Add ansible-lint to CI (#886)

* Enable ansible-lint.

* Fix broken task name.

* Fix command-instead-of-shell instances.

* Clean up tasks to eliminate command-instead-of-module.

* Skip yaml errors.

* Remove .stdout from versions.

* Avoid stdin.

tests/integration/targets/acme_account/tasks/main.yml

@@ -17,7 +17,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_account_info/tasks/main.yml

@@ -17,7 +17,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_ari_info/tasks/main.yml

@@ -21,7 +21,7 @@
         - import_tasks: ../tests/validate.yml
 
       # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-      when: openssl_version.stdout is version('1.0.0', '>=')
+      when: 1 is version('1.0.0', '>=')
 
     - name: Remove output directory
       file:
@@ -41,4 +41,4 @@
 
         - import_tasks: ../tests/validate.yml
 
-      when: cryptography_version.stdout is version('3.3', '>=')
+      when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_certificate/tasks/main.yml

@@ -98,7 +98,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -118,4 +118,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml

@@ -17,7 +17,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_certificate_order/tasks/main.yml

@@ -15,7 +15,7 @@
         select_crypto_backend: openssl
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -33,4 +33,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml

@@ -20,7 +20,7 @@
         - import_tasks: ../tests/validate.yml
 
       # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-      when: openssl_version.stdout is version('1.0.0', '>=')
+      when: openssl_version is version('1.0.0', '>=')
 
     - name: Remove output directory
       file:
@@ -40,4 +40,4 @@
 
         - import_tasks: ../tests/validate.yml
 
-      when: cryptography_version.stdout is version('3.3', '>=')
+      when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_certificate_revoke/tasks/main.yml

@@ -17,7 +17,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -35,4 +35,4 @@
         terms_agreed: true
         account_email: "example@example.org"
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/acme_inspect/tasks/main.yml

@@ -17,7 +17,7 @@
     - import_tasks: ../tests/validate.yml
 
   # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
-  when: openssl_version.stdout is version('1.0.0', '>=')
+  when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/certificate_complete_chain/tasks/main.yml

@@ -24,4 +24,4 @@
     - name: Run tests with created certificates
       import_tasks: created.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/crypto_info/tasks/main.yml

@@ -20,11 +20,15 @@
   command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
   register: local_cryptography_version
 
+- name: Set cryptography version
+  set_fact:
+    local_cryptography_version: "{{ local_cryptography_version.stdout }}"
+
 - name: Determine complex version-based capabilities
   set_fact:
     supports_ed25519: >-
       {{
-        local_cryptography_version.stdout is version("2.6", ">=")
+        local_cryptography_version is version("2.6", ">=")
         and not (
           ansible_os_family == "FreeBSD" and
           ansible_facts.distribution_version is version("12.1", ">=") and
@@ -33,7 +37,7 @@
       }}
     supports_ed448: >-
       {{
-        local_cryptography_version.stdout is version("2.6", ">=")
+        local_cryptography_version is version("2.6", ">=")
         and not (
           ansible_os_family == "FreeBSD" and
           ansible_facts.distribution_version is version("12.1", ">=") and
@@ -46,21 +50,21 @@
     that:
       - result.python_cryptography_installed
       - "'python_cryptography_import_error' not in result"
-      - result.python_cryptography_capabilities.version == local_cryptography_version.stdout
+      - result.python_cryptography_capabilities.version == local_cryptography_version
       - "'secp256r1' in result.python_cryptography_capabilities.curves"
-      - result.python_cryptography_capabilities.has_ec == (local_cryptography_version.stdout is version('0.5', '>='))
-      - result.python_cryptography_capabilities.has_ec_sign == (local_cryptography_version.stdout is version('1.5', '>='))
+      - result.python_cryptography_capabilities.has_ec == (local_cryptography_version is version('0.5', '>='))
+      - result.python_cryptography_capabilities.has_ec_sign == (local_cryptography_version is version('1.5', '>='))
       - result.python_cryptography_capabilities.has_ed25519 == supports_ed25519
       - result.python_cryptography_capabilities.has_ed25519_sign == supports_ed25519
       - result.python_cryptography_capabilities.has_ed448 == supports_ed448
       - result.python_cryptography_capabilities.has_ed448_sign == supports_ed448
-      - result.python_cryptography_capabilities.has_dsa == (local_cryptography_version.stdout is version('0.5', '>='))
-      - result.python_cryptography_capabilities.has_dsa_sign == (local_cryptography_version.stdout is version('1.5', '>='))
-      - result.python_cryptography_capabilities.has_rsa == (local_cryptography_version.stdout is version('0.5', '>='))
-      - result.python_cryptography_capabilities.has_rsa_sign == (local_cryptography_version.stdout is version('1.4', '>='))
-      - result.python_cryptography_capabilities.has_x25519 == (local_cryptography_version.stdout is version('2.0', '>='))
-      - result.python_cryptography_capabilities.has_x25519_serialization == (local_cryptography_version.stdout is version('2.5', '>='))
-      - result.python_cryptography_capabilities.has_x448 == (local_cryptography_version.stdout is version('2.5', '>='))
+      - result.python_cryptography_capabilities.has_dsa == (local_cryptography_version is version('0.5', '>='))
+      - result.python_cryptography_capabilities.has_dsa_sign == (local_cryptography_version is version('1.5', '>='))
+      - result.python_cryptography_capabilities.has_rsa == (local_cryptography_version is version('0.5', '>='))
+      - result.python_cryptography_capabilities.has_rsa_sign == (local_cryptography_version is version('1.4', '>='))
+      - result.python_cryptography_capabilities.has_x25519 == (local_cryptography_version is version('2.0', '>='))
+      - result.python_cryptography_capabilities.has_x25519_serialization == (local_cryptography_version is version('2.5', '>='))
+      - result.python_cryptography_capabilities.has_x448 == (local_cryptography_version is version('2.5', '>='))
 
