Release 1.9.9.

(cherry picked from commit 1b0fcde862)

Co-authored-by: Felix Fontein <felix@fontein.de>

CHANGELOG.rst

@@ -5,6 +5,16 @@ Community Crypto Release Notes
 .. contents:: Topics
 
 
+v1.9.9
+======
+
+Bugfixes
+--------
+
+- Various modules and plugins - use vendored version of ``distutils.version`` instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353).
+- certificate_complete_chain - do not append root twice if the chain already ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360).
+- certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355, https://github.com/ansible-collections/community.crypto/pull/360).
+
 v1.9.8
 ======
 

changelogs/changelog.yaml

@@ -628,3 +628,16 @@ releases:
     fragments:
     - 1.9.8.yml
     release_date: '2021-12-13'
+  1.9.9:
+    changes:
+      bugfixes:
+      - Various modules and plugins - use vendored version of ``distutils.version``
+        instead of the deprecated Python standard library ``distutils`` (https://github.com/ansible-collections/community.crypto/pull/353).
+      - certificate_complete_chain - do not append root twice if the chain already
+        ends with a root certificate (https://github.com/ansible-collections/community.crypto/pull/360).
+      - certificate_complete_chain - do not hang when infinite loop is found (https://github.com/ansible-collections/community.crypto/issues/355,
+        https://github.com/ansible-collections/community.crypto/pull/360).
+    fragments:
+    - 353-distutils.version.yml
+    - 360-certificate_complete_chain-loop.yml
+    release_date: '2022-01-11'

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: community
 name: crypto
-version: 1.9.8
+version: 1.9.9
 readme: README.md
 authors:
   - Ansible (github.com/ansible)

plugins/doc_fragments/module_privatekey.py

@@ -100,7 +100,7 @@ options:
         description:
             - Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format)
               is used for all keys which support it. Please note that not every key can be exported in any format.
-            - The value C(auto) selects a fromat based on the key format. The value C(auto_ignore) does the same,
+            - The value C(auto) selects a format based on the key format. The value C(auto_ignore) does the same,
               but for existing private key files, it will not force a regenerate when its format is not the automatically
               selected one for generation.
             - Note that if the format for an existing private key mismatches, the key is B(regenerated) by default.

