nc_ext
+                and current_nc_ext.critical != self.name_constraints_critical
+            )
 
         def _check_subject_key_identifier(
             extensions: cryptography.x509.Extensions,

plugins/module_utils/_crypto/module_backends/csr_info.py

@@ -35,7 +35,6 @@ if t.TYPE_CHECKING:
     from ansible.module_utils.basic import AnsibleModule  # pragma: no cover
     from cryptography.hazmat.primitives.asymmetric.types import (  # pragma: no cover
         CertificatePublicKeyTypes,
-        PrivateKeyTypes,
     )
 
     from ansible_collections.community.crypto.plugins.plugin_utils._action_module import (  # pragma: no cover
@@ -45,7 +44,7 @@ if t.TYPE_CHECKING:
         FilterModuleMock,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule, FilterModuleMock
     ]  # pragma: no cover
 

plugins/module_utils/_crypto/module_backends/privatekey.py

@@ -47,7 +47,7 @@ if t.TYPE_CHECKING:
         AnsibleActionModule,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule
     ]  # pragma: no cover
 
@@ -495,26 +495,28 @@ class PrivateKeyBackend:
                 " set to `full_idempotence` or `always`, or with `force=true`."
             )
         self._ensure_existing_private_key_loaded()
-        if self.regenerate != "never":
-            if not self._check_size_and_type():
-                if self.regenerate in ("partial_idempotence", "full_idempotence"):
-                    return True
-                self.module.fail_json(
-                    msg="Key has wrong type and/or size."
-                    " Will not proceed. To force regeneration, call the module with `generate`"
-                    " set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
-                )
+        if self.regenerate != "never" and not self._check_size_and_type():
+            if self.regenerate in ("partial_idempotence", "full_idempotence"):
+                return True
+            self.module.fail_json(
+                msg="Key has wrong type and/or size."
+                " Will not proceed. To force regeneration, call the module with `generate`"
+                " set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
+            )
         # During generation step, regenerate if format does not match and format_mismatch == 'regenerate'
-        if self.format_mismatch == "regenerate" and self.regenerate != "never":
-            if not self._check_format():
-                if self.regenerate in ("partial_idempotence", "full_idempotence"):
-                    return True
-                self.module.fail_json(
-                    msg="Key has wrong format."
-                    " Will not proceed. To force regeneration, call the module with `generate`"
-                    " set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
-                    " To convert the key, set `format_mismatch` to `convert`."
-                )
+        if (
+            self.format_mismatch == "regenerate"
+            and self.regenerate != "never"
+            and not self._check_format()
+        ):
+            if self.regenerate in ("partial_idempotence", "full_idempotence"):
+                return True
+            self.module.fail_json(
+                msg="Key has wrong format."
+                " Will not proceed. To force regeneration, call the module with `generate`"
+                " set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
+                " To convert the key, set `format_mismatch` to `convert`."
+            )
         return False
 
     def needs_conversion(self) -> bool:

plugins/module_utils/_crypto/module_backends/privatekey_info.py

@@ -47,7 +47,7 @@ if t.TYPE_CHECKING:
         FilterModuleMock,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule, FilterModuleMock
     ]  # pragma: no cover
 
@@ -122,9 +122,7 @@ def _check_dsa_consistency(
     if binary_exp_mod(g, x, m=p) != y:
         return False
     # Check (quickly) whether p or q are not primes
-    if quick_is_not_prime(q) or quick_is_not_prime(p):
-        return False
-    return True
+    return not (quick_is_not_prime(q) or quick_is_not_prime(p))
 
 
 def _is_cryptography_key_consistent(

plugins/module_utils/_crypto/module_backends/publickey_info.py

@@ -35,7 +35,7 @@ if t.TYPE_CHECKING:
         FilterModuleMock,
     )
 
-    GeneralAnsibleModule = t.Union[
+    GeneralAnsibleModule = t.Union[  # noqa: UP007
         AnsibleModule, AnsibleActionModule, FilterModuleMock
     ]  # pragma: no cover