diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml index 8d8c30ce..6f0af5de 100644 --- a/.azure-pipelines/azure-pipelines.yml +++ b/.azure-pipelines/azure-pipelines.yml @@ -320,7 +320,7 @@ stages: nameFormat: Python {0} testFormat: 2.9/cloud/{0}/1 targets: - - test: 3.5 + - test: 2.7 ## Finally diff --git a/changelogs/fragments/446-fix.yml b/changelogs/fragments/446-fix.yml new file mode 100644 index 00000000..1ac3f1e4 --- /dev/null +++ b/changelogs/fragments/446-fix.yml @@ -0,0 +1,2 @@ +bugfixes: + - "Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https://github.com/ansible-collections/community.crypto/pull/446)." diff --git a/plugins/module_utils/crypto/basic.py b/plugins/module_utils/crypto/basic.py index 6bda7aa5..9d9bb2b4 100644 --- a/plugins/module_utils/crypto/basic.py +++ b/plugins/module_utils/crypto/basic.py @@ -26,7 +26,7 @@ try: import OpenSSL # noqa from OpenSSL import crypto # noqa HAS_PYOPENSSL = True -except ImportError: +except (ImportError, AttributeError): # Error handled in the calling module. HAS_PYOPENSSL = False diff --git a/plugins/module_utils/crypto/module_backends/certificate.py b/plugins/module_utils/crypto/module_backends/certificate.py index 557daede..6322691a 100644 --- a/plugins/module_utils/crypto/module_backends/certificate.py +++ b/plugins/module_utils/crypto/module_backends/certificate.py @@ -45,7 +45,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/certificate_assertonly.py b/plugins/module_utils/crypto/module_backends/certificate_assertonly.py index 016dbbde..dcb45bc0 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_assertonly.py 
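Review bot: The widened handler `except (ImportError, AttributeError):` in basic.py has no comment saying why an AttributeError is expected from an import, and as written it also swallows any unrelated AttributeError raised inside the try body. Going by the changelog fragment, the case being handled is pyOpenSSL failing to load against an incompatible cryptography version, so I would add `# AttributeError: pyOpenSSL can fail this way on import with an incompatible cryptography version` above the handler. The same one-line change recurs in the module_backends files, pyopenssl_support.py, support.py and the modules under plugins/modules, and the comment applies to each. The try block starts above the hunk, so what else it wraps is not visible here.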
+++ b/plugins/module_utils/crypto/module_backends/certificate_assertonly.py @@ -37,7 +37,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac try: import OpenSSL from OpenSSL import crypto -except ImportError: +except (ImportError, AttributeError): pass try: diff --git a/plugins/module_utils/crypto/module_backends/certificate_info.py b/plugins/module_utils/crypto/module_backends/certificate_info.py index 8da72d4a..9a7b2b1b 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -59,7 +59,7 @@ try: # OpenSSL 1.0.x or older OPENSSL_MUST_STAPLE_NAME = b"1.3.6.1.5.5.7.1.24" OPENSSL_MUST_STAPLE_VALUE = b"DER:30:03:02:01:05" -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/certificate_ownca.py b/plugins/module_utils/crypto/module_backends/certificate_ownca.py index f348e00f..e2391c58 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py +++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py @@ -43,7 +43,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac try: from OpenSSL import crypto -except ImportError: +except (ImportError, AttributeError): pass try: diff --git a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py index 141a6f74..f2249fd1 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py +++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py @@ -33,7 +33,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac try: from OpenSSL import crypto -except ImportError: +except (ImportError, AttributeError): pass try: 
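Review bot: In certificate_assertonly.py the handler body is `pass`, so when the import fails with AttributeError the traceback is dropped and `OpenSSL`/`crypto` stay unbound in this module. That was adequate for a missing package, but a mismatch between an installed pyOpenSSL and cryptography is harder to diagnose without the original error. If the calling module does not already report it (not visible in this hunk), consider keeping the reason as the sibling backends do with `PYOPENSSL_IMP_ERR = traceback.format_exc()`, provided `traceback` is imported there. Otherwise at least add `# Error handled in the calling module.` as basic.py has. The same applies to the certificate_ownca.py and certificate_selfsigned.py hunks.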
diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py index 129debe9..4da3b97e 100644 --- a/plugins/module_utils/crypto/module_backends/csr.py +++ b/plugins/module_utils/crypto/module_backends/csr.py @@ -63,7 +63,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/csr_info.py b/plugins/module_utils/crypto/module_backends/csr_info.py index 2b3f550c..096cd1d2 100644 --- a/plugins/module_utils/crypto/module_backends/csr_info.py +++ b/plugins/module_utils/crypto/module_backends/csr_info.py @@ -57,7 +57,7 @@ try: # OpenSSL 1.0.x or older OPENSSL_MUST_STAPLE_NAME = b"1.3.6.1.5.5.7.1.24" OPENSSL_MUST_STAPLE_VALUE = b"DER:30:03:02:01:05" -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/privatekey.py b/plugins/module_utils/crypto/module_backends/privatekey.py index 474738bc..7d5803b2 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey.py +++ b/plugins/module_utils/crypto/module_backends/privatekey.py @@ -54,7 +54,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/privatekey_info.py b/plugins/module_utils/crypto/module_backends/privatekey_info.py index 52bd2c1f..9039dbb8 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey_info.py +++ b/plugins/module_utils/crypto/module_backends/privatekey_info.py 
@@ -49,7 +49,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/module_backends/publickey_info.py b/plugins/module_utils/crypto/module_backends/publickey_info.py index a51363f0..2e071354 100644 --- a/plugins/module_utils/crypto/module_backends/publickey_info.py +++ b/plugins/module_utils/crypto/module_backends/publickey_info.py @@ -38,7 +38,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/module_utils/crypto/pyopenssl_support.py b/plugins/module_utils/crypto/pyopenssl_support.py index 9a32253d..e789d236 100644 --- a/plugins/module_utils/crypto/pyopenssl_support.py +++ b/plugins/module_utils/crypto/pyopenssl_support.py @@ -29,7 +29,7 @@ from ._objects import OID_LOOKUP try: import OpenSSL -except ImportError: +except (ImportError, AttributeError): # Error handled in the calling module. pass diff --git a/plugins/module_utils/crypto/support.py b/plugins/module_utils/crypto/support.py index 67b7226c..1353ac24 100644 --- a/plugins/module_utils/crypto/support.py +++ b/plugins/module_utils/crypto/support.py @@ -32,7 +32,7 @@ from ansible.module_utils.common.text.converters import to_native, to_bytes try: from OpenSSL import crypto HAS_PYOPENSSL = True -except ImportError: +except (ImportError, AttributeError): # Error handled in the calling module. HAS_PYOPENSSL = False diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py index d793a1b4..876ad859 100644 --- a/plugins/modules/get_certificate.py +++ b/plugins/modules/get_certificate.py 
@@ -198,7 +198,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/modules/openssl_pkcs12.py b/plugins/modules/openssl_pkcs12.py index d891c9cd..e659d6cd 100644 --- a/plugins/modules/openssl_pkcs12.py +++ b/plugins/modules/openssl_pkcs12.py @@ -276,7 +276,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py index 57cb50d7..60f71c77 100644 --- a/plugins/modules/openssl_publickey.py +++ b/plugins/modules/openssl_publickey.py @@ -217,7 +217,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py index 26db52cd..4406c484 100644 --- a/plugins/modules/openssl_signature.py +++ b/plugins/modules/openssl_signature.py @@ -108,7 +108,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/plugins/modules/openssl_signature_info.py b/plugins/modules/openssl_signature_info.py index 28e94259..e16bae5f 100644 --- a/plugins/modules/openssl_signature_info.py +++ b/plugins/modules/openssl_signature_info.py 
@@ -108,7 +108,7 @@ try: import OpenSSL from OpenSSL import crypto PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__) -except ImportError: +except (ImportError, AttributeError): PYOPENSSL_IMP_ERR = traceback.format_exc() PYOPENSSL_FOUND = False else: diff --git a/tests/integration/targets/openssl_pkcs12/tests/validate.yml b/tests/integration/targets/openssl_pkcs12/tests/validate.yml index 740070e3..f03e6d24 100644 --- a/tests/integration/targets/openssl_pkcs12/tests/validate.yml +++ b/tests/integration/targets/openssl_pkcs12/tests/validate.yml @@ -83,4 +83,4 @@ - p12_empty is changed - p12_empty_idem is not changed - p12_empty_concat_idem is not changed - - empty_contents == (empty_expected_pyopenssl if select_crypto_backend == 'pyopenssl' else empty_expected_cryptography) + - (empty_contents == empty_expected_cryptography) or (empty_contents == empty_expected_pyopenssl and select_crypto_backend == 'pyopenssl') diff --git a/tests/integration/targets/setup_python_info/vars/main.yml b/tests/integration/targets/setup_python_info/vars/main.yml index 58ad6df7..8dd8091a 100644 --- a/tests/integration/targets/setup_python_info/vars/main.yml +++ b/tests/integration/targets/setup_python_info/vars/main.yml @@ -59,3 +59,6 @@ cannot_upgrade_cryptography: - '3.8' # on the VMs in CI, system packages are used for this version as well '13.0': - '3.8' # on the VMs in CI, system packages are used for this version as well + Ubuntu: + '18': + - '3.9' # this is the default container for ansible-core 2.12; upgrading cryptography wrecks pyOpenSSL diff --git a/tests/utils/constraints.txt b/tests/utils/constraints.txt index 1471d8f4..0c818ad7 100644 --- a/tests/utils/constraints.txt +++ b/tests/utils/constraints.txt 
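Review bot: The rewritten assertion in validate.yml now passes for the pyopenssl backend whether `empty_contents` equals `empty_expected_pyopenssl` or `empty_expected_cryptography`, so the test no longer pins which output that backend produces, and nothing in the file says why. If this is meant to tolerate pyOpenSSL being unusable on some test images, which is an inference from the rest of the commit, a short comment above the condition would record it, for example `# pyOpenSSL may produce either form depending on the installed cryptography version`. Without that, a later reader cannot tell a deliberate relaxation from an accidental one.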
@@ -1,7 +1,8 @@ coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible cryptography < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6 -cryptography >= 3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7 +cryptography >= 3.0, < 3.4 ; python_version < '3.5' # cryptography 3.4 drops support for python 2.7 +cryptography >= 3.0, < 3.3 ; python_version == '3.5' # cryptography 3.3 drops support for python 3.5 urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later idna < 2.6, >= 2.5 # linode requires idna < 2.9, >= 2.5, requests requires idna < 2.6, but cryptography will cause the latest version to be installed instead requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6
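Review bot: The rewritten marker `python_version < '3.5'` still matches Python 2.6, where the line `cryptography < 2.2 ; python_version < '2.7'` above it also applies, and the two ranges (`< 2.2` and `>= 3.0, < 3.4`) cannot be satisfied together. The overlap predates this change, but since the line is being rewritten anyway it could be bounded: `cryptography >= 3.0, < 3.4 ; python_version >= '2.7' and python_version < '3.5'`. This only matters if Python 2.6 is still installed from this constraints file, which the hunk does not show.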