plugins/module_utils/_version.py

@@ -0,0 +1,343 @@
+# Vendored copy of distutils/version.py from CPython 3.9.5
+#
+# Implements multiple version numbering conventions for the
+# Python Module Distribution Utilities.
+#
+# PSF License (see licenses/PSF-license.txt or https://opensource.org/licenses/Python-2.0)
+#
+
+"""Provides classes to represent module version numbers (one class for
+each style of version numbering).  There are currently two such classes
+implemented: StrictVersion and LooseVersion.
+
+Every version number class implements the following interface:
+  * the 'parse' method takes a string and parses it to some internal
+    representation; if the string is an invalid version number,
+    'parse' raises a ValueError exception
+  * the class constructor takes an optional string argument which,
+    if supplied, is passed to 'parse'
+  * __str__ reconstructs the string that was passed to 'parse' (or
+    an equivalent string -- ie. one that will generate an equivalent
+    version number instance)
+  * __repr__ generates Python code to recreate the version number instance
+  * _cmp compares the current instance with either another instance
+    of the same class or a string (which will be parsed to an instance
+    of the same class, thus must follow the same rules)
+"""
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import re
+
+try:
+    RE_FLAGS = re.VERBOSE | re.ASCII
+except AttributeError:
+    RE_FLAGS = re.VERBOSE
+
+
+class Version:
+    """Abstract base class for version numbering classes.  Just provides
+    constructor (__init__) and reproducer (__repr__), because those
+    seem to be the same for all version numbering classes; and route
+    rich comparisons to _cmp.
+    """
+
+    def __init__(self, vstring=None):
+        if vstring:
+            self.parse(vstring)
+
+    def __repr__(self):
+        return "%s ('%s')" % (self.__class__.__name__, str(self))
+
+    def __eq__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c == 0
+
+    def __lt__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c < 0
+
+    def __le__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c <= 0
+
+    def __gt__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c > 0
+
+    def __ge__(self, other):
+        c = self._cmp(other)
+        if c is NotImplemented:
+            return c
+        return c >= 0
+
+
+# Interface for version-number classes -- must be implemented
+# by the following classes (the concrete ones -- Version should
+# be treated as an abstract class).
+#    __init__ (string) - create and take same action as 'parse'
+#                        (string parameter is optional)
+#    parse (string)    - convert a string representation to whatever
+#                        internal representation is appropriate for
+#                        this style of version numbering
+#    __str__ (self)    - convert back to a string; should be very similar
+#                        (if not identical to) the string supplied to parse
+#    __repr__ (self)   - generate Python code to recreate
+#                        the instance
+#    _cmp (self, other) - compare two version numbers ('other' may
+#                        be an unparsed version string, or another
+#                        instance of your version class)
+
+
+class StrictVersion(Version):
+    """Version numbering for anal retentives and software idealists.
+    Implements the standard interface for version number classes as
+    described above.  A version number consists of two or three
+    dot-separated numeric components, with an optional "pre-release" tag
+    on the end.  The pre-release tag consists of the letter 'a' or 'b'
+    followed by a number.  If the numeric components of two version
+    numbers are equal, then one with a pre-release tag will always
+    be deemed earlier (lesser) than one without.
+
+    The following are valid version numbers (shown in the order that
+    would be obtained by sorting according to the supplied cmp function):
+
+        0.4       0.4.0  (these two are equivalent)
+        0.4.1
+        0.5a1
+        0.5b3
+        0.5
+        0.9.6
+        1.0
+        1.0.4a3
+        1.0.4b1
+        1.0.4
+
+    The following are examples of invalid version numbers:
+
+        1
+        2.7.2.2
+        1.3.a4
+        1.3pl1
+        1.3c4
+
+    The rationale for this version numbering system will be explained
+    in the distutils documentation.
+    """
+
+    version_re = re.compile(r'^(\d+) \. (\d+) (\. (\d+))? ([ab](\d+))?$',
+                            RE_FLAGS)
+
+    def parse(self, vstring):
+        match = self.version_re.match(vstring)
+        if not match:
+            raise ValueError("invalid version number '%s'" % vstring)
+
+        (major, minor, patch, prerelease, prerelease_num) = \
+            match.group(1, 2, 4, 5, 6)
+
+        if patch:
+            self.version = tuple(map(int, [major, minor, patch]))
+        else:
+            self.version = tuple(map(int, [major, minor])) + (0,)
+
+        if prerelease:
+            self.prerelease = (prerelease[0], int(prerelease_num))
+        else:
+            self.prerelease = None
+
+    def __str__(self):
+        if self.version[2] == 0:
+            vstring = '.'.join(map(str, self.version[0:2]))
+        else:
+            vstring = '.'.join(map(str, self.version))
+
+        if self.prerelease:
+            vstring = vstring + self.prerelease[0] + str(self.prerelease[1])
+
+        return vstring
+
+    def _cmp(self, other):
+        if isinstance(other, str):
+            other = StrictVersion(other)
+        elif not isinstance(other, StrictVersion):
+            return NotImplemented
+
+        if self.version != other.version:
+            # numeric versions don't match
+            # prerelease stuff doesn't matter
+            if self.version < other.version:
+                return -1
+            else:
+                return 1
+
+        # have to compare prerelease
+        # case 1: neither has prerelease; they're equal
+        # case 2: self has prerelease, other doesn't; other is greater
+        # case 3: self doesn't have prerelease, other does: self is greater
+        # case 4: both have prerelease: must compare them!
+
+        if (not self.prerelease and not other.prerelease):
+            return 0
+        elif (self.prerelease and not other.prerelease):
+            return -1
