From fbcb89f0924186286b7d5e55acc52f0dc50214f0 Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Fri, 2 May 2025 21:42:06 +0200 Subject: [PATCH] Support cryptography 3.3 (#882) * Re-add Debian Bullseye to CI. * Support cryptography 3.3 as well. --- .azure-pipelines/azure-pipelines.yml | 2 ++ README.md | 2 +- changelogs/fragments/878-backend.yml | 4 +-- plugins/doc_fragments/acme.py | 3 ++- plugins/doc_fragments/cryptography_dep.py | 20 +++++++++++++++ plugins/doc_fragments/module_certificate.py | 2 +- plugins/doc_fragments/module_csr.py | 2 +- plugins/doc_fragments/module_privatekey.py | 2 +- .../module_privatekey_convert.py | 2 +- .../crypto/module_backends/certificate.py | 5 +++- .../module_backends/certificate_info.py | 5 +++- .../crypto/module_backends/crl_info.py | 5 +++- .../crypto/module_backends/csr.py | 5 +++- .../crypto/module_backends/csr_info.py | 5 +++- .../crypto/module_backends/privatekey.py | 5 +++- .../module_backends/privatekey_convert.py | 5 +++- .../crypto/module_backends/privatekey_info.py | 5 +++- .../crypto/module_backends/publickey_info.py | 5 +++- plugins/module_utils/cryptography_dep.py | 15 +++++++++++ .../openssh/backends/keypair_backend.py | 25 +++++++++---------- plugins/module_utils/openssh/cryptography.py | 16 +----------- plugins/modules/acme_challenge_cert_helper.py | 20 +++++++++++---- plugins/modules/certificate_complete_chain.py | 14 ++++++++--- plugins/modules/ecs_certificate.py | 8 +++--- plugins/modules/get_certificate.py | 7 ++++-- plugins/modules/openssh_keypair.py | 2 +- plugins/modules/openssl_csr_info.py | 5 ++-- plugins/modules/openssl_dhparam.py | 7 ++++-- plugins/modules/openssl_pkcs12.py | 8 +++--- plugins/modules/openssl_privatekey_info.py | 3 +-- plugins/modules/openssl_publickey.py | 8 +++--- plugins/modules/openssl_publickey_info.py | 3 +-- plugins/modules/openssl_signature.py | 8 +++--- plugins/modules/openssl_signature_info.py | 8 +++--- plugins/modules/x509_certificate_convert.py | 5 +++- plugins/modules/x509_certificate_info.py | 3 +-- plugins/modules/x509_crl.py | 8 +++--- 
plugins/modules/x509_crl_info.py | 3 +-- .../targets/acme_account/tasks/main.yml | 2 +- .../targets/acme_account_info/tasks/main.yml | 2 +- .../targets/acme_ari_info/tasks/main.yml | 2 +- .../targets/acme_certificate/tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../acme_certificate_order/tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../acme_certificate_revoke/tasks/main.yml | 2 +- .../acme_challenge_cert_helper/tasks/main.yml | 2 +- .../targets/acme_inspect/tasks/main.yml | 2 +- .../certificate_complete_chain/tasks/main.yml | 2 +- .../filter_openssl_csr_info/tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../tasks/main.yml | 2 +- .../filter_x509_crl_info/tasks/main.yml | 2 +- .../targets/get_certificate/tasks/main.yml | 2 +- .../targets/openssh_keypair/tasks/main.yml | 4 +-- .../targets/openssl_csr/tasks/main.yml | 2 +- .../targets/openssl_csr_info/tasks/main.yml | 2 +- .../targets/openssl_csr_pipe/tasks/main.yml | 2 +- .../targets/openssl_dhparam/tasks/main.yml | 2 +- .../targets/openssl_pkcs12/tasks/main.yml | 13 ++++------ .../targets/openssl_privatekey/tasks/main.yml | 2 +- .../openssl_privatekey_convert/tasks/main.yml | 2 +- .../openssl_privatekey_info/tasks/main.yml | 2 +- .../openssl_privatekey_pipe/tasks/main.yml | 2 +- .../targets/openssl_publickey/tasks/main.yml | 2 +- .../openssl_publickey_info/tasks/main.yml | 2 +- .../x509_certificate-acme/tasks/main.yml | 2 +- .../targets/x509_certificate/tasks/main.yml | 2 +- .../targets/x509_certificate/tasks/ownca.yml | 2 +- .../x509_certificate/tasks/selfsigned.yml | 2 +- .../x509_certificate_info/tasks/main.yml | 2 +- .../x509_certificate_pipe/tasks/main.yml | 2 +- .../targets/x509_crl/tasks/impl.yml | 2 +- .../targets/x509_crl/tasks/main.yml | 2 +- 75 files changed, 213 insertions(+), 134 deletions(-) create mode 100644 plugins/doc_fragments/cryptography_dep.py create mode 100644 plugins/module_utils/cryptography_dep.py 
diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml index d9bd2017..749444d7 100644 --- a/.azure-pipelines/azure-pipelines.yml +++ b/.azure-pipelines/azure-pipelines.yml @@ -147,6 +147,8 @@ stages: targets: - name: Debian Bookworm test: debian-bookworm/3.11 + - name: Debian Bullseye + test: debian-bullseye/3.9 - name: ArchLinux test: archlinux/3.13 groups: diff --git a/README.md b/README.md index 2d6ba84e..4096262f 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Tested with the current ansible-core-2.17, ansible-core 2.18, and ansible-core 2 The exact requirements for every module are listed in the module documentation. -Most modules require a recent enough version of [the Python cryptography library](https://pypi.org/project/cryptography/); the minimum supported version by this collection is 3.4. See the module documentations for the minimal version supported for each module. +Most modules require a recent enough version of [the Python cryptography library](https://pypi.org/project/cryptography/); the minimum supported version by this collection is 3.3. See the module documentations for the minimal version supported for each module. ## Collection Documentation diff --git a/changelogs/fragments/878-backend.yml b/changelogs/fragments/878-backend.yml index 69efb70a..3f93efb8 100644 --- a/changelogs/fragments/878-backend.yml +++ b/changelogs/fragments/878-backend.yml 
@@ -1,8 +1,8 @@ minor_changes: - "No longer provide cryptography's ``backend`` parameter. This will break with cryptography < 3.1 (https://github.com/ansible-collections/community.crypto/pull/878)." - - "Remove various compatibility code for cryptography < 3.4 (https://github.com/ansible-collections/community.crypto/pull/878)." + - "Remove various compatibility code for cryptography < 3.3 (https://github.com/ansible-collections/community.crypto/pull/878)." - "On cryptography 36.0.0+, always use ``public_bytes()`` for X.509 extension objects instead of using cryptography internals to obtain DER value of extension (https://github.com/ansible-collections/community.crypto/pull/878)." removed_features: - "crypto.basic module utils - remove ``CRYPTOGRAPHY_HAS_*`` flags. All tested features are supported since cryptography 3.0 (https://github.com/ansible-collections/community.crypto/pull/878)." - "crypto.cryptography_support module utils - remove ``cryptography_serial_number_of_cert()`` helper function (https://github.com/ansible-collections/community.crypto/pull/878)." - - "The collection no longer supports cryptography < 3.4 (https://github.com/ansible-collections/community.crypto/pull/878)." + - "The collection no longer supports cryptography < 3.3 (https://github.com/ansible-collections/community.crypto/pull/878, https://github.com/ansible-collections/community.crypto/pull/882)." diff --git a/plugins/doc_fragments/acme.py b/plugins/doc_fragments/acme.py index 6b278ad6..b40de1d1 100644 --- a/plugins/doc_fragments/acme.py +++ b/plugins/doc_fragments/acme.py 
@@ -18,7 +18,8 @@ notes: another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose) to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated. requirements: - - either openssl or L(cryptography,https://cryptography.io/) >= 3.4 + - either C(openssl) + - or L(cryptography,https://cryptography.io/) >= 3.3 options: acme_version: description: diff --git a/plugins/doc_fragments/cryptography_dep.py b/plugins/doc_fragments/cryptography_dep.py new file mode 100644 index 00000000..0b8c89db --- /dev/null +++ b/plugins/doc_fragments/cryptography_dep.py @@ -0,0 +1,20 @@ +# Copyright (c) 2025 Ansible project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +from __future__ import annotations + + +class ModuleDocFragment: + """ + Doc fragments for cryptography requirements. + + Must be kept in sync with plugins/module_utils/cryptography_dep.py. + """ + + # Corresponds to the plugins.module_utils.cryptography_dep.COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION constant + MINIMUM = r""" +requirements: + - cryptography >= 3.3 +options: {} +""" diff --git a/plugins/doc_fragments/module_certificate.py b/plugins/doc_fragments/module_certificate.py index 268e68c4..21ec1f5f 100644 --- a/plugins/doc_fragments/module_certificate.py +++ b/plugins/doc_fragments/module_certificate.py @@ -22,7 +22,7 @@ attributes: - If relative timestamps are used and O(ignore_timestamps=false), the module is not idempotent. - The option O(force=true) generally disables idempotency. requirements: - - cryptography >= 3.4 (if using V(selfsigned) or V(ownca) provider) + - cryptography >= 3.3 (if using V(selfsigned) or V(ownca) provider) options: force: description: diff --git a/plugins/doc_fragments/module_csr.py b/plugins/doc_fragments/module_csr.py index b3efa358..ba3763fa 100644 
--- a/plugins/doc_fragments/module_csr.py +++ b/plugins/doc_fragments/module_csr.py @@ -18,7 +18,7 @@ attributes: idempotent: support: full requirements: - - cryptography >= 3.4 + - cryptography >= 3.3 options: digest: description: diff --git a/plugins/doc_fragments/module_privatekey.py b/plugins/doc_fragments/module_privatekey.py index 1c890e99..65030271 100644 --- a/plugins/doc_fragments/module_privatekey.py +++ b/plugins/doc_fragments/module_privatekey.py @@ -22,7 +22,7 @@ attributes: details: - The option O(regenerate=always) generally disables idempotency. requirements: - - cryptography >= 3.4 + - cryptography >= 3.3 options: size: description: diff --git a/plugins/doc_fragments/module_privatekey_convert.py b/plugins/doc_fragments/module_privatekey_convert.py index 252e76bf..be77e749 100644 --- a/plugins/doc_fragments/module_privatekey_convert.py +++ b/plugins/doc_fragments/module_privatekey_convert.py @@ -10,7 +10,7 @@ class ModuleDocFragment: # Standard files documentation fragment DOCUMENTATION = r""" requirements: - - cryptography >= 3.4 + - cryptography >= 3.3 attributes: diff_mode: support: none diff --git a/plugins/module_utils/crypto/module_backends/certificate.py b/plugins/module_utils/crypto/module_backends/certificate.py index 5acfd8d4..0304de50 100644 --- a/plugins/module_utils/crypto/module_backends/certificate.py +++ b/plugins/module_utils/crypto/module_backends/certificate.py @@ -30,12 +30,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im load_certificate_request, load_privatekey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None CRYPTOGRAPHY_VERSION = None 
diff --git a/plugins/module_utils/crypto/module_backends/certificate_info.py b/plugins/module_utils/crypto/module_backends/certificate_info.py index c18476a2..2734e97d 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -28,6 +28,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_fingerprint_of_bytes, load_certificate, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.time import ( get_now_datetime, ) @@ -36,7 +39,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/crl_info.py b/plugins/module_utils/crypto/module_backends/crl_info.py index 942384ba..44b353ab 100644 --- a/plugins/module_utils/crypto/module_backends/crl_info.py +++ b/plugins/module_utils/crypto/module_backends/crl_info.py @@ -19,6 +19,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( identify_pem_format, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) @@ -26,7 +29,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( # crypto_utils -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: 
diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py index 671a2d50..99e835f4 100644 --- a/plugins/module_utils/crypto/module_backends/csr.py +++ b/plugins/module_utils/crypto/module_backends/csr.py @@ -40,12 +40,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im parse_ordered_name_field, select_message_digest, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/csr_info.py b/plugins/module_utils/crypto/module_backends/csr_info.py index 8779aa59..8242b01e 100644 --- a/plugins/module_utils/crypto/module_backends/csr_info.py +++ b/plugins/module_utils/crypto/module_backends/csr_info.py @@ -24,12 +24,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate_request, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/privatekey.py b/plugins/module_utils/crypto/module_backends/privatekey.py index ca070e74..07316119 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey.py +++ b/plugins/module_utils/crypto/module_backends/privatekey.py 
@@ -29,12 +29,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( get_fingerprint_of_privatekey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/privatekey_convert.py b/plugins/module_utils/crypto/module_backends/privatekey_convert.py index 91aa703c..78e1760b 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey_convert.py +++ b/plugins/module_utils/crypto/module_backends/privatekey_convert.py @@ -22,13 +22,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( identify_private_key_format, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import load_file from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/privatekey_info.py b/plugins/module_utils/crypto/module_backends/privatekey_info.py index d67be31c..9a0399cd 100644 --- a/plugins/module_utils/crypto/module_backends/privatekey_info.py +++ b/plugins/module_utils/crypto/module_backends/privatekey_info.py 
@@ -26,12 +26,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_fingerprint_of_bytes, load_privatekey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/crypto/module_backends/publickey_info.py b/plugins/module_utils/crypto/module_backends/publickey_info.py index f3f7c5e2..886ef8b2 100644 --- a/plugins/module_utils/crypto/module_backends/publickey_info.py +++ b/plugins/module_utils/crypto/module_backends/publickey_info.py @@ -16,12 +16,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_fingerprint_of_bytes, load_publickey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/module_utils/cryptography_dep.py b/plugins/module_utils/cryptography_dep.py new file mode 100644 index 00000000..6f6bf582 --- /dev/null +++ b/plugins/module_utils/cryptography_dep.py 
@@ -0,0 +1,15 @@ +# Copyright (c) 2025 Ansible project +# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) +# SPDX-License-Identifier: GPL-3.0-or-later + +""" +Module utils for cryptography requirements. + +Must be kept in sync with plugins/doc_fragments/cryptography_dep.py. +""" + +from __future__ import annotations + + +# Corresponds to the community.crypto.cryptography_dep.minimum doc fragment +COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION = "3.3" diff --git a/plugins/module_utils/openssh/backends/keypair_backend.py b/plugins/module_utils/openssh/backends/keypair_backend.py index 9979ec1f..1aa41dd2 100644 --- a/plugins/module_utils/openssh/backends/keypair_backend.py +++ b/plugins/module_utils/openssh/backends/keypair_backend.py @@ -11,6 +11,9 @@ import os from ansible.module_utils import six from ansible.module_utils.basic import missing_required_lib from ansible.module_utils.common.text.converters import to_bytes, to_text +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import ( KeygenCommand, OpensshModule, @@ -19,7 +22,6 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends. parse_private_key_format, ) from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import ( - HAS_OPENSSH_PRIVATE_FORMAT, HAS_OPENSSH_SUPPORT, InvalidCommentError, InvalidPassphraseError, 
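Review bot: The floor in `COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION = "3.3"` is also written by hand in the new `cryptography_dep` doc fragment, and only a "Must be kept in sync" comment ties the two together. The same literal is repeated in the other fragments this patch edits (`acme.py`, `module_certificate.py`, `module_csr.py`, `module_privatekey.py`, `module_privatekey_convert.py`). If one side drifts, the documentation promises a cryptography version that the runtime check rejects, or the reverse. A small unit test would make the sync mechanical, for example `assert f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}" in ModuleDocFragment.MINIMUM`.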
@@ -434,15 +436,6 @@ class KeypairBackendCryptography(KeypairBackend): # OpenSSH made SSH formatted private keys available in version 6.5, # but still defaulted to PKCS1 format with the exception of ed25519 keys result = "PKCS1" - - if result == "SSH" and not HAS_OPENSSH_PRIVATE_FORMAT: - self.module.fail_json( - msg=missing_required_lib( - "cryptography >= 3.4", - reason="to load/dump private keys in the default OpenSSH format for OpenSSH >= 7.8 " - + "or for ed25519 keys", - ) - ) else: result = key_format.upper() @@ -548,8 +541,10 @@ def select_backend(module, backend): backend = "cryptography" else: module.fail_json( - msg="Cannot find either the OpenSSH binary in the PATH " - + "or cryptography >= 3.4 installed on this system" + msg=( + "Cannot find either the OpenSSH binary in the PATH " + f"or cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION} installed on this system" + ) ) if backend == "opensshbin": @@ -558,7 +553,11 @@ def select_backend(module, backend): return backend, KeypairBackendOpensshBin(module) elif backend == "cryptography": if not can_use_cryptography: - module.fail_json(msg=missing_required_lib("cryptography >= 3.4")) + module.fail_json( + msg=missing_required_lib( + f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}" + ) + ) return backend, KeypairBackendCryptography(module) else: raise ValueError(f"Unsupported value for backend: {backend}") diff --git a/plugins/module_utils/openssh/cryptography.py b/plugins/module_utils/openssh/cryptography.py index db180ed7..53dc6064 100644 --- a/plugins/module_utils/openssh/cryptography.py +++ b/plugins/module_utils/openssh/cryptography.py @@ -9,10 +9,6 @@ from base64 import b64decode, b64encode from getpass import getuser from socket import gethostname -from ansible_collections.community.crypto.plugins.module_utils.version import ( - LooseVersion, -) - try: from cryptography import __version__ as CRYPTOGRAPHY_VERSION 
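Review bot: After `HAS_OPENSSH_PRIVATE_FORMAT` is removed, no version comparison remains visible on the OpenSSH path: `openssh/cryptography.py` sets `HAS_OPENSSH_SUPPORT = True` as soon as its imports succeed and drops its `LooseVersion` import, while the new `select_backend` messages promise `cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}`. If `can_use_cryptography`, which is computed outside these hunks, is derived from `HAS_OPENSSH_SUPPORT` alone, an install below the floor passes the gate and fails later with a traceback instead of a clean `fail_json`. One place this could surface is `serialization.PrivateFormat.OpenSSH` in the `key_format == "SSH"` branch, whose fallback is also removed. Consider enforcing the floor where the flag is set, e.g. `HAS_OPENSSH_SUPPORT = LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion(COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION)`, keeping the `LooseVersion` import. `select_backend` and the surrounding `try` block both extend beyond the lines shown.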
@@ -25,11 +21,6 @@ try: Ed25519PublicKey, ) - if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.4"): - HAS_OPENSSH_PRIVATE_FORMAT = True - else: - HAS_OPENSSH_PRIVATE_FORMAT = False - HAS_OPENSSH_SUPPORT = True _ALGORITHM_PARAMETERS = { @@ -70,7 +61,6 @@ try: }, } except ImportError: - HAS_OPENSSH_PRIVATE_FORMAT = False HAS_OPENSSH_SUPPORT = False CRYPTOGRAPHY_VERSION = "0.0" _ALGORITHM_PARAMETERS = {} @@ -413,11 +403,7 @@ class OpensshKeypair: """ if key_format == "SSH": - # Default to PEM format if SSH not available - if not HAS_OPENSSH_PRIVATE_FORMAT: - privatekey_format = serialization.PrivateFormat.PKCS8 - else: - privatekey_format = serialization.PrivateFormat.OpenSSH + privatekey_format = serialization.PrivateFormat.OpenSSH elif key_format == "PKCS8": privatekey_format = serialization.PrivateFormat.PKCS8 elif key_format == "PKCS1": diff --git a/plugins/modules/acme_challenge_cert_helper.py b/plugins/modules/acme_challenge_cert_helper.py index fa8ca466..482f1c39 100644 --- a/plugins/modules/acme_challenge_cert_helper.py +++ b/plugins/modules/acme_challenge_cert_helper.py @@ -21,10 +21,9 @@ seealso: - name: ACME TLS ALPN Challenge Extension description: The specification of the C(tls-alpn-01) challenge (RFC 8737). link: https://www.rfc-editor.org/rfc/rfc8737.html -requirements: - - "cryptography >= 3.4" extends_documentation_fragment: - community.crypto.attributes + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: none @@ -163,6 +162,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp set_not_valid_after, set_not_valid_before, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.time import ( get_now_datetime, ) 
@@ -184,7 +186,9 @@ try: import cryptography.x509 import cryptography.x509.oid - HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion("3.4") + HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION + ) except ImportError: CRYPTOGRAPHY_IMP_ERR = traceback.format_exc() HAS_CRYPTOGRAPHY = False @@ -215,10 +219,16 @@ def main(): # Some callbacks die when exception is provided with value None if CRYPTOGRAPHY_IMP_ERR: module.fail_json( - msg=missing_required_lib("cryptography >= 3.4"), + msg=missing_required_lib( + f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}" + ), exception=CRYPTOGRAPHY_IMP_ERR, ) - module.fail_json(msg=missing_required_lib("cryptography >= 3.4")) + module.fail_json( + msg=missing_required_lib( + f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}" + ) + ) try: # Get parameters diff --git a/plugins/modules/certificate_complete_chain.py b/plugins/modules/certificate_complete_chain.py index 0dd83c5d..159a9b75 100644 --- a/plugins/modules/certificate_complete_chain.py +++ b/plugins/modules/certificate_complete_chain.py @@ -17,11 +17,10 @@ description: - Note that this module does I(not) check for validity of the chains. It only checks that issuer and subject match, and that the signature is correct. It ignores validity dates and key usage completely. If you need to verify that a generated chain is valid, please use C(openssl verify ...). -requirements: - - "cryptography >= 3.4" extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: full 
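Review bot: In `main()`, the second `module.fail_json(msg=missing_required_lib(...))` is the one reached when cryptography imports but is older than the floor, because `HAS_CRYPTOGRAPHY` is the result of the version comparison. The message then reads as if the library were absent and never shows the version that was found. Adding it makes the failure actionable on hosts with a distribution-packaged cryptography, e.g. `msg=missing_required_lib(f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}") + f" (found {cryptography.__version__})"`. The requirement string is also built twice, so binding it once to a local would keep the two calls in step. The single `fail_json` call in `certificate_complete_chain.py` has the same gap; the guard around these calls and the rest of `main()` lie outside the hunk.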
@@ -129,6 +128,9 @@ from ansible.module_utils.common.text.converters import to_bytes from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( split_pem_list, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) @@ -148,7 +150,9 @@ try: import cryptography.x509 import cryptography.x509.oid - HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion("3.4") + HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION + ) except ImportError: CRYPTOGRAPHY_IMP_ERR = traceback.format_exc() HAS_CRYPTOGRAPHY = False @@ -331,7 +335,9 @@ def main(): if not HAS_CRYPTOGRAPHY: module.fail_json( - msg=missing_required_lib("cryptography >= 3.4"), + msg=missing_required_lib( + f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}" + ), exception=CRYPTOGRAPHY_IMP_ERR, ) diff --git a/plugins/modules/ecs_certificate.py b/plugins/modules/ecs_certificate.py index 06721b07..f3a8b9ae 100644 --- a/plugins/modules/ecs_certificate.py +++ b/plugins/modules/ecs_certificate.py @@ -19,11 +19,10 @@ description: validated in the ECS system. It is I(not) the responsibility of this module to perform those steps. notes: - O(path) must be specified as the output location of the certificate. -requirements: - - cryptography >= 3.4 extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.files + - community.crypto.cryptography_dep.minimum - community.crypto.ecs_credential attributes: check_mode: 
@@ -558,6 +557,9 @@ from ansible.module_utils.common.text.converters import to_bytes from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.ecs.api import ( ECSClient, RestOperationException, @@ -581,7 +583,7 @@ except ImportError: else: CRYPTOGRAPHY_FOUND = True -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION def validate_cert_expiry(cert_expiry): diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py index b52fef57..5010e673 100644 --- a/plugins/modules/get_certificate.py +++ b/plugins/modules/get_certificate.py @@ -16,6 +16,7 @@ description: extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: none @@ -121,7 +122,6 @@ notes: - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed. requirements: - "Python >= 3.10 when O(get_certificate_chain=true)" - - "cryptography >= 3.4" seealso: - plugin: community.crypto.to_serial @@ -284,6 +284,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp get_not_valid_after, get_not_valid_before, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.time import ( get_now_datetime, ) @@ -292,7 +295,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: 
diff --git a/plugins/modules/openssh_keypair.py b/plugins/modules/openssh_keypair.py index e5a48b9c..b2181e29 100644 --- a/plugins/modules/openssh_keypair.py +++ b/plugins/modules/openssh_keypair.py @@ -15,7 +15,7 @@ description: V(rsa), V(dsa), V(rsa1), V(ed25519) or V(ecdsa) private keys. requirements: - ssh-keygen (if O(backend=openssh)) - - cryptography >= 3.4 (if O(backend=cryptography)) + - cryptography >= 3.3 (if O(backend=cryptography)) extends_documentation_fragment: - ansible.builtin.files - community.crypto.attributes diff --git a/plugins/modules/openssl_csr_info.py b/plugins/modules/openssl_csr_info.py index cf180746..2f0cfda0 100644 --- a/plugins/modules/openssl_csr_info.py +++ b/plugins/modules/openssl_csr_info.py @@ -14,16 +14,15 @@ description: - This module allows one to query information on OpenSSL Certificate Signing Requests (CSR). - In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned. - It uses the cryptography python library to interact with OpenSSL. -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) - Yanis Guenane (@Spredzy) extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - - community.crypto.name_encoding - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum + - community.crypto.name_encoding options: path: description: diff --git a/plugins/modules/openssl_dhparam.py b/plugins/modules/openssl_dhparam.py index 6245397e..1c8eff3b 100644 --- a/plugins/modules/openssl_dhparam.py +++ b/plugins/modules/openssl_dhparam.py 
@@ -17,7 +17,7 @@ description: - The module can use the cryptography Python library, or the C(openssl) executable. By default, it tries to detect which one is available. This can be overridden with the O(select_crypto_backend) option. requirements: - - Either cryptography >= 3.4 + - Either cryptography >= 3.3 - Or OpenSSL binary C(openssl) author: - Thom Wiggers (@thomwiggers) @@ -139,6 +139,9 @@ from ansible.module_utils.common.text.converters import to_native from ansible_collections.community.crypto.plugins.module_utils.crypto.math import ( count_bits, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import ( load_file_if_exists, write_file, @@ -148,7 +151,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/openssl_pkcs12.py b/plugins/modules/openssl_pkcs12.py index 347ded46..d3bb2d23 100644 --- a/plugins/modules/openssl_pkcs12.py +++ b/plugins/modules/openssl_pkcs12.py @@ -14,12 +14,11 @@ short_description: Generate OpenSSL PKCS#12 archive description: - This module allows one to (re-)generate PKCS#12. - The module uses the cryptography Python library. -requirements: - - cryptography >= 3.4 extends_documentation_fragment: - ansible.builtin.files - community.crypto.attributes - community.crypto.attributes.files + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: full 
@@ -296,6 +295,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im load_certificate, load_privatekey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import ( load_file_if_exists, write_file, @@ -305,7 +307,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py index 87ad4c7e..9bb152df 100644 --- a/plugins/modules/openssl_privatekey_info.py +++ b/plugins/modules/openssl_privatekey_info.py @@ -16,8 +16,6 @@ description: return variables are still returned. Note that key consistency checks are not available all key types; if none is available, V(none) is returned for RV(key_is_consistent). - It uses the cryptography python library to interact with OpenSSL. -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) - Yanis Guenane (@Spredzy) @@ -25,6 +23,7 @@ extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum options: path: description: diff --git a/plugins/modules/openssl_publickey.py b/plugins/modules/openssl_publickey.py index e5af9b86..511bb85d 100644 --- a/plugins/modules/openssl_publickey.py +++ b/plugins/modules/openssl_publickey.py 
@@ -14,8 +14,6 @@ description: - Public keys are generated in PEM or OpenSSH format. Private keys must be OpenSSL PEM keys. B(OpenSSH private keys are not supported), use the M(community.crypto.openssh_keypair) module to manage these. - The module uses the cryptography Python library. -requirements: - - cryptography >= 3.4 author: - Yanis Guenane (@Spredzy) - Felix Fontein (@felixfontein) @@ -23,6 +21,7 @@ extends_documentation_fragment: - ansible.builtin.files - community.crypto.attributes - community.crypto.attributes.files + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: full @@ -200,6 +199,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_fingerprint, load_privatekey, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import ( load_file_if_exists, write_file, @@ -209,7 +211,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/openssl_publickey_info.py b/plugins/modules/openssl_publickey_info.py index de4bc070..19fcf186 100644 --- a/plugins/modules/openssl_publickey_info.py +++ b/plugins/modules/openssl_publickey_info.py @@ -13,14 +13,13 @@ description: - This module allows one to query information on OpenSSL public keys. - It uses the cryptography python library to interact with OpenSSL. version_added: 1.7.0 -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum options: path: description: 
diff --git a/plugins/modules/openssl_signature.py b/plugins/modules/openssl_signature.py index 347903de..3b503691 100644 --- a/plugins/modules/openssl_signature.py +++ b/plugins/modules/openssl_signature.py @@ -13,13 +13,12 @@ short_description: Sign data with openssl description: - This module allows one to sign data using a private key. - The module uses the cryptography Python library. -requirements: - - cryptography >= 3.4 author: - Patrick Pichler (@aveexy) - Markus Teufelberger (@MarkusTeufelberger) extends_documentation_fragment: - community.crypto.attributes + - community.crypto.cryptography_dep.minimum attributes: check_mode: support: full @@ -99,12 +98,15 @@ import base64 import os import traceback +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/openssl_signature_info.py b/plugins/modules/openssl_signature_info.py index f266e812..5eb0b64d 100644 --- a/plugins/modules/openssl_signature_info.py +++ b/plugins/modules/openssl_signature_info.py @@ -13,8 +13,6 @@ short_description: Verify signatures with openssl description: - This module allows one to verify a signature for a file by a certificate. - The module uses the cryptography Python library. -requirements: - - cryptography >= 3.4 author: - Patrick Pichler (@aveexy) - Markus Teufelberger (@MarkusTeufelberger) @@ -22,6 +20,7 @@ extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum options: path: description: 
@@ -88,12 +87,15 @@ import base64 import os import traceback +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.version import ( LooseVersion, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/x509_certificate_convert.py b/plugins/modules/x509_certificate_convert.py index db6727d7..c2a707bd 100644 --- a/plugins/modules/x509_certificate_convert.py +++ b/plugins/modules/x509_certificate_convert.py @@ -124,13 +124,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( OpenSSLObject, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import ( load_file_if_exists, write_file, ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py index 325d66a0..957c56f8 100644 --- a/plugins/modules/x509_certificate_info.py +++ b/plugins/modules/x509_certificate_info.py @@ -19,8 +19,6 @@ description: to M(community.crypto.x509_certificate_info). When using FQCNs or when using the L(collections,https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#using-collections-in-a-playbook) keyword, the new name M(community.crypto.x509_certificate_info) should be used to avoid a deprecation warning. -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) - Yanis Guenane (@Spredzy) 
@@ -29,6 +27,7 @@ extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum - community.crypto.name_encoding options: path: diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py index ded0a055..426d9ba1 100644 --- a/plugins/modules/x509_crl.py +++ b/plugins/modules/x509_crl.py @@ -14,14 +14,13 @@ description: - This module allows one to (re)generate or update Certificate Revocation Lists (CRLs). - Certificates on the revocation list can be either specified by serial number and (optionally) their issuer, or as a path to a certificate file in PEM format. -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) extends_documentation_fragment: - ansible.builtin.files - community.crypto.attributes - community.crypto.attributes.files + - community.crypto.cryptography_dep.minimum - community.crypto.name_encoding attributes: check_mode: @@ -470,6 +469,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im parse_ordered_name_field, select_message_digest, ) +from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import ( + COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION, +) from ansible_collections.community.crypto.plugins.module_utils.io import write_file from ansible_collections.community.crypto.plugins.module_utils.serial import ( parse_serial, @@ -482,7 +484,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import ( ) -MINIMAL_CRYPTOGRAPHY_VERSION = "3.4" +MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION CRYPTOGRAPHY_IMP_ERR = None try: diff --git a/plugins/modules/x509_crl_info.py b/plugins/modules/x509_crl_info.py index d44271dc..a9a43fde 100644 --- a/plugins/modules/x509_crl_info.py +++ b/plugins/modules/x509_crl_info.py 
@@ -12,14 +12,13 @@ version_added: '1.0.0' short_description: Retrieve information on Certificate Revocation Lists (CRLs) description: - This module allows one to retrieve information on Certificate Revocation Lists (CRLs). -requirements: - - cryptography >= 3.4 author: - Felix Fontein (@felixfontein) extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.info_module - community.crypto.attributes.idempotent_not_modify_state + - community.crypto.cryptography_dep.minimum - community.crypto.name_encoding options: path: diff --git a/tests/integration/targets/acme_account/tasks/main.yml b/tests/integration/targets/acme_account/tasks/main.yml index ce7abf3a..e69a374c 100644 --- a/tests/integration/targets/acme_account/tasks/main.yml +++ b/tests/integration/targets/acme_account/tasks/main.yml @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_account_info/tasks/main.yml b/tests/integration/targets/acme_account_info/tasks/main.yml index ce7abf3a..e69a374c 100644 --- a/tests/integration/targets/acme_account_info/tasks/main.yml +++ b/tests/integration/targets/acme_account_info/tasks/main.yml @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_ari_info/tasks/main.yml b/tests/integration/targets/acme_ari_info/tasks/main.yml index fa0aaca7..200fb0c7 100644 --- a/tests/integration/targets/acme_ari_info/tasks/main.yml +++ b/tests/integration/targets/acme_ari_info/tasks/main.yml @@ -41,4 +41,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') 
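Review bot: The gate `cryptography_version.stdout is version('3.3', '>=')` in tests/integration/targets/acme_account/tasks/main.yml repeats the collection minimum as a literal, and the same literal is edited in every other test target touched by this commit. Because the gate now equals the supported minimum, an environment below it would skip the gated tasks and the run would still report success, so an outdated or wrongly detected library could go unnoticed; this assumes the `when:` covers the enclosing block, which starts outside the hunk. Consider defining the minimum once wherever `cryptography_version` is registered and failing explicitly when the installed version is below it, instead of skipping.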
diff --git a/tests/integration/targets/acme_certificate/tasks/main.yml b/tests/integration/targets/acme_certificate/tasks/main.yml index 2c043907..26876a35 100644 --- a/tests/integration/targets/acme_certificate/tasks/main.yml +++ b/tests/integration/targets/acme_certificate/tasks/main.yml @@ -118,4 +118,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml index ce7abf3a..e69a374c 100644 --- a/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_order/tasks/main.yml b/tests/integration/targets/acme_certificate_order/tasks/main.yml index bbf95f02..32fd8429 100644 --- a/tests/integration/targets/acme_certificate_order/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_order/tasks/main.yml @@ -33,4 +33,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml index 1f3af236..40df2563 100644 --- a/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml 
@@ -40,4 +40,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml index ce7abf3a..e69a374c 100644 --- a/tests/integration/targets/acme_certificate_revoke/tasks/main.yml +++ b/tests/integration/targets/acme_certificate_revoke/tasks/main.yml @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml index 99b81406..d3fdc8ae 100644 --- a/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml +++ b/tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml @@ -35,4 +35,4 @@ terms_agreed: true account_email: "example@example.org" - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/acme_inspect/tasks/main.yml b/tests/integration/targets/acme_inspect/tasks/main.yml index ce7abf3a..e69a374c 100644 --- a/tests/integration/targets/acme_inspect/tasks/main.yml +++ b/tests/integration/targets/acme_inspect/tasks/main.yml @@ -37,4 +37,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/certificate_complete_chain/tasks/main.yml b/tests/integration/targets/certificate_complete_chain/tasks/main.yml index 799842e3..3dddcee6 100644 --- a/tests/integration/targets/certificate_complete_chain/tasks/main.yml +++ b/tests/integration/targets/certificate_complete_chain/tasks/main.yml 
@@ -24,4 +24,4 @@ - name: Run tests with created certificates import_tasks: created.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml index f59d6d31..39990abd 100644 --- a/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_csr_info/tasks/main.yml @@ -129,4 +129,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml index 77b1d26f..223fd8f0 100644 --- a/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml @@ -39,4 +39,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml b/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml index 1949e884..2029f4c7 100644 --- a/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml +++ b/tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml @@ -44,4 +44,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml index 8a7da796..ae013c36 100644 
--- a/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_certificate_info/tasks/main.yml @@ -146,4 +146,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml index 7d00b37d..27c68e35 100644 --- a/tests/integration/targets/filter_x509_crl_info/tasks/main.yml +++ b/tests/integration/targets/filter_x509_crl_info/tasks/main.yml @@ -88,4 +88,4 @@ - name: Running tests include_tasks: impl.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/get_certificate/tasks/main.yml b/tests/integration/targets/get_certificate/tasks/main.yml index 7ae2ad0d..a0f832bb 100644 --- a/tests/integration/targets/get_certificate/tasks/main.yml +++ b/tests/integration/targets/get_certificate/tasks/main.yml @@ -37,7 +37,7 @@ that: - result is success or skip_tests - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') - block: diff --git a/tests/integration/targets/openssh_keypair/tasks/main.yml b/tests/integration/targets/openssh_keypair/tasks/main.yml index f36a765b..3c372ff3 100644 --- a/tests/integration/targets/openssh_keypair/tasks/main.yml +++ b/tests/integration/targets/openssh_keypair/tasks/main.yml @@ -19,7 +19,7 @@ - set_fact: backends: "{{ backends + ['cryptography'] }}" - when: cryptography_version.stdout is version('3.4', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') + when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') - include_tasks: ../tests/core.yml loop: "{{ backends }}" 
@@ -47,4 +47,4 @@ loop_var: backend - include_tasks: ../tests/cryptography_backend.yml - when: cryptography_version.stdout is version('3.4', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') + when: cryptography_version.stdout is version('3.3', '>=') and bcrypt_version.stdout is version('3.1.5', '>=') diff --git a/tests/integration/targets/openssl_csr/tasks/main.yml b/tests/integration/targets/openssl_csr/tasks/main.yml index 29aef53b..556c6608 100644 --- a/tests/integration/targets/openssl_csr/tasks/main.yml +++ b/tests/integration/targets/openssl_csr/tasks/main.yml @@ -29,4 +29,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_csr_info/tasks/main.yml b/tests/integration/targets/openssl_csr_info/tasks/main.yml index d496934a..2c696fbb 100644 --- a/tests/integration/targets/openssl_csr_info/tasks/main.yml +++ b/tests/integration/targets/openssl_csr_info/tasks/main.yml @@ -132,4 +132,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml index 80161e61..01869852 100644 --- a/tests/integration/targets/openssl_csr_pipe/tasks/main.yml +++ b/tests/integration/targets/openssl_csr_pipe/tasks/main.yml @@ -24,4 +24,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_dhparam/tasks/main.yml b/tests/integration/targets/openssl_dhparam/tasks/main.yml index 27f12034..248f2afe 100644 --- a/tests/integration/targets/openssl_dhparam/tasks/main.yml 
+++ b/tests/integration/targets/openssl_dhparam/tasks/main.yml @@ -44,4 +44,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_pkcs12/tasks/main.yml b/tests/integration/targets/openssl_pkcs12/tasks/main.yml index 9688fa06..9ea1402e 100644 --- a/tests/integration/targets/openssl_pkcs12/tasks/main.yml +++ b/tests/integration/targets/openssl_pkcs12/tasks/main.yml @@ -62,13 +62,10 @@ path: '{{ remote_tmp_dir }}/ansible.p12' state: absent - - block: - - name: Running tests with cryptography backend - include_tasks: impl.yml - vars: - select_crypto_backend: cryptography - - when: cryptography_version.stdout is version('3.4', '>=') + - name: Running tests with cryptography backend + include_tasks: impl.yml + vars: + select_crypto_backend: cryptography when: >- - cryptography_version.stdout is version('3.4', '>=') + cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey/tasks/main.yml b/tests/integration/targets/openssl_privatekey/tasks/main.yml index c1ada831..5e9ec16b 100644 --- a/tests/integration/targets/openssl_privatekey/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey/tasks/main.yml @@ -50,4 +50,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml index 00b38cff..64a24f9a 100644 --- a/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_convert/tasks/main.yml 
@@ -58,4 +58,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml index d4211fa7..ebe9dd27 100644 --- a/tests/integration/targets/openssl_privatekey_info/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_info/tasks/main.yml @@ -43,4 +43,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml index c4b83873..511895cc 100644 --- a/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml +++ b/tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml @@ -18,4 +18,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_publickey/tasks/main.yml b/tests/integration/targets/openssl_publickey/tasks/main.yml index 415b2263..e2623ded 100644 --- a/tests/integration/targets/openssl_publickey/tasks/main.yml +++ b/tests/integration/targets/openssl_publickey/tasks/main.yml @@ -28,4 +28,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/openssl_publickey_info/tasks/main.yml b/tests/integration/targets/openssl_publickey_info/tasks/main.yml index 5760089e..a0e8e35a 100644 --- a/tests/integration/targets/openssl_publickey_info/tasks/main.yml +++ b/tests/integration/targets/openssl_publickey_info/tasks/main.yml 
@@ -46,4 +46,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate-acme/tasks/main.yml b/tests/integration/targets/x509_certificate-acme/tasks/main.yml index d1b1c9a1..c61b93b0 100644 --- a/tests/integration/targets/x509_certificate-acme/tasks/main.yml +++ b/tests/integration/targets/x509_certificate-acme/tasks/main.yml @@ -141,4 +141,4 @@ - name: Running tests include_tasks: impl.yml # Make x509_certificate module happy - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate/tasks/main.yml b/tests/integration/targets/x509_certificate/tasks/main.yml index 936c991d..238ccc1b 100644 --- a/tests/integration/targets/x509_certificate/tasks/main.yml +++ b/tests/integration/targets/x509_certificate/tasks/main.yml @@ -12,4 +12,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate/tasks/ownca.yml b/tests/integration/targets/x509_certificate/tasks/ownca.yml index 0b574ea1..e260afef 100644 --- a/tests/integration/targets/x509_certificate/tasks/ownca.yml +++ b/tests/integration/targets/x509_certificate/tasks/ownca.yml @@ -658,6 +658,6 @@ register: ownca_certificate_ed25519_ed448_2_idempotence ignore_errors: true - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.4', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=') - import_tasks: ../tests/validate_ownca.yml 
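Review bot: In tests/integration/targets/x509_certificate/tasks/ownca.yml the lowered gate `cryptography_version.stdout is version('3.3', '>=')` lets the Ed25519/Ed448 tasks run on one more library version, and the task visible just above it carries `ignore_errors: true`. A real failure on the newly supported version is then caught only if ../tests/validate_ownca.yml inspects `ownca_certificate_ed25519_ed448_2_idempotence` and tells an unsupported key type apart from any other error; that file is not part of this diff. I would confirm that such an assertion exists, or add a comment above the block stating which error is expected to be ignored. The same pattern is visible in tasks/selfsigned.yml and in x509_crl/tasks/impl.yml.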
diff --git a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml index 8dbbf6c4..9d512ea4 100644 --- a/tests/integration/targets/x509_certificate/tasks/selfsigned.yml +++ b/tests/integration/targets/x509_certificate/tasks/selfsigned.yml @@ -480,6 +480,6 @@ register: selfsigned_certificate_ed25519_ed448_idempotence ignore_errors: true - when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.4', '>=') + when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.3', '>=') - import_tasks: ../tests/validate_selfsigned.yml diff --git a/tests/integration/targets/x509_certificate_info/tasks/main.yml b/tests/integration/targets/x509_certificate_info/tasks/main.yml index 69766ebd..cdaa5e20 100644 --- a/tests/integration/targets/x509_certificate_info/tasks/main.yml +++ b/tests/integration/targets/x509_certificate_info/tasks/main.yml @@ -149,4 +149,4 @@ include_tasks: impl.yml vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml index afefc95c..0f93c771 100644 --- a/tests/integration/targets/x509_certificate_pipe/tasks/main.yml +++ b/tests/integration/targets/x509_certificate_pipe/tasks/main.yml @@ -23,4 +23,4 @@ vars: select_crypto_backend: cryptography - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_crl/tasks/impl.yml b/tests/integration/targets/x509_crl/tasks/impl.yml index f19df899..02517852 100644 --- a/tests/integration/targets/x509_crl/tasks/impl.yml +++ b/tests/integration/targets/x509_crl/tasks/impl.yml 
@@ -694,4 +694,4 @@ - Ed448 ignore_errors: true - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=') diff --git a/tests/integration/targets/x509_crl/tasks/main.yml b/tests/integration/targets/x509_crl/tasks/main.yml index dba2f167..df9775ae 100644 --- a/tests/integration/targets/x509_crl/tasks/main.yml +++ b/tests/integration/targets/x509_crl/tasks/main.yml @@ -90,4 +90,4 @@ - import_tasks: ../tests/validate.yml - when: cryptography_version.stdout is version('3.4', '>=') + when: cryptography_version.stdout is version('3.3', '>=')