Release 1.9.19.

* Only access C.STRING_CONVERSION_ACTION for old ansible-base / Ansible versions.

* Always use self.__xxx instead of xxx directly.

(cherry picked from commit b3f589df62)

Co-authored-by: Felix Fontein <felix@fontein.de>

CHANGELOG.rst

@@ -5,6 +5,32 @@ Community Crypto Release Notes
 .. contents:: Topics
 
 
+v1.9.19
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core (https://github.com/ansible-collections/community.crypto/pull/515).
+
+v1.9.18
+=======
+
+Release Summary
+---------------
+
+Bugfix release.
+
+Bugfixes
+--------
+
+- openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486, https://github.com/ansible-collections/community.crypto/pull/487).
+
 v1.9.17
 =======
 

changelogs/changelog.yaml

@@ -649,6 +649,27 @@ releases:
     - 481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
     - apache-license.yml
     release_date: '2022-06-17'
+  1.9.18:
+    changes:
+      bugfixes:
+      - openssl_pkcs12 - when using the pyOpenSSL backend, do not crash when trying
+        to read non-existing other certificates (https://github.com/ansible-collections/community.crypto/issues/486,
+        https://github.com/ansible-collections/community.crypto/pull/487).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.9.18.yml
+    - 487-openssl_pkcs12-other-certs-crash.yml
+    release_date: '2022-07-09'
+  1.9.19:
+    changes:
+      bugfixes:
+      - openssl_privatekey_pipe - ensure compatibility with newer versions of ansible-core
+        (https://github.com/ansible-collections/community.crypto/pull/515).
+      release_summary: Bugfix release.
+    fragments:
+    - 1.9.19.yml
+    - 515-action-module-compat.yml
+    release_date: '2022-11-01'
   1.9.2:
     changes:
       release_summary: Bugfix release to fix the changelog. No other change compared

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: community
 name: crypto
-version: 1.9.17
+version: 1.9.19
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/modules/acme_account_info.py

@@ -101,7 +101,7 @@ account:
       returned: always
       type: list
       elements: str
-      sample: "['mailto:me@example.com', 'tel:00123456789']"
+      sample: ['mailto:me@example.com', 'tel:00123456789']
     status:
       description: the account's status
       returned: always

plugins/modules/acme_certificate.py

@@ -467,7 +467,20 @@ authorizations:
     - Maps an identifier to ACME authorization objects. See U(https://tools.ietf.org/html/rfc8555#section-7.1.4).
   returned: changed
   type: dict
-  sample: '{"example.com":{...}}'
+  sample:
+    example.com:
+      identifier:
+        type: dns
+        value: example.com
+      status: valid
+      expires: '2022-08-04T01:02:03.45Z'
+      challenges:
+        - url: https://example.org/acme/challenge/12345
+          type: http-01
+          status: valid
+          token: A5b1C3d2E9f8G7h6
+          validated: '2022-08-01T01:01:02.34Z'
+      wildcard: false
 order_uri:
   description: ACME order URI.
   returned: changed

plugins/modules/acme_inspect.py

@@ -183,7 +183,7 @@ directory:
   description: The ACME directory's content
   returned: always
   type: dict
-  sample: |
+  sample:
     {
       "a85k3x9f91A4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
       "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
@@ -203,7 +203,7 @@ headers:
   description: The request's HTTP headers (with lowercase keys)
   returned: always
   type: dict
-  sample: |
+  sample:
     {
       "boulder-requester": "12345",
       "cache-control": "max-age=0, no-cache, no-store",
@@ -214,7 +214,7 @@ headers:
       "cookies_string": "",
       "date": "Wed, 07 Nov 2018 12:34:56 GMT",
       "expires": "Wed, 07 Nov 2018 12:44:56 GMT",
-      "link": "<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel=\"terms-of-service\"",
+      "link": '<https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"',
       "msg": "OK (904 bytes)",
       "pragma": "no-cache",
       "replay-nonce": "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGH",

plugins/modules/openssl_csr.py

@@ -177,7 +177,7 @@ subject:
     returned: changed or success
     type: list
     elements: list
-    sample: "[('CN', 'www.ansible.com'), ('O', 'Ansible')]"
+    sample: [['CN', 'www.ansible.com'], ['O', 'Ansible']]
 subjectAltName:
     description: The alternative names this CSR is valid for
     returned: changed or success