 - name: Find OpenSSL binary
   command: which openssl

tests/integration/targets/filter_openssl_csr_info/tasks/main.yml

@@ -129,4 +129,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml

@@ -39,4 +39,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml

@@ -44,4 +44,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/filter_x509_certificate_info/tasks/main.yml

@@ -146,4 +146,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/filter_x509_crl_info/tasks/main.yml

@@ -88,4 +88,4 @@
     - name: Running tests
       include_tasks: impl.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/get_certificate/tasks/main.yml

@@ -37,7 +37,7 @@
         that:
           - result is success or skip_tests
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')
 
 - block:
 
@@ -48,4 +48,4 @@
   # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old,
   # we never noticed before. This becomes a problem with the new cryptography backend,
   # since there is a new enough cryptography version...
-  when: cryptography_version.stdout is version('1.6', '>=') and not skip_tests
+  when: cryptography_version is version('1.6', '>=') and not skip_tests

tests/integration/targets/openssh_keypair/tasks/main.yml

@@ -19,7 +19,7 @@
 
 - set_fact:
     backends: "{{ backends + ['cryptography'] }}"
-  when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+  when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
 
 - include_tasks: ../tests/core.yml
   loop: "{{ backends }}"
@@ -47,4 +47,4 @@
     loop_var: backend
 
 - include_tasks: ../tests/cryptography_backend.yml
-  when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+  when: cryptography_version is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

tests/integration/targets/openssl_csr/tasks/main.yml

@@ -29,4 +29,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_csr/tests/validate.yml

@@ -4,15 +4,15 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr.csr -nameopt oneline,-space_eq"
   register: csr_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
-  shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
+  command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr.csr'
   register: csr_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"
@@ -58,11 +58,11 @@
       - csr_ku_xku_change_2 is changed
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"
   register: csr_oldapi_cn
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - csr modulus)"
-  shell: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
+  command: '{{ openssl_binary }} req -noout -modulus -in {{ remote_tmp_dir }}/csr_oldapi.csr'
   register: csr_oldapi_modulus
 
 - name: "({{ select_crypto_backend }}) Validate old_API CSR (assert)"
@@ -78,7 +78,7 @@
       - "'Subject Alternative Name' in generate_csr_invalid_san.msg"
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
-  shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
+  command: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
   register: csr_ocsp
 
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (assert)"
@@ -93,15 +93,15 @@
       - csr_ocsp_idempotency is not changed
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - privatekey's public key)"
-  shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
+  command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey2.pem'
   register: privatekey_ecc_key
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr2.csr -nameopt oneline,-space_eq"
   register: csr_ecc_cn
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (test - CSR pubkey)"
-  shell: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
+  command: '{{ openssl_binary }} req -noout -pubkey -in {{ remote_tmp_dir }}/csr2.csr'
   register: csr_ecc_pubkey
 