+        elif (not self.prerelease and other.prerelease):
+            return 1
+        elif (self.prerelease and other.prerelease):
+            if self.prerelease == other.prerelease:
+                return 0
+            elif self.prerelease < other.prerelease:
+                return -1
+            else:
+                return 1
+        else:
+            raise AssertionError("never get here")
+
+# end class StrictVersion
+
+# The rules according to Greg Stein:
+# 1) a version number has 1 or more numbers separated by a period or by
+#    sequences of letters. If only periods, then these are compared
+#    left-to-right to determine an ordering.
+# 2) sequences of letters are part of the tuple for comparison and are
+#    compared lexicographically
+# 3) recognize the numeric components may have leading zeroes
+#
+# The LooseVersion class below implements these rules: a version number
+# string is split up into a tuple of integer and string components, and
+# comparison is a simple tuple comparison.  This means that version
+# numbers behave in a predictable and obvious way, but a way that might
+# not necessarily be how people *want* version numbers to behave.  There
+# wouldn't be a problem if people could stick to purely numeric version
+# numbers: just split on period and compare the numbers as tuples.
+# However, people insist on putting letters into their version numbers;
+# the most common purpose seems to be:
+#   - indicating a "pre-release" version
+#     ('alpha', 'beta', 'a', 'b', 'pre', 'p')
+#   - indicating a post-release patch ('p', 'pl', 'patch')
+# but of course this can't cover all version number schemes, and there's
+# no way to know what a programmer means without asking him.
+#
+# The problem is what to do with letters (and other non-numeric
+# characters) in a version number.  The current implementation does the
+# obvious and predictable thing: keep them as strings and compare
+# lexically within a tuple comparison.  This has the desired effect if
+# an appended letter sequence implies something "post-release":
+# eg. "0.99" < "0.99pl14" < "1.0", and "5.001" < "5.001m" < "5.002".
+#
+# However, if letters in a version number imply a pre-release version,
+# the "obvious" thing isn't correct.  Eg. you would expect that
+# "1.5.1" < "1.5.2a2" < "1.5.2", but under the tuple/lexical comparison
+# implemented here, this just isn't so.
+#
+# Two possible solutions come to mind.  The first is to tie the
+# comparison algorithm to a particular set of semantic rules, as has
+# been done in the StrictVersion class above.  This works great as long
+# as everyone can go along with bondage and discipline.  Hopefully a
+# (large) subset of Python module programmers will agree that the
+# particular flavour of bondage and discipline provided by StrictVersion
+# provides enough benefit to be worth using, and will submit their
+# version numbering scheme to its domination.  The free-thinking
+# anarchists in the lot will never give in, though, and something needs
+# to be done to accommodate them.
+#
+# Perhaps a "moderately strict" version class could be implemented that
+# lets almost anything slide (syntactically), and makes some heuristic
+# assumptions about non-digits in version number strings.  This could
+# sink into special-case-hell, though; if I was as talented and
+# idiosyncratic as Larry Wall, I'd go ahead and implement a class that
+# somehow knows that "1.2.1" < "1.2.2a2" < "1.2.2" < "1.2.2pl3", and is
+# just as happy dealing with things like "2g6" and "1.13++".  I don't
+# think I'm smart enough to do it right though.
+#
+# In any case, I've coded the test suite for this module (see
+# ../test/test_version.py) specifically to fail on things like comparing
+# "1.2a2" and "1.2".  That's not because the *code* is doing anything
+# wrong, it's because the simple, obvious design doesn't match my
+# complicated, hairy expectations for real-world version numbers.  It
+# would be a snap to fix the test suite to say, "Yep, LooseVersion does
+# the Right Thing" (ie. the code matches the conception).  But I'd rather
+# have a conception that matches common notions about version numbers.
+
+
+class LooseVersion(Version):
+    """Version numbering for anarchists and software realists.
+    Implements the standard interface for version number classes as
+    described above.  A version number consists of a series of numbers,
+    separated by either periods or strings of letters.  When comparing
+    version numbers, the numeric components will be compared
+    numerically, and the alphabetic components lexically.  The following
+    are all valid version numbers, in no particular order:
+
+        1.5.1
+        1.5.2b2
+        161
+        3.10a
+        8.02
+        3.4j
+        1996.07.12
+        3.2.pl0
+        3.1.1.6
+        2g6
+        11g
+        0.960923
+        2.2beta29
+        1.13++
+        5.5.kw
+        2.0b1pl0
+
+    In fact, there is no such thing as an invalid version number under
+    this scheme; the rules for comparison are simple and predictable,
+    but may not always give the results you want (for some definition
+    of "want").
+    """
+
+    component_re = re.compile(r'(\d+ | [a-z]+ | \.)', re.VERBOSE)
+
+    def __init__(self, vstring=None):
+        if vstring:
+            self.parse(vstring)
+
+    def parse(self, vstring):
+        # I've given up on thinking I can reconstruct the version string
+        # from the parsed tuple -- so I just store the string here for
+        # use by __str__
+        self.vstring = vstring
+        components = [x for x in self.component_re.split(vstring) if x and x != '.']
+        for i, obj in enumerate(components):
+            try:
+                components[i] = int(obj)
+            except ValueError:
+                pass
+
+        self.version = components
+
+    def __str__(self):
+        return self.vstring
+
+    def __repr__(self):
+        return "LooseVersion ('%s')" % str(self)
+
+    def _cmp(self, other):
+        if isinstance(other, str):
+            other = LooseVersion(other)
+        elif not isinstance(other, LooseVersion):
+            return NotImplemented
+
+        if self.version == other.version:
+            return 0
+        if self.version < other.version:
+            return -1
+        if self.version > other.version:
+            return 1
+
+# end class LooseVersion