plugins/modules/openssl_csr_info.py

@@ -85,7 +85,7 @@ basic_constraints:
     returned: success
     type: list
     elements: str
-    sample: "[CA:TRUE, pathlen:1]"
+    sample: ['CA:TRUE', 'pathlen:1']
 basic_constraints_critical:
     description: Whether the C(basic_constraints) extension is critical.
     returned: success
@@ -95,7 +95,7 @@ extended_key_usage:
     returned: success
     type: list
     elements: str
-    sample: "[Biometric Info, DVCS, Time Stamping]"
+    sample: [Biometric Info, DVCS, Time Stamping]
 extended_key_usage_critical:
     description: Whether the C(extended_key_usage) extension is critical.
     returned: success
@@ -114,12 +114,12 @@ extensions_by_oid:
             returned: success
             type: str
             sample: "MAMCAQU="
-    sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}'
+    sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
 key_usage:
     description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
     returned: success
     type: str
-    sample: "[Key Agreement, Data Encipherment]"
+    sample: [Key Agreement, Data Encipherment]
 key_usage_critical:
     description: Whether the C(key_usage) extension is critical.
     returned: success
@@ -129,7 +129,7 @@ subject_alt_name:
     returned: success
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 subject_alt_name_critical:
     description: Whether the C(subject_alt_name) extension is critical.
     returned: success
@@ -171,13 +171,13 @@ subject:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+    sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
 subject_ordered:
     description: The CSR's subject as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
 public_key:
     description: CSR's public key in PEM format
     returned: success
@@ -285,14 +285,14 @@ authority_cert_issuer:
     returned: success and if the pyOpenSSL backend is I(not) used
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 authority_cert_serial_number:
     description:
         - The CSR's authority cert serial number.
         - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
     returned: success and if the pyOpenSSL backend is I(not) used
     type: int
-    sample: '12345'
+    sample: 12345
 '''
 
 

plugins/modules/openssl_csr_pipe.py

@@ -66,7 +66,7 @@ subject:
     returned: changed or success
     type: list
     elements: list
-    sample: "[('CN', 'www.ansible.com'), ('O', 'Ansible')]"
+    sample: [['CN', 'www.ansible.com'], ['O', 'Ansible']]
 subjectAltName:
     description: The alternative names this CSR is valid for
     returned: changed or success

plugins/modules/openssl_pkcs12.py

@@ -542,6 +542,8 @@ class PkcsPyOpenSSL(Pkcs):
         return crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if cert else None
 
     def _dump_other_certificates(self, pkcs12):
+        if pkcs12.get_ca_certificates() is None:
+            return []
         return [
             crypto.dump_certificate(crypto.FILETYPE_PEM, other_cert)
             for other_cert in pkcs12.get_ca_certificates()