 - name: "({{ select_crypto_backend }}) Validate ECC CSR (assert)"
@@ -111,7 +111,7 @@
       - csr_ecc_pubkey.stdout == privatekey_ecc_key.stdout
 
 - name: "({{ select_crypto_backend }}) Validate CSR (text common name - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr3.csr -nameopt oneline,-space_eq"
   register: csr3_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (assert)"

tests/integration/targets/openssl_csr_info/tasks/main.yml

@@ -132,4 +132,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_csr_pipe/tasks/impl.yml

@@ -64,17 +64,17 @@
   register: generate_csr_changed_check
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
-  shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
   args:
     stdin: "{{ generate_csr.csr }}"
   register: csr_cn
 
 - name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
-  shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
+  command: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
   args:
     stdin: "{{ generate_csr.csr }}"
   register: csr_modulus

tests/integration/targets/openssl_csr_pipe/tasks/main.yml

@@ -24,4 +24,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_dhparam/tasks/main.yml

@@ -24,7 +24,7 @@
 
   vars:
     select_crypto_backend: openssl
-  # when: openssl_version.stdout is version('1.0.0', '>=')
+  # when: openssl_version is version('1.0.0', '>=')
 
 - name: Remove output directory
   file:
@@ -44,4 +44,4 @@
 
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_dhparam/tests/validate.yml

@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 - name: "[{{ select_crypto_backend }}] Validate generated params"
-  shell: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check'
+  command: '{{ openssl_binary }} dhparam -in {{ remote_tmp_dir }}/{{ item }}.pem -noout -check'
   with_items:
     - dh768
     - dh512

tests/integration/targets/openssl_pkcs12/tasks/impl.yml

@@ -376,7 +376,7 @@
       register: p12_compatibility2022
       when:
         - select_crypto_backend == 'cryptography'
-        - cryptography_version.stdout is version('38.0.0', '>=')
+        - cryptography_version is version('38.0.0', '>=')
 
     - import_tasks: ../tests/validate.yml
 

tests/integration/targets/openssl_pkcs12/tasks/main.yml

@@ -68,4 +68,4 @@
         select_crypto_backend: cryptography
 
   when: >-
-    cryptography_version.stdout is version('3.3', '>=')
+    cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -95,10 +95,10 @@
 - name: '({{ select_crypto_backend }}) PKCS#12 with compatibility2022 settings'
   when:
     - select_crypto_backend == 'cryptography'
-    - cryptography_version.stdout is version('38.0.0', '>=')
+    - cryptography_version is version('38.0.0', '>=')
   block:
     - name: '({{ select_crypto_backend }}) Validate PKCS#12 with compatibility2022 settings'
-      shell: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'"
+      command: "{{ openssl_binary }} pkcs12 -info -in {{ remote_tmp_dir }}/ansible_compatibility2022.p12 -nodes -passin pass:'magicpassword'"
       register: p12_validate_compatibility2022
 
     - name: '({{ select_crypto_backend }}) Check PKCS#12 with compatibility2022 settings'

tests/integration/targets/openssl_privatekey/tasks/impl.yml

@@ -158,7 +158,7 @@
     curve: "{{ item.curve }}"
     select_crypto_backend: '{{ select_crypto_backend }}'
   when: |
-    cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
+    cryptography_version is version(item.min_cryptography_version, '>=') and
     item.openssl_name in openssl_ecc_list
   loop: "{{ ecc_types }}"
   loop_control:
@@ -172,7 +172,7 @@
     curve: "{{ item.curve }}"
     select_crypto_backend: '{{ select_crypto_backend }}'
   when: |
-    cryptography_version.stdout is version(item.min_cryptography_version, '>=') and
+    cryptography_version is version(item.min_cryptography_version, '>=') and
     item.openssl_name in openssl_ecc_list
   loop: "{{ ecc_types }}"
   loop_control:
@@ -185,7 +185,7 @@
         path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem'
         type: "{{ item.type }}"
         select_crypto_backend: '{{ select_crypto_backend }}'
-      when: cryptography_version.stdout is version(item.min_version, '>=')
+      when: cryptography_version is version(item.min_version, '>=')
       loop: "{{ types }}"
       loop_control:
         label: "{{ item.type }}"
@@ -197,7 +197,7 @@
         path: '{{ remote_tmp_dir }}/privatekey-{{ item.type }}.pem'
         type: "{{ item.type }}"
         select_crypto_backend: '{{ select_crypto_backend }}'
-      when: cryptography_version.stdout is version(item.min_version, '>=')
+      when: cryptography_version is version(item.min_version, '>=')
       loop: "{{ types }}"
       loop_control:
         label: "{{ item.type }}"

tests/integration/targets/openssl_privatekey/tasks/main.yml

@@ -50,4 +50,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_privatekey/tests/validate.yml