plugins/module_utils/acme/backend_cryptography.py

@@ -16,6 +16,8 @@ import sys
 
 from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.acme.backends import (
     CryptoBackend,
 )
@@ -57,7 +59,6 @@ try:
     import cryptography.hazmat.primitives.serialization
     import cryptography.x509
     import cryptography.x509.oid
-    from distutils.version import LooseVersion
     CRYPTOGRAPHY_VERSION = cryptography.__version__
     HAS_CURRENT_CRYPTOGRAPHY = (LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion('1.5'))
     if HAS_CURRENT_CRYPTOGRAPHY:

plugins/module_utils/crypto/basic.py

@@ -20,7 +20,7 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 
-from distutils.version import LooseVersion
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 try:
     import OpenSSL  # noqa

plugins/module_utils/crypto/cryptography_support.py

@@ -23,11 +23,11 @@ import base64
 import binascii
 import re
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.common.text.converters import to_text, to_bytes
 from ._asn1 import serialize_asn1_string_as_der
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 try:
     import cryptography
     from cryptography import x509

plugins/module_utils/crypto/module_backends/certificate.py

@@ -11,11 +11,11 @@ __metaclass__ = type
 import abc
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.common import ArgumentSpec
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -15,12 +15,12 @@ import datetime
 import re
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     load_certificate,
     get_fingerprint_of_bytes,

plugins/module_utils/crypto/module_backends/certificate_ownca.py

@@ -10,11 +10,12 @@ __metaclass__ = type
 
 import os
 
-from distutils.version import LooseVersion
 from random import randrange
 
 from ansible.module_utils.common.text.converters import to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     OpenSSLBadPassphraseError,
 )

plugins/module_utils/crypto/module_backends/crl_info.py

@@ -9,10 +9,10 @@ __metaclass__ = type
 
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import missing_required_lib
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
     cryptography_oid_to_name,
 )

plugins/module_utils/crypto/module_backends/csr.py

@@ -12,12 +12,12 @@ import abc
 import binascii
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_text
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     OpenSSLObjectError,
     OpenSSLBadPassphraseError,

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -13,12 +13,12 @@ import abc
 import binascii
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     load_certificate_request,
     get_fingerprint_of_bytes,

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -12,12 +12,12 @@ import abc
 import base64
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     CRYPTOGRAPHY_HAS_X25519,
     CRYPTOGRAPHY_HAS_X25519_FULL,

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -12,12 +12,12 @@ __metaclass__ = type
 import abc
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     CRYPTOGRAPHY_HAS_ED25519,
     CRYPTOGRAPHY_HAS_ED448,

plugins/module_utils/crypto/module_backends/publickey_info.py

@@ -10,12 +10,12 @@ __metaclass__ = type
 import abc
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_native
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
     CRYPTOGRAPHY_HAS_X25519,
     CRYPTOGRAPHY_HAS_X448,

plugins/module_utils/openssh/backends/keypair_backend.py

@@ -21,12 +21,13 @@ __metaclass__ = type
 
 import abc
 import os
-from distutils.version import LooseVersion
 
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
     HAS_OPENSSH_SUPPORT,
     HAS_OPENSSH_PRIVATE_FORMAT,

plugins/module_utils/openssh/cryptography.py

@@ -20,10 +20,11 @@ __metaclass__ = type
 
 import os
 from base64 import b64encode, b64decode
-from distutils.version import LooseVersion
 from getpass import getuser
 from socket import gethostname
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 try:
     from cryptography import __version__ as CRYPTOGRAPHY_VERSION
     from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm

plugins/module_utils/version.py

@@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+"""Provide version object to compare version numbers."""
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+# Once we drop support for Ansible 2.9, ansible-base 2.10, and ansible-core 2.11, we can
+# remove the _version.py file, and replace the following import by
+#
+#     from ansible.module_utils.compat.version import LooseVersion
+
+from ._version import LooseVersion