plugins/modules/x509_certificate_info.py

@@ -129,7 +129,7 @@ basic_constraints:
     returned: success
     type: list
     elements: str
-    sample: "[CA:TRUE, pathlen:1]"
+    sample: ["CA:TRUE", "pathlen:1"]
 basic_constraints_critical:
     description: Whether the C(basic_constraints) extension is critical.
     returned: success
@@ -139,7 +139,7 @@ extended_key_usage:
     returned: success
     type: list
     elements: str
-    sample: "[Biometric Info, DVCS, Time Stamping]"
+    sample: [Biometric Info, DVCS, Time Stamping]
 extended_key_usage_critical:
     description: Whether the C(extended_key_usage) extension is critical.
     returned: success
@@ -158,12 +158,12 @@ extensions_by_oid:
             returned: success
             type: str
             sample: "MAMCAQU="
-    sample: '{"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}'
+    sample: {"1.3.6.1.5.5.7.1.24": { "critical": false, "value": "MAMCAQU="}}
 key_usage:
     description: Entries in the C(key_usage) extension, or C(none) if extension is not present.
     returned: success
     type: str
-    sample: "[Key Agreement, Data Encipherment]"
+    sample: [Key Agreement, Data Encipherment]
 key_usage_critical:
     description: Whether the C(key_usage) extension is critical.
     returned: success
@@ -173,7 +173,7 @@ subject_alt_name:
     returned: success
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 subject_alt_name_critical:
     description: Whether the C(subject_alt_name) extension is critical.
     returned: success
@@ -192,36 +192,36 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The certificate's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 subject:
     description:
         - The certificate's subject as a dictionary.
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"commonName": "www.example.com", "emailAddress": "test@example.com"}'
+    sample: {"commonName": "www.example.com", "emailAddress": "test@example.com"}
 subject_ordered:
     description: The certificate's subject as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]'
+    sample: [["commonName", "www.example.com"], ["emailAddress": "test@example.com"]]
 not_after:
     description: C(notAfter) date as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 not_before:
     description: C(notBefore) date as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190331202428Z
+    sample: '20190331202428Z'
 public_key:
     description: Certificate's public key in PEM format.
     returned: success
@@ -359,14 +359,14 @@ authority_cert_issuer:
     returned: success and if the pyOpenSSL backend is I(not) used
     type: list
     elements: str
-    sample: "[DNS:www.ansible.com, IP:1.2.3.4]"
+    sample: ["DNS:www.ansible.com", "IP:1.2.3.4"]
 authority_cert_serial_number:
     description:
         - The certificate's authority cert serial number.
         - Is C(none) if the C(AuthorityKeyIdentifier) extension is not present.
     returned: success and if the pyOpenSSL backend is I(not) used
     type: int
-    sample: '12345'
+    sample: 12345
 ocsp_uri:
     description: The OCSP responder URI, if included in the certificate. Will be
                  C(none) if no OCSP responder URI is included.

plugins/modules/x509_crl.py

@@ -286,13 +286,13 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The CRL's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 last_update:
     description: The point in time from which this CRL can be trusted as ASN.1 TIME.
     returned: success
@@ -326,7 +326,7 @@ revoked_certificates:
             description: The certificate's issuer.
             type: list
             elements: str
-            sample: '["DNS:ca.example.org"]'
+            sample: ["DNS:ca.example.org"]
         issuer_critical:
             description: Whether the certificate issuer extension is critical.
             type: bool

plugins/modules/x509_crl_info.py

@@ -78,23 +78,23 @@ issuer:
         - Note that for repeated values, only the last one will be returned.
     returned: success
     type: dict
-    sample: '{"organizationName": "Ansible", "commonName": "ca.example.com"}'
+    sample: {"organizationName": "Ansible", "commonName": "ca.example.com"}
 issuer_ordered:
     description: The CRL's issuer as an ordered list of tuples.
     returned: success
     type: list
     elements: list
-    sample: '[["organizationName", "Ansible"], ["commonName": "ca.example.com"]]'
+    sample: [["organizationName", "Ansible"], ["commonName": "ca.example.com"]]
 last_update:
     description: The point in time from which this CRL can be trusted as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 next_update:
     description: The point in time from which a new CRL will be issued and the client has to check for it as ASN.1 TIME.
     returned: success
     type: str
-    sample: 20190413202428Z
+    sample: '20190413202428Z'
 digest:
     description: The signature algorithm used to sign the CRL.
     returned: success
@@ -113,12 +113,12 @@ revoked_certificates:
         revocation_date:
             description: The point in time the certificate was revoked as ASN.1 TIME.
             type: str
-            sample: 20190413202428Z
+            sample: '20190413202428Z'
         issuer:
             description: The certificate's issuer.
             type: list
             elements: str
-            sample: '["DNS:ca.example.org"]'
+            sample: ["DNS:ca.example.org"]
         issuer_critical:
             description: Whether the certificate issuer extension is critical.
             type: bool
@@ -140,7 +140,7 @@ revoked_certificates:
                 The point in time it was known/suspected that the private key was compromised
                 or that the certificate otherwise became invalid as ASN.1 TIME.
             type: str
-            sample: 20190413202428Z
+            sample: '20190413202428Z'
         invalidity_date_critical:
             description: Whether the invalidity date extension is critical.
             type: bool

plugins/plugin_utils/action_module.py

@@ -115,13 +115,12 @@ class AnsibleActionModule(object):
         self.required_by = required_by
         self._diff = self.__action_plugin._play_context.diff
         self._verbosity = self.__action_plugin._display.verbosity
-        self._string_conversion_action = C.STRING_CONVERSION_ACTION
 
         self.aliases = {}
         self._legal_inputs = []
         self._options_context = list()
 
