Cleanup with ruff check (#963)
* Implement improvements suggested by ruff check. * Add ruff check to CI. * Add changelog fragment.
@@ -41,9 +41,6 @@ if t.TYPE_CHECKING:
|
||||
import datetime # pragma: no cover
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule # pragma: no cover
|
||||
from cryptography.hazmat.primitives.asymmetric.types import ( # pragma: no cover
|
||||
CertificateIssuerPrivateKeyTypes,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils._crypto.cryptography_support import ( # pragma: no cover
|
||||
CertificatePrivateKeyTypes,
|
||||
@@ -324,15 +321,19 @@ class CertificateBackend(metaclass=abc.ABCMeta):
|
||||
return True
|
||||
|
||||
# Check not before
|
||||
if not_before is not None and not self.ignore_timestamps:
|
||||
if get_not_valid_before(self.existing_certificate) != not_before:
|
||||
return True
|
||||
if (
|
||||
not_before is not None
|
||||
and not self.ignore_timestamps
|
||||
and get_not_valid_before(self.existing_certificate) != not_before
|
||||
):
|
||||
return True
|
||||
|
||||
# Check not after
|
||||
if not_after is not None and not self.ignore_timestamps:
|
||||
if get_not_valid_after(self.existing_certificate) != not_after:
|
||||
return True
|
||||
return False
|
||||
return bool(
|
||||
not_after is not None
|
||||
and not self.ignore_timestamps
|
||||
and get_not_valid_after(self.existing_certificate) != not_after
|
||||
)
|
||||
|
||||
def dump(self, *, include_certificate: bool) -> dict[str, t.Any]:
|
||||
"""Serialize the object into a dictionary."""
|
||||
|
||||
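Review bot: The `!=` in the new `return bool(...)` (and in the merged `not_before` condition above it) compares datetimes across tz-awareness without raising — Python answers "unequal" rather than TypeError for `==`/`!=` between a naive and an aware value — so if `not_after` and `get_not_valid_after(...)` ever differ in awareness, the method silently reports that regeneration is needed. I cannot see where `not_after` is produced (the method starts outside the hunk), so this may already be guaranteed by the caller; if it is, a one-line comment next to the return such as `# both sides are tz-aware (see caller); a naive/aware mix would compare unequal silently` records the invariant. The `bool(...)` wrapper is redundant here since every operand is already a boolean expression, but harmless.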
@@ -46,9 +46,6 @@ if t.TYPE_CHECKING:
|
||||
PublicKeyTypes, # pragma: no cover
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils._argspec import ( # pragma: no cover
|
||||
ArgumentSpec,
|
||||
)
|
||||
from ansible_collections.community.crypto.plugins.plugin_utils._action_module import ( # pragma: no cover
|
||||
AnsibleActionModule,
|
||||
)
|
||||
@@ -56,7 +53,7 @@ if t.TYPE_CHECKING:
|
||||
FilterModuleMock,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule, FilterModuleMock
|
||||
] # pragma: no cover
|
||||
|
||||
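Review bot: The `# noqa: UP007` on the `GeneralAnsibleModule` alias suppresses the rule without recording why the `t.Union[...]` spelling is kept; since the alias sits under `if t.TYPE_CHECKING:` it is never evaluated by the interpreter, so the reason is presumably a type-checker version floor rather than a runtime one. A short trailing reason, e.g. `# noqa: UP007  # keep t.Union: <reason placeholder>`, or setting ruff's `target-version` so the rule stops firing, would save the next reader the question. The same suppression appears in the hunks `@@ -40,7 +37,7 @@`, `@@ -45,7 +44,7 @@`, both `@@ -47,7 +47,7 @@` hunks and `@@ -35,7 +35,7 @@`.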
@@ -270,9 +267,11 @@ class CertificateInfoRetrieval:
|
||||
x509.AuthorityInformationAccess
|
||||
)
|
||||
for desc in ext.value:
|
||||
if desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP:
|
||||
if isinstance(desc.access_location, x509.UniformResourceIdentifier):
|
||||
return desc.access_location.value
|
||||
if (
|
||||
desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP
|
||||
and isinstance(desc.access_location, x509.UniformResourceIdentifier)
|
||||
):
|
||||
return desc.access_location.value
|
||||
except x509.ExtensionNotFound:
|
||||
pass
|
||||
return None
|
||||
@@ -286,9 +285,8 @@ class CertificateInfoRetrieval:
|
||||
if (
|
||||
desc.access_method
|
||||
== x509.oid.AuthorityInformationAccessOID.CA_ISSUERS
|
||||
):
|
||||
if isinstance(desc.access_location, x509.UniformResourceIdentifier):
|
||||
return desc.access_location.value
|
||||
) and isinstance(desc.access_location, x509.UniformResourceIdentifier):
|
||||
return desc.access_location.value
|
||||
except x509.ExtensionNotFound:
|
||||
pass
|
||||
return None
|
||||
|
||||
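Review bot: The merged condition in the CA_ISSUERS loop puts the second operand on the closing-parenthesis line, `) and isinstance(desc.access_location, x509.UniformResourceIdentifier):`, which reads differently from the sibling OCSP branch in the previous hunk, where both operands sit on their own lines inside a single parenthesised `if (...)`. Formatting the two helpers the same way — the `==` comparison and the `isinstance` check each on their own line inside the parentheses — keeps them visually parallel and lets a reader diff them by eye. The enclosing method starts outside the hunk.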
@@ -45,9 +45,6 @@ if t.TYPE_CHECKING:
|
||||
import datetime # pragma: no cover
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule # pragma: no cover
|
||||
from cryptography.hazmat.primitives.asymmetric.types import ( # pragma: no cover
|
||||
CertificateIssuerPrivateKeyTypes,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils._argspec import ( # pragma: no cover
|
||||
ArgumentSpec,
|
||||
|
||||
@@ -181,7 +181,7 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
|
||||
assert self.existing_certificate is not None
|
||||
|
||||
# Check whether certificate is signed by private key
|
||||
if not cryptography_verify_certificate_signature(
|
||||
if not cryptography_verify_certificate_signature( # noqa: SIM103
|
||||
certificate=self.existing_certificate,
|
||||
signer_public_key=self.privatekey.public_key(),
|
||||
):
|
||||
|
||||
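Review bot: The `# noqa: SIM103` keeps the explicit `if not ...: return True` shape but gives no reason, while the analogous timestamp checks in `CertificateBackend` were rewritten to the `return bool(...)` form in the same commit. If the intent is to keep the `# Check whether certificate is signed by private key` comment attached to its own branch, saying so inline, e.g. `# noqa: SIM103  # keep the explicit branch so each check stays commented`, makes the exception read as deliberate rather than accidental. The method continues outside the hunk.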
@@ -29,9 +29,6 @@ from ansible_collections.community.crypto.plugins.module_utils._cryptography_dep
|
||||
|
||||
if t.TYPE_CHECKING:
|
||||
from ansible.module_utils.basic import AnsibleModule # pragma: no cover
|
||||
from cryptography.hazmat.primitives.asymmetric.types import ( # pragma: no cover
|
||||
PrivateKeyTypes,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.plugin_utils._action_module import ( # pragma: no cover
|
||||
AnsibleActionModule,
|
||||
@@ -40,7 +37,7 @@ if t.TYPE_CHECKING:
|
||||
FilterModuleMock,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule, FilterModuleMock
|
||||
] # pragma: no cover
|
||||
|
||||
|
||||
@@ -52,11 +52,6 @@ if t.TYPE_CHECKING:
|
||||
from ansible.module_utils.basic import AnsibleModule # pragma: no cover
|
||||
from cryptography.hazmat.primitives.asymmetric.types import ( # pragma: no cover
|
||||
CertificateIssuerPrivateKeyTypes,
|
||||
PrivateKeyTypes,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils._crypto.cryptography_support import ( # pragma: no cover
|
||||
CertificatePrivateKeyTypes,
|
||||
)
|
||||
|
||||
_ET = t.TypeVar("_ET", bound="cryptography.x509.ExtensionType") # pragma: no cover
|
||||
@@ -533,10 +528,11 @@ class CertificateSigningRequestBackend:
|
||||
)
|
||||
if set(altnames) != set(current_altnames):
|
||||
return False
|
||||
if altnames and current_altnames_ext:
|
||||
if current_altnames_ext.critical != self.subject_alt_name_critical:
|
||||
return False
|
||||
return True
|
||||
return not (
|
||||
altnames
|
||||
and current_altnames_ext
|
||||
and current_altnames_ext.critical != self.subject_alt_name_critical
|
||||
)
|
||||
|
||||
def _check_key_usage(extensions: cryptography.x509.Extensions) -> bool:
|
||||
current_keyusage_ext = _find_extension(
|
||||
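Review bot: `return not (altnames and current_altnames_ext and current_altnames_ext.critical != self.subject_alt_name_critical)` relies on a falsy `altnames` or `current_altnames_ext` short-circuiting to a True result, so the helper's contract — True means the existing SAN extension matches the requested one, including its critical flag — is now only implicit. A one-line comment above the return, `# matches unless a SAN is requested, present, and its critical flag differs`, would make the verdict explicit. The same shape is used in the hunks `@@ -578,10 +574,11 @@` (extended key usage) and `@@ -652,10 +649,11 @@` (name constraints) and would benefit from the same comment; the enclosing helper starts outside the hunk.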
@@ -578,10 +574,11 @@ class CertificateSigningRequestBackend:
|
||||
)
|
||||
if set(current_usages) != set(usages):
|
||||
return False
|
||||
if usages and current_usages_ext:
|
||||
if current_usages_ext.critical != self.extended_key_usage_critical:
|
||||
return False
|
||||
return True
|
||||
return not (
|
||||
usages
|
||||
and current_usages_ext
|
||||
and current_usages_ext.critical != self.extended_key_usage_critical
|
||||
)
|
||||
|
||||
def _check_basic_constraints(extensions: cryptography.x509.Extensions) -> bool:
|
||||
bc_ext = _find_extension(extensions, cryptography.x509.BasicConstraints)
|
||||
@@ -652,10 +649,11 @@ class CertificateSigningRequestBackend:
|
||||
current_nc_excl
|
||||
):
|
||||
return False
|
||||
if (nc_perm or nc_excl) and current_nc_ext:
|
||||
if current_nc_ext.critical != self.name_constraints_critical:
|
||||
return False
|
||||
return True
|
||||
return not (
|
||||
(nc_perm or nc_excl)
|
||||
and current_nc_ext
|
||||
and current_nc_ext.critical != self.name_constraints_critical
|
||||
)
|
||||
|
||||
def _check_subject_key_identifier(
|
||||
extensions: cryptography.x509.Extensions,
|
||||
|
||||
@@ -35,7 +35,6 @@ if t.TYPE_CHECKING:
|
||||
from ansible.module_utils.basic import AnsibleModule # pragma: no cover
|
||||
from cryptography.hazmat.primitives.asymmetric.types import ( # pragma: no cover
|
||||
CertificatePublicKeyTypes,
|
||||
PrivateKeyTypes,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.plugin_utils._action_module import ( # pragma: no cover
|
||||
@@ -45,7 +44,7 @@ if t.TYPE_CHECKING:
|
||||
FilterModuleMock,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule, FilterModuleMock
|
||||
] # pragma: no cover
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ if t.TYPE_CHECKING:
|
||||
AnsibleActionModule,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule
|
||||
] # pragma: no cover
|
||||
|
||||
@@ -495,26 +495,28 @@ class PrivateKeyBackend:
|
||||
" set to `full_idempotence` or `always`, or with `force=true`."
|
||||
)
|
||||
self._ensure_existing_private_key_loaded()
|
||||
if self.regenerate != "never":
|
||||
if not self._check_size_and_type():
|
||||
if self.regenerate in ("partial_idempotence", "full_idempotence"):
|
||||
return True
|
||||
self.module.fail_json(
|
||||
msg="Key has wrong type and/or size."
|
||||
" Will not proceed. To force regeneration, call the module with `generate`"
|
||||
" set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
|
||||
)
|
||||
if self.regenerate != "never" and not self._check_size_and_type():
|
||||
if self.regenerate in ("partial_idempotence", "full_idempotence"):
|
||||
return True
|
||||
self.module.fail_json(
|
||||
msg="Key has wrong type and/or size."
|
||||
" Will not proceed. To force regeneration, call the module with `generate`"
|
||||
" set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
|
||||
)
|
||||
# During generation step, regenerate if format does not match and format_mismatch == 'regenerate'
|
||||
if self.format_mismatch == "regenerate" and self.regenerate != "never":
|
||||
if not self._check_format():
|
||||
if self.regenerate in ("partial_idempotence", "full_idempotence"):
|
||||
return True
|
||||
self.module.fail_json(
|
||||
msg="Key has wrong format."
|
||||
" Will not proceed. To force regeneration, call the module with `generate`"
|
||||
" set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
|
||||
" To convert the key, set `format_mismatch` to `convert`."
|
||||
)
|
||||
if (
|
||||
self.format_mismatch == "regenerate"
|
||||
and self.regenerate != "never"
|
||||
and not self._check_format()
|
||||
):
|
||||
if self.regenerate in ("partial_idempotence", "full_idempotence"):
|
||||
return True
|
||||
self.module.fail_json(
|
||||
msg="Key has wrong format."
|
||||
" Will not proceed. To force regeneration, call the module with `generate`"
|
||||
" set to `partial_idempotence`, `full_idempotence` or `always`, or with `force=true`."
|
||||
" To convert the key, set `format_mismatch` to `convert`."
|
||||
)
|
||||
return False
|
||||
|
||||
def needs_conversion(self) -> bool:
|
||||
|
||||
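Review bot: After each `self.module.fail_json(...)` in the merged conditions the code falls straight through into the next check, so correctness depends on `fail_json` never returning; `self.module` is typed as the `GeneralAnsibleModule` union elsewhere in this commit, and I cannot see from here whether every member's `fail_json` exits. If it does, a comment such as `# fail_json() does not return` after the first call documents the assumption; if any member can return, the wrong-format check would run against a key already reported as wrong. The method starts outside the hunk.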
@@ -47,7 +47,7 @@ if t.TYPE_CHECKING:
|
||||
FilterModuleMock,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule, FilterModuleMock
|
||||
] # pragma: no cover
|
||||
|
||||
@@ -122,9 +122,7 @@ def _check_dsa_consistency(
|
||||
if binary_exp_mod(g, x, m=p) != y:
|
||||
return False
|
||||
# Check (quickly) whether p or q are not primes
|
||||
if quick_is_not_prime(q) or quick_is_not_prime(p):
|
||||
return False
|
||||
return True
|
||||
return not (quick_is_not_prime(q) or quick_is_not_prime(p))
|
||||
|
||||
|
||||
def _is_cryptography_key_consistent(
|
||||
|
||||
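Review bot: `return not (quick_is_not_prime(q) or quick_is_not_prime(p))` turns a quick compositeness filter into the function's final verdict, and the `# Check (quickly) whether p or q are not primes` comment now sits above a statement that no longer says what a True result means. As the name suggests, `quick_is_not_prime` returning False only means no obvious factor was found, not that the value is prime, so a comment such as `# True means "no inconsistency found", not a proof that p and q are prime` would keep callers from treating the result as full validation. The function's docstring is outside the hunk and may already say this.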
@@ -35,7 +35,7 @@ if t.TYPE_CHECKING:
|
||||
FilterModuleMock,
|
||||
)
|
||||
|
||||
GeneralAnsibleModule = t.Union[
|
||||
GeneralAnsibleModule = t.Union[ # noqa: UP007
|
||||
AnsibleModule, AnsibleActionModule, FilterModuleMock
|
||||
] # pragma: no cover
|
||||
|
||||
|
||||