@@ -75,13 +75,13 @@
   register: privatekey5
   # Current version of OS/X that runs in the CI (10.11) does not have an up to date version of the OpenSSL library
   # leading to this test to fail when run in the CI. However, this test has been run for 10.12 and has returned successfully.
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate privatekey5 (assert - Passphrase protected key + idempotence)"
   assert:
     that:
       - privatekey5.stdout == (default_rsa_key_size | string)
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate privatekey5 idempotence (assert - Passphrase protected key + idempotence)"
   assert:
@@ -92,19 +92,19 @@
 - name: "({{ select_crypto_backend }}) Validate privatekey6 (test - Passphrase protected key with non ascii character)"
   shell: "{{ openssl_binary }} rsa -noout -text -in {{ remote_tmp_dir }}/privatekey6.pem -passin pass:ànsïblé | grep Private | sed 's/\\(RSA *\\)*Private-Key: (\\(.*\\) bit.*)/\\2/'"
   register: privatekey6
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate privatekey6 (assert - Passphrase protected key with non ascii character)"
   assert:
     that:
       - privatekey6.stdout == (default_rsa_key_size | string)
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate ECC generation (dump with OpenSSL)"
   shell: "{{ openssl_binary }} ec -in {{ remote_tmp_dir }}/privatekey-{{ item.item.curve }}.pem -noout -text | grep 'ASN1 OID: ' | sed 's/ASN1 OID: \\([^ ]*\\)/\\1/'"
   loop: "{{ privatekey_ecc_generate.results }}"
   register: privatekey_ecc_dump
-  when: openssl_version.stdout is version('0.9.8zh', '>=') and 'skip_reason' not in item
+  when: openssl_version is version('0.9.8zh', '>=') and 'skip_reason' not in item
   loop_control:
     label: "{{ item.item.curve }}"
 

tests/integration/targets/openssl_privatekey_convert/tasks/main.yml

@@ -58,4 +58,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_privatekey_info/tasks/main.yml

@@ -43,4 +43,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml

@@ -18,4 +18,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_publickey/tasks/main.yml

@@ -28,4 +28,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/openssl_publickey/tests/validate.yml

@@ -17,11 +17,18 @@
       - publickey.publickey == publickey_idempotence.publickey
 
 - name: "({{ select_crypto_backend }}) Validate public key (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
+- name: "({{ select_crypto_backend }}) Fetch public key"
+  ansible.builtin.slurp:
+    src: '{{ remote_tmp_dir }}/publickey.pub'
+  register: slurp
+
 - name: "({{ select_crypto_backend }}) Validate public key (test - publickey modulus)"
-  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey.pub'
+  command:
+    cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus'
+    stdin: '{{ slurp.content | b64decode }}'
   register: publickey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate public key (assert)"
@@ -30,7 +37,7 @@
       - publickey_modulus.stdout == privatekey_modulus.stdout
 
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (test - privatekey's publickey)"
-  shell: 'ssh-keygen -y -f {{ remote_tmp_dir }}/privatekey.pem'
+  command: 'ssh-keygen -y -f {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_publickey
   when: select_crypto_backend == 'cryptography'
 
@@ -71,20 +78,27 @@
 
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey3.pem -passin pass:ansible'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey3.pem -passin pass:ansible'
   register: privatekey3_modulus
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
+
+- name: "({{ select_crypto_backend }}) Fetch publickey3"
+  ansible.builtin.slurp:
+    src: '{{ remote_tmp_dir }}/publickey3.pub'
+  register: slurp
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 (test - publickey modulus)"
-  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey3.pub'
+  command:
+    cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus'
+    stdin: '{{ slurp.content | b64decode }}'
   register: publickey3_modulus
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 (assert)"
   assert:
     that:
       - publickey3_modulus.stdout == privatekey3_modulus.stdout
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate publickey3 idempotence (assert)"
   assert:
@@ -92,20 +106,27 @@
       - publickey3_idempotence is not changed
 