-        self.params = copy.deepcopy(action_plugin._task.args)
+        self.params = copy.deepcopy(self.__action_plugin._task.args)
         self.no_log_values = set()
         if HAS_ARGSPEC_VALIDATOR:
             self._validator = ArgumentSpecValidator(
@@ -444,7 +443,7 @@ class AnsibleActionModule(object):
         }
 
         # Ignore, warn, or error when converting to a string.
-        allow_conversion = opts.get(self._string_conversion_action, True)
+        allow_conversion = opts.get(C.STRING_CONVERSION_ACTION, True)
         try:
             return check_type_str(value, allow_conversion)
         except TypeError:
@@ -459,10 +458,10 @@ class AnsibleActionModule(object):
                 from_msg = '{0}: {1!r}'.format(param, value)
                 to_msg = '{0}: {1!r}'.format(param, to_text(value))
 
-            if self._string_conversion_action == 'error':
+            if C.STRING_CONVERSION_ACTION == 'error':
                 msg = common_msg.capitalize()
                 raise TypeError(to_native(msg))
-            elif self._string_conversion_action == 'warn':
+            elif C.STRING_CONVERSION_ACTION == 'warn':
                 msg = ('The value "{0}" (type {1.__class__.__name__}) was converted to "{2}" (type string). '
                        'If this does not look like what you expect, {3}').format(from_msg, value, to_msg, common_msg)
                 self.warn(to_native(msg))

tests/integration/targets/openssl_pkcs12/tasks/impl.yml

@@ -45,6 +45,18 @@
       return_content: true
     register: p12_standard_idempotency
 
+  - name: "({{ select_crypto_backend }}) Generate PKCS#12 file again, idempotency (empty other_certificates)"
+    openssl_pkcs12:
+      select_crypto_backend: '{{ select_crypto_backend }}'
+      path: '{{ remote_tmp_dir }}/ansible.p12'
+      friendly_name: abracadabra
+      privatekey_path: '{{ remote_tmp_dir }}/ansible_pkey1.pem'
+      certificate_path: '{{ remote_tmp_dir }}/ansible1.crt'
+      state: present
+      return_content: true
+      other_certificates: []
+    register: p12_standard_idempotency_no_certs
+
   - name: "({{ select_crypto_backend }}) Read ansible.p12"
     slurp:
       src: '{{ remote_tmp_dir }}/ansible.p12'

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -25,6 +25,7 @@
       - p12_dumped is changed
       - p12_standard_idempotency is not changed
       - p12_standard_idempotency_check is not changed
+      - p12_standard_idempotency_no_certs is not changed
       - p12_multiple_certs_idempotency is not changed
       - p12_dumped_idempotency is not changed
       - p12_dumped_check_mode is not changed

tests/integration/targets/setup_ssh_agent/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_ssh_keygen
+  - prepare_jinja2_compat

tests/integration/targets/setup_ssh_agent/tasks/main.yml

@@ -5,13 +5,22 @@
 ####################################################################
 
 - name: Start an ssh agent to use for tests
-  shell: eval $(ssh-agent)>/dev/null&&echo "${SSH_AGENT_PID};${SSH_AUTH_SOCK}"
-  register: openssh_agent_env_vars
+  shell: ssh-agent -c | grep "^setenv"
+  register: openssh_agent_stdout
+
+- name: Convert output to dictionary
+  set_fact:
+    openssh_agent_env: >-
+      {{
+        openssh_agent_stdout.stdout_lines | map('regex_replace', '^setenv ([^ ]+) ([^ ]+);', '\1')
+          | zip(openssh_agent_stdout.stdout_lines | map('regex_replace', '^setenv ([^ ]+) ([^ ]+);', '\2'))
+          | list | items2dict(key_name=0, value_name=1)
+      }}
 
 - name: Register ssh agent facts
   set_fact:
-    openssh_agent_pid: "{{ openssh_agent_env_vars.stdout.split(';')[0] }}"
-    openssh_agent_sock: "{{ openssh_agent_env_vars.stdout.split(';')[1] }}"
+    openssh_agent_pid: "{{ openssh_agent_env.SSH_AGENT_PID }}"
+    openssh_agent_sock: "{{ openssh_agent_env.SSH_AUTH_SOCK }}"
 
 - name: stat agent socket
   stat: