Explicitly use UTC timezone in ACME OpenSSL backend (#811)

* Allow abstract backend class to handle both with and without timezone.

* Explicitly use UTC timezone in OpenSSL backend code.

plugins/module_utils/acme/backend_cryptography.py

@@ -11,7 +11,6 @@ __metaclass__ = type
 
 import base64
 import binascii
-import datetime
 import os
 import traceback
 
@@ -22,7 +21,6 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo
 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
     CertificateInformation,
     CryptoBackend,
-    _parse_acme_timestamp,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.certificates import (
@@ -38,10 +36,6 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.io import re
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.utils import nopad_b64
 
-from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
-    OpenSSLObjectError,
-)
-
 from ansible_collections.community.crypto.plugins.module_utils.crypto.math import (
     convert_int_to_bytes,
     convert_int_to_hex,
@@ -64,12 +58,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.time import (
-    ensure_utc_timezone,
-    from_epoch_seconds,
-    get_epoch_seconds,
-    get_now_datetime,
-    get_relative_time_option,
-    UTC,
+    add_or_remove_timezone,
 )
 
 CRYPTOGRAPHY_MINIMAL_VERSION = '1.5'
@@ -184,33 +173,7 @@ class CryptographyChainMatcher(ChainMatcher):
 
 class CryptographyBackend(CryptoBackend):
     def __init__(self, module):
-        super(CryptographyBackend, self).__init__(module)
-
-    def get_now(self):
-        return get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE)
-
-    def parse_acme_timestamp(self, timestamp_str):
-        return _parse_acme_timestamp(timestamp_str, with_timezone=CRYPTOGRAPHY_TIMEZONE)
-
-    def parse_module_parameter(self, value, name):
-        try:
-            return get_relative_time_option(value, name, backend='cryptography', with_timezone=CRYPTOGRAPHY_TIMEZONE)
-        except OpenSSLObjectError as exc:
-            raise BackendException(to_native(exc))
-
-    def interpolate_timestamp(self, timestamp_start, timestamp_end, percentage):
-        start = get_epoch_seconds(timestamp_start)
-        end = get_epoch_seconds(timestamp_end)
-        return from_epoch_seconds(start + percentage * (end - start), with_timezone=CRYPTOGRAPHY_TIMEZONE)
-
-    def get_utc_datetime(self, *args, **kwargs):
-        kwargs_ext = dict(kwargs)
-        if CRYPTOGRAPHY_TIMEZONE and ('tzinfo' not in kwargs_ext and len(args) < 8):
-            kwargs_ext['tzinfo'] = UTC
-        result = datetime.datetime(*args, **kwargs_ext)
-        if CRYPTOGRAPHY_TIMEZONE and ('tzinfo' in kwargs or len(args) >= 8):
-            result = ensure_utc_timezone(result)
-        return result
+        super(CryptographyBackend, self).__init__(module, with_timezone=CRYPTOGRAPHY_TIMEZONE)
 
     def parse_key(self, key_file=None, key_content=None, passphrase=None):
         '''
@@ -419,8 +382,8 @@ class CryptographyBackend(CryptoBackend):
 
         if now is None:
             now = self.get_now()
-        elif CRYPTOGRAPHY_TIMEZONE:
-            now = ensure_utc_timezone(now)
+        else:
+            now = add_or_remove_timezone(now, with_timezone=CRYPTOGRAPHY_TIMEZONE)
         return (get_not_valid_after(cert) - now).days
 
     def create_chain_matcher(self, criterium):

plugins/module_utils/acme/backend_openssl_cli.py

@@ -33,6 +33,8 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.utils import
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.math import convert_bytes_to_int
 
+from ansible_collections.community.crypto.plugins.module_utils.time import ensure_utc_timezone
+
 try:
     import ipaddress
 except ImportError:
@@ -45,7 +47,11 @@ _OPENSSL_ENVIRONMENT_UPDATE = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTY
 def _extract_date(out_text, name, cert_filename_suffix=""):
     try:
         date_str = re.search(r"\s+%s\s*:\s+(.*)" % name, out_text).group(1)
-        return datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z')
+        # For some reason Python's strptime() doesn't return any timezone information,
+        # even though the information is there and a supported timezone for all supported
+        # Python implementations (GMT). So we have to modify the datetime object by
+        # replacing it by UTC.
+        return ensure_utc_timezone(datetime.datetime.strptime(date_str, '%b %d %H:%M:%S %Y %Z'))
     except AttributeError:
         raise BackendException("No '{0}' date found{1}".format(name, cert_filename_suffix))
     except ValueError as exc:
@@ -71,7 +77,7 @@ def _extract_octets(out_text, name, required=True, potential_prefixes=None):
 
 class OpenSSLCLIBackend(CryptoBackend):
     def __init__(self, module, openssl_binary=None):
-        super(OpenSSLCLIBackend, self).__init__(module)
+        super(OpenSSLCLIBackend, self).__init__(module, with_timezone=True)
         if openssl_binary is None:
             openssl_binary = module.get_bin_path('openssl', True)
         self.openssl_binary = openssl_binary
@@ -340,7 +346,9 @@ class OpenSSLCLIBackend(CryptoBackend):
         out_text = to_text(out, errors='surrogate_or_strict')
         not_after = _extract_date(out_text, 'Not After', cert_filename_suffix=cert_filename_suffix)
         if now is None:
-            now = datetime.datetime.now()
+            now = self.get_now()
+        else:
+            now = ensure_utc_timezone(now)
         return (not_after - now).days
 
     def create_chain_matcher(self, criterium):

plugins/module_utils/acme/backends.py

@@ -32,6 +32,7 @@ from ansible_collections.community.crypto.plugins.module_utils.time import (
     get_now_datetime,
     get_relative_time_option,
     remove_timezone,
+    UTC,
 )
 
 
@@ -85,31 +86,35 @@ def _parse_acme_timestamp(timestamp_str, with_timezone):
 
 @six.add_metaclass(abc.ABCMeta)
 class CryptoBackend(object):
-    def __init__(self, module):
+    def __init__(self, module, with_timezone=False):
         self.module = module
+        self._with_timezone = with_timezone
 
     def get_now(self):
-        return get_now_datetime(with_timezone=False)
+        return get_now_datetime(with_timezone=self._with_timezone)
 
     def parse_acme_timestamp(self, timestamp_str):
         # RFC 3339 (https://www.rfc-editor.org/info/rfc3339)
-        return _parse_acme_timestamp(timestamp_str, with_timezone=False)
+        return _parse_acme_timestamp(timestamp_str, with_timezone=self._with_timezone)
 
     def parse_module_parameter(self, value, name):
         try:
-            return get_relative_time_option(value, name, backend='cryptography', with_timezone=False)
+            return get_relative_time_option(value, name, backend='cryptography', with_timezone=self._with_timezone)
         except OpenSSLObjectError as exc:
             raise BackendException(to_native(exc))
 
     def interpolate_timestamp(self, timestamp_start, timestamp_end, percentage):
         start = get_epoch_seconds(timestamp_start)
         end = get_epoch_seconds(timestamp_end)
-        return from_epoch_seconds(start + percentage * (end - start), with_timezone=False)
+        return from_epoch_seconds(start + percentage * (end - start), with_timezone=self._with_timezone)
 
     def get_utc_datetime(self, *args, **kwargs):
-        result = datetime.datetime(*args, **kwargs)
-        if 'tzinfo' in kwargs or len(args) >= 8:
-            result = remove_timezone(result)
+        kwargs_ext = dict(kwargs)
+        if self._with_timezone and ('tzinfo' not in kwargs_ext and len(args) < 8):
+            kwargs_ext['tzinfo'] = UTC
+        result = datetime.datetime(*args, **kwargs_ext)
+        if self._with_timezone and ('tzinfo' in kwargs or len(args) >= 8):
+            result = ensure_utc_timezone(result)
         return result
 
     @abc.abstractmethod