More refactorings (#890)

* Improve typing. * Improve version parameter validation for x509_certificate* modules. * Use utils for parsing retry-after.
2026-05-06 21:33:00 +00:00 · 2025-05-16 21:53:18 +02:00
parent 44bcc8cebc
commit 56f004dc63
11 changed files with 41 additions and 33 deletions
--- a/plugins/module_utils/_crypto/module_backends/certificate.py
+++ b/plugins/module_utils/_crypto/module_backends/certificate.py
@@ -360,10 +360,6 @@ class CertificateProvider(metaclass=abc.ABCMeta):
    def validate_module_args(self, module: AnsibleModule) -> None:
        """Check module arguments"""

-    @abc.abstractmethod
-    def needs_version_two_certs(self, module: AnsibleModule) -> bool:
-        """Whether the provider needs to create a version 2 certificate."""
-
    @abc.abstractmethod
    def create_backend(self, module: AnsibleModule) -> CertificateBackend:
        """Create an implementation for a backend.
@@ -381,12 +377,6 @@ def select_backend(
        module, minimum_cryptography_version=MINIMAL_CRYPTOGRAPHY_VERSION
    )

-    if provider.needs_version_two_certs(module):
-        # TODO: remove
-        module.fail_json(
-            msg="The cryptography backend does not support v2 certificates"
-        )
-
    return provider.create_backend(module)


--- a/plugins/module_utils/_crypto/module_backends/certificate_acme.py
+++ b/plugins/module_utils/_crypto/module_backends/certificate_acme.py
@@ -121,9 +121,6 @@ class AcmeCertificateProvider(CertificateProvider):
                msg="The acme_challenge_path option must be specified for the acme provider."
            )

-    def needs_version_two_certs(self, module: AnsibleModule) -> bool:
-        return False
-
    def create_backend(self, module: AnsibleModule) -> AcmeCertificateBackend:
        return AcmeCertificateBackend(module=module)

--- a/plugins/module_utils/_crypto/module_backends/certificate_entrust.py
+++ b/plugins/module_utils/_crypto/module_backends/certificate_entrust.py
@@ -226,9 +226,6 @@ class EntrustCertificateProvider(CertificateProvider):
    def validate_module_args(self, module: AnsibleModule) -> None:
        pass

-    def needs_version_two_certs(self, module: AnsibleModule) -> t.Literal[False]:
-        return False
-
    def create_backend(self, module: AnsibleModule) -> EntrustCertificateBackend:
        return EntrustCertificateBackend(module=module)

--- a/plugins/module_utils/_crypto/module_backends/certificate_ownca.py
+++ b/plugins/module_utils/_crypto/module_backends/certificate_ownca.py
@@ -82,7 +82,6 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
            with_timezone=CRYPTOGRAPHY_TIMEZONE,
        )
        self.digest = select_message_digest(module.params["ownca_digest"])
-        self.version: int = module.params["ownca_version"]
        self.serial_number = x509.random_serial_number()
        self.ca_cert_path: str | None = module.params["ownca_path"]
        ca_cert_content: str | None = module.params["ownca_content"]
@@ -335,9 +334,6 @@ class OwnCACertificateProvider(CertificateProvider):
                msg="One of ownca_privatekey_path and ownca_privatekey_content must be specified for the ownca provider."
            )

-    def needs_version_two_certs(self, module: AnsibleModule) -> bool:
-        return module.params["ownca_version"] == 2
-
    def create_backend(
        self, module: AnsibleModule
    ) -> OwnCACertificateBackendCryptography:
@@ -354,7 +350,7 @@ def add_ownca_provider_to_argument_spec(argument_spec: ArgumentSpec) -> None:
            ownca_privatekey_content=dict(type="str", no_log=True),
            ownca_privatekey_passphrase=dict(type="str", no_log=True),
            ownca_digest=dict(type="str", default="sha256"),
-            ownca_version=dict(type="int", default=3),
+            ownca_version=dict(type="int", default=3, choices=[3]),  # not used
            ownca_not_before=dict(type="str", default="+0s"),
            ownca_not_after=dict(type="str", default="+3650d"),
            ownca_create_subject_key_identifier=dict(
--- a/plugins/module_utils/_crypto/module_backends/certificate_selfsigned.py
+++ b/plugins/module_utils/_crypto/module_backends/certificate_selfsigned.py
@@ -75,7 +75,6 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
            with_timezone=CRYPTOGRAPHY_TIMEZONE,
        )
        self.digest = select_message_digest(module.params["selfsigned_digest"])
-        self.version: int = module.params["selfsigned_version"]
        self.serial_number = x509.random_serial_number()

        if self.csr_path is not None and not os.path.exists(self.csr_path):
@@ -235,9 +234,6 @@ class SelfSignedCertificateProvider(CertificateProvider):
                msg="One of privatekey_path and privatekey_content must be specified for the selfsigned provider."
            )

-    def needs_version_two_certs(self, module: AnsibleModule) -> bool:
-        return module.params["selfsigned_version"] == 2
-
    def create_backend(
        self, module: AnsibleModule
    ) -> SelfSignedCertificateBackendCryptography:
@@ -248,7 +244,7 @@ def add_selfsigned_provider_to_argument_spec(argument_spec: ArgumentSpec) -> Non
    argument_spec.argument_spec["provider"]["choices"].append("selfsigned")
    argument_spec.argument_spec.update(
        dict(
-            selfsigned_version=dict(type="int", default=3),
+            selfsigned_version=dict(type="int", default=3, choices=[3]),  # not used
            selfsigned_digest=dict(type="str", default="sha256"),
            selfsigned_not_before=dict(
                type="str", default="+0s", aliases=["selfsigned_notBefore"]