plugins/modules/acme_account_info.py

@@ -54,7 +54,7 @@ EXAMPLES = '''
 - name: Check whether an account with the given account key exists
   community.crypto.acme_account_info:
     account_key_src: /etc/pki/cert/private/account.key
-    register: account_data
+  register: account_data
 - name: Verify that account exists
   assert:
     that:
@@ -70,7 +70,7 @@ EXAMPLES = '''
   acme_account_info:
     account_key_content: "{{ acme_account_key }}"
     account_uri: "{{ acme_account_uri }}"
-    register: account_data
+  register: account_data
 - name: Verify that account exists
   assert:
     that:

plugins/modules/acme_challenge_cert_helper.py

@@ -145,6 +145,8 @@ import traceback
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_text
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException
 
 from ansible_collections.community.crypto.plugins.module_utils.acme.io import (
@@ -164,7 +166,6 @@ try:
     import cryptography.x509
     import cryptography.x509.oid
     import ipaddress
-    from distutils.version import LooseVersion
     HAS_CRYPTOGRAPHY = (LooseVersion(cryptography.__version__) >= LooseVersion('1.3'))
     _cryptography_backend = cryptography.hazmat.backends.default_backend()
 except ImportError as dummy:

plugins/modules/certificate_complete_chain.py

@@ -124,6 +124,8 @@ import traceback
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     split_pem_list,
 )
@@ -140,7 +142,6 @@ try:
     import cryptography.hazmat.primitives.asymmetric.utils
     import cryptography.x509
     import cryptography.x509.oid
-    from distutils.version import LooseVersion
     HAS_CRYPTOGRAPHY = (LooseVersion(cryptography.__version__) >= LooseVersion('1.5'))
     _cryptography_backend = cryptography.hazmat.backends.default_backend()
 except ImportError as dummy:
@@ -237,12 +238,14 @@ class CertificateSet(object):
         self.module = module
         self.certificates = set()
         self.certificate_by_issuer = dict()
+        self.certificate_by_cert = dict()
 
     def _load_file(self, path):
         certs = load_PEM_list(self.module, path, fail_on_error=False)
         for cert in certs:
             self.certificates.add(cert)
             self.certificate_by_issuer[cert.cert.subject] = cert
+            self.certificate_by_cert[cert.cert] = cert
 
     def load(self, path):
         '''
@@ -274,6 +277,16 @@ def format_cert(cert):
     return str(cert.cert)
 
 
+def check_cycle(module, occured_certificates, next):
+    '''
+    Make sure that next is not in occured_certificates so far, and add it.
+    '''
+    next_cert = next.cert
+    if next_cert in occured_certificates:
+        module.fail_json(msg='Found cycle while building certificate chain')
+    occured_certificates.add(next_cert)
+
+
 def main():
     module = AnsibleModule(
         argument_spec=dict(
@@ -312,13 +325,19 @@ def main():
     # Try to complete chain
     current = chain[-1]
     completed = []
+    occured_certificates = set([cert.cert for cert in chain])
+    if current.cert in roots.certificate_by_cert:
+        # Don't try to complete the chain when it's already ending with a root certificate
+        current = None
     while current:
         root = roots.find_parent(current)
         if root:
+            check_cycle(module, occured_certificates, root)
             completed.append(root)
             break
         intermediate = intermediates.find_parent(current)
         if intermediate:
+            check_cycle(module, occured_certificates, intermediate)
             completed.append(intermediate)
             current = intermediate
         else:

plugins/modules/ecs_certificate.py

@@ -519,11 +519,11 @@ import re
 import time
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     write_file,
 )

plugins/modules/get_certificate.py

@@ -167,7 +167,6 @@ import base64
 import datetime
 import traceback
 
-from distutils.version import LooseVersion
 from os.path import isfile
 from socket import create_connection, setdefaulttimeout, socket
 from ssl import get_server_certificate, DER_cert_to_PEM_cert, CERT_NONE, CERT_REQUIRED
@@ -175,6 +174,8 @@ from ssl import get_server_certificate, DER_cert_to_PEM_cert, CERT_NONE, CERT_RE
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
     cryptography_oid_to_name,
     cryptography_get_extensions_from_cert,

plugins/modules/openssh_cert.py

@@ -258,11 +258,12 @@ info:
 '''
 
 import os
-from distutils.version import LooseVersion
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.common.text.converters import to_native, to_text
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import (
     KeygenCommand,
     OpensshModule,

plugins/modules/openssl_dhparam.py

@@ -128,11 +128,11 @@ import re
 import tempfile
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,

plugins/modules/openssl_pkcs12.py

@@ -239,11 +239,11 @@ import os
 import stat
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_native
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,

plugins/modules/openssl_publickey.py

@@ -182,11 +182,11 @@ publickey:
 import os
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,