 - name: "({{ select_crypto_backend }}) Validate publickey4 (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey4_modulus
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
+
+- name: "({{ select_crypto_backend }}) Fetch publickey4"
+  ansible.builtin.slurp:
+    src: '{{ remote_tmp_dir }}/publickey4.pub'
+  register: slurp
 
 - name: "({{ select_crypto_backend }}) Validate publickey4 (test - publickey modulus)"
-  shell: '{{ openssl_binary }} rsa -pubin -noout -modulus < {{ remote_tmp_dir }}/publickey4.pub'
+  command:
+    cmd: '{{ openssl_binary }} rsa -pubin -noout -modulus'
+    stdin: '{{ slurp.content | b64decode }}'
   register: publickey4_modulus
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate publickey4 (assert)"
   assert:
     that:
       - publickey4_modulus.stdout == privatekey4_modulus.stdout
-  when: openssl_version.stdout is version('0.9.8zh', '>=')
+  when: openssl_version is version('0.9.8zh', '>=')
 
 - name: "({{ select_crypto_backend }}) Validate idempotency and backup"
   assert:
@@ -131,7 +152,7 @@
     that:
       - publickey5_pubkey.stdout == privatekey5_pubkey.stdout
 
-- name:
+- name: "({{ select_crypto_backend }}) Verify bad passphrase errors"
   assert:
     that:
       - passphrase_error_1 is failed

tests/integration/targets/openssl_publickey_info/tasks/main.yml

@@ -46,4 +46,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/setup_acme/tasks/main.yml

@@ -23,5 +23,5 @@
       ACME directory: {{ acme_directory_url }}
       ACME server supports ARI: {{ acme_supports_ari }}
       ACME server supports profiles: {{ acme_supports_profiles }}
-      OpenSSL version is {{ openssl_version.stdout }}
-      cryptography version is {{ cryptography_version.stdout }}
+      OpenSSL version is {{ openssl_version }}
+      cryptography version is {{ cryptography_version }}

tests/integration/targets/setup_openssl/tasks/main.yml

@@ -85,6 +85,10 @@
   shell: "{{ openssl_binary }} version | cut -d' ' -f2"
   register: openssl_version
 
+- name: Make openssl version a string
+  set_fact:
+    openssl_version: "{{ openssl_version.stdout }}"
+
 - when: ansible_facts.distribution ~ ansible_facts.distribution_major_version not in  ['CentOS6', 'RedHat6']
   block:
 
@@ -115,9 +119,13 @@
             state: "{{ 'latest' if not target_system_python_cannot_upgrade_cryptography else omit }}"
             extra_args: "-c {{ remote_constraints }}"
 
+- name: Obtain cryptography information
+  community.crypto.crypto_info:
+  register: crypto_info
+
 - name: Register cryptography version
-  command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
-  register: cryptography_version
+  set_fact:
+    cryptography_version: "{{ crypto_info.python_cryptography_capabilities.version }}"
 
 - name: Print default key sizes
   debug:

tests/integration/targets/x509_certificate-acme/tasks/main.yml

@@ -71,17 +71,6 @@
   get_url:
     url: https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
     dest: "{{ remote_tmp_dir }}/acme-tiny"
-  when: ansible_python_version is version('2.7', '>=')
-
-- name: Get hold of acme-tiny executable (Python 2.6)
-  command:
-    cmd: >-
-      curl https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py --output "{{ remote_tmp_dir }}/acme-tiny"
-  when: ansible_python_version is version('2.7', '<')
-
-- name: Make sure acme-tiny is executable
-  file:
-    path: "{{ remote_tmp_dir }}/acme-tiny"
     mode: "0755"
 
 - name: "Monkey-patch acme-tiny: Disable certificate validation"
@@ -141,4 +130,4 @@
 - name: Running tests
   include_tasks: impl.yml
   # Make x509_certificate module happy
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/x509_certificate/tasks/main.yml

@@ -12,4 +12,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/x509_certificate/tasks/ownca.yml

@@ -658,6 +658,6 @@
           register: ownca_certificate_ed25519_ed448_2_idempotence
           ignore_errors: true
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=')
+  when: select_crypto_backend == 'cryptography' and cryptography_version is version('3.3', '>=')
 
 - import_tasks: ../tests/validate_ownca.yml

tests/integration/targets/x509_certificate/tasks/selfsigned.yml

@@ -480,6 +480,6 @@
           register: selfsigned_certificate_ed25519_ed448_idempotence
           ignore_errors: true
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=')
+  when: select_crypto_backend == 'cryptography' and cryptography_version is version('3.3', '>=')
 
 - import_tasks: ../tests/validate_selfsigned.yml

tests/integration/targets/x509_certificate/tests/validate_ownca.yml

@@ -8,7 +8,7 @@
   register: ownca_verify_ca
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca certificate modulus)
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert.pem'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert.pem'
   register: ownca_cert_modulus
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate (test - ownca issuer value)
@@ -72,7 +72,7 @@
 
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (test - ownca certificate modulus)
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert2.pem'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/ownca_cert2.pem'
   register: ownca_cert2_modulus
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca certificate2 (assert)
@@ -104,7 +104,7 @@
       - ownca_cert3_idem is not changed
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca certificate pubkey)
-  shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/ownca_cert_ecc.pem'
+  command: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/ownca_cert_ecc.pem'
   register: ownca_cert_ecc_pubkey
 
 - name: (OwnCA validation, {{select_crypto_backend}}) Validate ownca ECC certificate (test - ownca issuer value)

tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml

@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - privatekey modulus)
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate behavior for no CSR
@@ -15,7 +15,7 @@
       - selfsigned_certificate_no_csr_idempotence_check is not changed
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate modulus)
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert_no_csr.pem'
   register: cert_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate with no CSR (test - certificate version == default == 3)
@@ -47,7 +47,7 @@
       - selfsigned_certificate_no_csr.certificate == selfsigned_certificate_no_csr_idempotence.certificate
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - certificate modulus)
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert.pem'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert.pem'
   register: cert_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate (test - issuer value)
@@ -109,11 +109,11 @@
   when: select_crypto_backend == 'cryptography'
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - privatekey modulus)
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem'
   register: privatekey2_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (test - certificate modulus)
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert2.pem'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in {{ remote_tmp_dir }}/cert2.pem'
   register: cert2_modulus
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate certificate2 (assert)
@@ -145,11 +145,11 @@
       - cert3_selfsigned_idem is not changed
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - privatekey's pubkey)
-  shell: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey_ecc.pem'
+  command: '{{ openssl_binary }} ec -pubout -in {{ remote_tmp_dir }}/privatekey_ecc.pem'
   register: privatekey_ecc_pubkey
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (test - certificate pubkey)
-  shell: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/cert_ecc.pem'
+  command: '{{ openssl_binary }} x509 -noout -pubkey -in {{ remote_tmp_dir }}/cert_ecc.pem'
   register: cert_ecc_pubkey
 
 - name: (Selfsigned validation, {{select_crypto_backend}}) Validate ECC certificate (assert)

tests/integration/targets/x509_certificate_info/tasks/main.yml

@@ -149,4 +149,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/x509_certificate_pipe/tasks/impl.yml

@@ -102,17 +102,17 @@
   register: generate_certificate_changed_check
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)"
-  shell: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
   args:
     stdin: "{{ generate_certificate.certificate }}"
   register: certificate_cn
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)"
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
   args:
     stdin: "{{ generate_certificate.certificate }}"
   register: certificate_modulus
@@ -209,17 +209,17 @@
   register: ownca_generate_certificate_changed_check
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - privatekey modulus)"
-  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem'
+  command: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey2.pem'
   register: privatekey_modulus
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - Common Name)"
-  shell: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
+  command: "{{ openssl_binary }} x509 -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
   args:
     stdin: "{{ ownca_generate_certificate.certificate }}"
   register: certificate_cn
 
 - name: "({{ select_crypto_backend }}) Validate certificate (test - certificate modulus)"
-  shell: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
+  command: '{{ openssl_binary }} x509 -noout -modulus -in /dev/stdin'
   args:
     stdin: "{{ ownca_generate_certificate.certificate }}"
   register: certificate_modulus

tests/integration/targets/x509_certificate_pipe/tasks/main.yml

@@ -23,4 +23,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/x509_crl/tasks/impl.yml

@@ -694,4 +694,4 @@
             - Ed448
           ignore_errors: true
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')

tests/integration/targets/x509_crl/tasks/main.yml

@@ -90,4 +90,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('3.3', '>=')
+  when: cryptography_version is version('3.3', '>=')