plugins/modules/openssl_signature.py

@@ -96,9 +96,10 @@ signature:
 
 import os
 import traceback
-from distutils.version import LooseVersion
 import base64
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 MINIMAL_PYOPENSSL_VERSION = '0.11'
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.4'
 

plugins/modules/openssl_signature_info.py

@@ -96,9 +96,10 @@ valid:
 
 import os
 import traceback
-from distutils.version import LooseVersion
 import base64
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 MINIMAL_PYOPENSSL_VERSION = '0.11'
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.4'
 

plugins/modules/x509_crl.py

@@ -367,11 +367,11 @@ import base64
 import os
 import traceback
 
-from distutils.version import LooseVersion
-
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_text
 
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
+
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     write_file,
 )

tests/integration/targets/certificate_complete_chain/tasks/main.yml

@@ -4,6 +4,7 @@
 ####################################################################
 
 - block:
+
   - name: Make sure testhost directory exists
     file:
       path: '{{ remote_tmp_dir }}/files/'
@@ -13,68 +14,145 @@
     copy:
       src: '{{ role_path }}/files/'
       dest: '{{ remote_tmp_dir }}/files/'
-  - name: Find root for cert 1
+
+  - block:
+    - name: Find root for cert 1 using directory
+      certificate_complete_chain:
+        input_chain: '{{ fullchain | trim }}'
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots/'
+      register: cert1_root
+    - name: Verify root for cert 1
+      assert:
+        that:
+        - cert1_root.complete_chain | join('') == (fullchain ~ root)
+        - cert1_root.root == root
+    vars:
+      fullchain: "{{ lookup('file', 'cert1-fullchain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"
+
+  - block:
+    - name: Find rootchain for cert 1 using intermediate and root PEM
+      certificate_complete_chain:
+        input_chain: '{{ cert }}'
+        intermediate_certificates:
+        - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots.pem'
+      register: cert1_rootchain
+    - name: Verify rootchain for cert 1
+      assert:
+        that:
+        - cert1_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
+        - cert1_rootchain.chain[:-1] | join('') == chain
+        - cert1_rootchain.root == root
+    vars:
+      cert: "{{ lookup('file', 'cert1.pem', rstrip=False) }}"
+      chain: "{{ lookup('file', 'cert1-chain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert1-root.pem', rstrip=False) }}"
+
+  - block:
+    - name: Find root for cert 2 using directory
+      certificate_complete_chain:
+        input_chain: "{{ fullchain | trim }}"
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots/'
+      register: cert2_root
+    - name: Verify root for cert 2
+      assert:
+        that:
+        - cert2_root.complete_chain | join('') == (fullchain ~ root)
+        - cert2_root.root == root
+    vars:
+      fullchain: "{{ lookup('file', 'cert2-fullchain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"
+
+  - block:
+    - name: Find rootchain for cert 2 using intermediate and root PEM
+      certificate_complete_chain:
+        input_chain: '{{ cert }}'
+        intermediate_certificates:
+        - '{{ remote_tmp_dir }}/files/cert2-chain.pem'
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots.pem'
+      register: cert2_rootchain
+    - name: Verify rootchain for cert 2
+      assert:
+        that:
+        - cert2_rootchain.complete_chain | join('') == (cert ~ chain ~ root)
+        - cert2_rootchain.chain[:-1] | join('') == chain
+        - cert2_rootchain.root == root
+    vars:
+      cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
+      chain: "{{ lookup('file', 'cert2-chain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert2-root.pem', rstrip=False) }}"
+
+  - block:
+    - name: Find alternate rootchain for cert 2 using intermediate and root PEM
+      certificate_complete_chain:
+        input_chain: '{{ cert }}'
+        intermediate_certificates:
+        - '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots.pem'
+      register: cert2_rootchain_alt
+    - name: Verify rootchain for cert 2
+      assert:
+        that:
+        - cert2_rootchain_alt.complete_chain | join('') == (cert ~ chain ~ root)
+        - cert2_rootchain_alt.chain[:-1] | join('') == chain
+        - cert2_rootchain_alt.root == root
+    vars:
+      cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
+      chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
+
+  - block:
+    - name: Find alternate rootchain for cert 2 when complete chain is already presented to the module
+      certificate_complete_chain:
+        input_chain: '{{ cert ~ chain ~ root }}'
+        root_certificates:
+        - '{{ remote_tmp_dir }}/files/roots.pem'
+      register: cert2_complete_chain
+    - name: Verify rootchain for cert 2
+      assert:
+        that:
+        - cert2_complete_chain.complete_chain | join('') == (cert ~ chain ~ root)
+        - cert2_complete_chain.chain == []
+        - cert2_complete_chain.root == root
+    vars:
+      cert: "{{ lookup('file', 'cert2.pem', rstrip=False) }}"
+      chain: "{{ lookup('file', 'cert2-altchain.pem', rstrip=False) }}"
+      root: "{{ lookup('file', 'cert2-altroot.pem', rstrip=False) }}"
+
+  - name: Check failure when no intermediate certificate can be found
     certificate_complete_chain:
-      input_chain: '{{ lookup("file", "cert1-fullchain.pem", rstrip=False) }}'
-      root_certificates:
-      - '{{ remote_tmp_dir }}/files/roots/'
-    register: cert1_root
-  - name: Verify root for cert 1
-    assert:
-      that:
-      - cert1_root.complete_chain | join('') == (lookup('file', 'cert1.pem', rstrip=False) ~ lookup('file', 'cert1-chain.pem', rstrip=False) ~ lookup('file', 'cert1-root.pem', rstrip=False))
-      - cert1_root.root == lookup('file', 'cert1-root.pem', rstrip=False)
-  - name: Find rootchain for cert 1
-    certificate_complete_chain:
-      input_chain: '{{ lookup("file", "cert1.pem", rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert2.pem", rstrip=True) }}'
       intermediate_certificates:
       - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
       root_certificates:
       - '{{ remote_tmp_dir }}/files/roots.pem'
-    register: cert1_rootchain
-  - name: Verify rootchain for cert 1
+    register: cert2_no_intermediate
+    ignore_errors: true
+  - name: Verify failure
     assert:
       that:
-      - cert1_rootchain.complete_chain | join('') == (lookup('file', 'cert1.pem', rstrip=False) ~ lookup('file', 'cert1-chain.pem', rstrip=False) ~ lookup('file', 'cert1-root.pem', rstrip=False))
-      - cert1_rootchain.chain[:-1] | join('') == lookup('file', 'cert1-chain.pem', rstrip=False)
-      - cert1_rootchain.root == lookup('file', 'cert1-root.pem', rstrip=False)
-  - name: Find root for cert 2
+      - cert2_no_intermediate is failed
+      - "cert2_no_intermediate.msg.startswith('Cannot complete chain. Stuck at certificate ')"
+
+  - name: Check failure when infinite loop is found
     certificate_complete_chain:
-      input_chain: '{{ lookup("file", "cert2-fullchain.pem", rstrip=False) }}'
-      root_certificates:
-      - '{{ remote_tmp_dir }}/files/roots/'
-    register: cert2_root
-  - name: Verify root for cert 2
-    assert:
-      that:
-      - cert2_root.complete_chain | join('') == (lookup('file', 'cert2.pem', rstrip=False) ~ lookup('file', 'cert2-chain.pem', rstrip=False) ~ lookup('file', 'cert2-root.pem', rstrip=False))
-      - cert2_root.root == lookup('file', 'cert2-root.pem', rstrip=False)
-  - name: Find rootchain for cert 2
-    certificate_complete_chain:
-      input_chain: '{{ lookup("file", "cert2.pem", rstrip=False) }}'
+      input_chain: '{{ lookup("file", "cert2-fullchain.pem", rstrip=True) }}'
       intermediate_certificates:
-      - '{{ remote_tmp_dir }}/files/cert2-chain.pem'
-      root_certificates:
       - '{{ remote_tmp_dir }}/files/roots.pem'
-    register: cert2_rootchain
-  - name: Verify rootchain for cert 2
+      root_certificates:
+      - '{{ remote_tmp_dir }}/files/cert1-chain.pem'
+    register: cert2_infinite_loop
+    ignore_errors: true
+  - name: Verify failure
     assert:
       that:
-      - cert2_rootchain.complete_chain | join('') == (lookup('file', 'cert2.pem', rstrip=False) ~ lookup('file', 'cert2-chain.pem', rstrip=False) ~ lookup('file', 'cert2-root.pem', rstrip=False))
-      - cert2_rootchain.chain[:-1] | join('') == lookup('file', 'cert2-chain.pem', rstrip=False)
-      - cert2_rootchain.root == lookup('file', 'cert2-root.pem', rstrip=False)
-  - name: Find alternate rootchain for cert 2
-    certificate_complete_chain:
-      input_chain: '{{ lookup("file", "cert2.pem", rstrip=True) }}'
-      intermediate_certificates:
-      - '{{ remote_tmp_dir }}/files/cert2-altchain.pem'
-      root_certificates:
-      - '{{ remote_tmp_dir }}/files/roots.pem'
-    register: cert2_rootchain_alt
-  - name: Verify rootchain for cert 2
-    assert:
-      that:
-      - cert2_rootchain_alt.complete_chain | join('') == (lookup('file', 'cert2.pem', rstrip=False) ~ lookup('file', 'cert2-altchain.pem', rstrip=False) ~ lookup('file', 'cert2-altroot.pem', rstrip=False))
-      - cert2_rootchain_alt.chain[:-1] | join('') == lookup('file', 'cert2-altchain.pem', rstrip=False)
-      - cert2_rootchain_alt.root == lookup('file', 'cert2-altroot.pem', rstrip=False)
+      - cert2_infinite_loop is failed
+      - "cert2_infinite_loop.msg == 'Found cycle while building certificate chain'"
+
   when: cryptography_version.stdout is version('1.5', '>=')

tests/integration/targets/openssl_privatekey/tasks/impl.yml

@@ -303,11 +303,18 @@
     size: '{{ default_rsa_key_size }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: privatekey_mode_1
+
 - name: "({{ select_crypto_backend }}) Stat for privatekey_mode"
   stat:
     path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
   register: privatekey_mode_1_stat
 
+- name: "({{ select_crypto_backend }}) Collect file information"
+  community.internal_test_tools.files_collect:
+    files:
+      - path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
+  register: privatekey_mode_1_fileinfo
+
 - name: "({{ select_crypto_backend }}) Generate privatekey_mode (mode 0400, idempotency)"
   openssl_privatekey:
     path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
@@ -316,13 +323,6 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: privatekey_mode_2
 
-- name: Make sure that mtime actually changes.
-  # The "privatekey_mode_1_stat.stat.mtime != privatekey_mode_3_stat.stat.mtime" test should be
-  # changed to compare content instead of mtime. On macOS 10.15, mtime resolution is one second,
-  # and the machine (VM) is fast enough that both modifications can happen in the same second.
-  pause:
-    seconds: 1
-
 - name: "({{ select_crypto_backend }}) Generate privatekey_mode (mode 0400, force)"
   openssl_privatekey:
     path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
@@ -331,11 +331,17 @@
     size: '{{ default_rsa_key_size }}'
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: privatekey_mode_3
+
 - name: "({{ select_crypto_backend }}) Stat for privatekey_mode"
   stat:
     path: '{{ remote_tmp_dir }}/privatekey_mode.pem'
   register: privatekey_mode_3_stat
 
+- name: "({{ select_crypto_backend }}) Make sure that file changed"
+  community.internal_test_tools.files_diff:
+    state: '{{ privatekey_mode_1_fileinfo }}'
+  register: privatekey_mode_3_file_change
+
 - block:
   - name: "({{ select_crypto_backend }}) Generate privatekey_fmt_1 - auto format"
     openssl_privatekey:

tests/integration/targets/openssl_privatekey/tests/validate.yml

@@ -186,7 +186,7 @@
       - privatekey_mode_2 is not changed
       - privatekey_mode_3 is changed
       - privatekey_mode_3_stat.stat.mode == '0400'
-      - privatekey_mode_1_stat.stat.mtime != privatekey_mode_3_stat.stat.mtime
+      - privatekey_mode_3_file_change is changed
 
 - name: "({{ select_crypto_backend }}) Validate format 1"
   assert:

tests/requirements.yml

@@ -1,3 +1,4 @@
 integration_tests_dependencies:
 - community.general
+- community.internal_test_tools
 unit_tests_dependencies: []

tests/utils/shippable/shippable.sh

@@ -89,7 +89,7 @@ if [ "${test}" == "sanity/extra" ]; then
 fi
 
 # START: HACK install integration test dependencies
-if [ "${test}" == "sanity/extra" ]; then
+if [ "${script}" != "units" ] && [ "${script}" != "sanity" ] || [ "${test}" == "sanity/extra" ]; then
     # Nothing further should be added to this list.
     # This is to prevent modules or plugins in this collection having a runtime dependency on other collections.
     retry git clone --depth=1 --single-branch https://github.com/ansible-collections/community.internal_test_tools.git "${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/community/internal_test_tools"