Fix main for new cryptography 37.0.0 release

.azure-pipelines/azure-pipelines.yml

@@ -368,7 +368,7 @@ stages:
  nameFormat: Python {0}
  testFormat: 2.9/cloud/{0}/1
  targets:
- - test: 3.5
+ - test: 2.7
 
  ## Finally
 

changelogs/fragments/445-fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+ - "Make collection more robust when PyOpenSSL is used with an incompatible cryptography version (https:/ansible-collections/community.crypto/pull/445)."

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -12,12 +12,11 @@
 import abc
 import binascii
 import datetime
-import re
 import traceback
 
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 

plugins/module_utils/crypto/module_backends/certificate_ownca.py

@@ -12,8 +12,6 @@
 
 from random import randrange
 
-from ansible.module_utils.common.text.converters import to_bytes
-
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
@@ -41,11 +39,6 @@
  CertificateProvider,
 )
 
-try:
- from OpenSSL import crypto
-except ImportError:
- pass
-
 try:
  import cryptography
  from cryptography import x509

plugins/module_utils/crypto/module_backends/certificate_selfsigned.py

@@ -12,8 +12,6 @@
 
 from random import randrange
 
-from ansible.module_utils.common.text.converters import to_bytes
-
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
  get_relative_time_option,
  select_message_digest,
@@ -31,11 +29,6 @@
  CertificateProvider,
 )
 
-try:
- from OpenSSL import crypto
-except ImportError:
- pass
-
 try:
  import cryptography
  from cryptography import x509

plugins/module_utils/crypto/module_backends/csr.py

@@ -14,7 +14,7 @@
 
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
+from ansible.module_utils.common.text.converters import to_native, to_text
 
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -15,13 +15,12 @@
 
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
  load_certificate_request,
- get_fingerprint_of_bytes,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -25,11 +25,9 @@
  CRYPTOGRAPHY_HAS_ED25519,
  CRYPTOGRAPHY_HAS_ED448,
  OpenSSLObjectError,
- OpenSSLBadPassphraseError,
 )
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
- load_privatekey,
  get_fingerprint_of_privatekey,
 )
 

plugins/module_utils/crypto/support.py

@@ -32,7 +32,7 @@
 try:
  from OpenSSL import crypto
  HAS_PYOPENSSL = True
-except ImportError:
+except (ImportError, AttributeError):
  # Error handled in the calling module.
  HAS_PYOPENSSL = False
 

plugins/module_utils/ecs/api.py

@@ -34,7 +34,6 @@
 import json
 import os
 import re
-import time
 import traceback
 
 from ansible.module_utils.common.text.converters import to_text, to_native

plugins/modules/openssh_cert.py

@@ -273,7 +273,7 @@
 import os
 
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.common.text.converters import to_native, to_text
+from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion
 

plugins/modules/openssl_pkcs12.py

@@ -276,7 +276,7 @@
  import OpenSSL
  from OpenSSL import crypto
  PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
+except (ImportError, AttributeError):
  PYOPENSSL_IMP_ERR = traceback.format_exc()
  PYOPENSSL_FOUND = False
 else:

plugins/modules/openssl_privatekey.py

@@ -142,7 +142,6 @@
 
 import os
 
-from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.io import (

plugins/modules/openssl_signature.py

@@ -123,7 +123,7 @@
  load_privatekey,
 )
 
-from ansible.module_utils.common.text.converters import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 
 

plugins/modules/openssl_signature_info.py

@@ -123,7 +123,7 @@
  load_certificate,
 )
 
-from ansible.module_utils.common.text.converters import to_native, to_bytes
+from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 
 

plugins/modules/x509_certificate_pipe.py

@@ -123,8 +123,6 @@
 '''
 
 
-import os
-
 from ansible.module_utils.common.text.converters import to_native
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (

tests/integration/targets/openssl_pkcs12/tests/validate.yml

@@ -83,4 +83,4 @@
  - p12_empty is changed
  - p12_empty_idem is not changed
  - p12_empty_concat_idem is not changed
- - empty_contents == (empty_expected_pyopenssl if select_crypto_backend == 'pyopenssl' else empty_expected_cryptography)
+ - (empty_contents == empty_expected_cryptography) or (empty_contents == empty_expected_pyopenssl and select_crypto_backend == 'pyopenssl')

tests/integration/targets/setup_python_info/vars/main.yml

@@ -70,3 +70,6 @@ cannot_upgrade_cryptography:
  - '3.8' # on the VMs in CI, system packages are used for this version as well
  '13.0':
  - '3.8' # on the VMs in CI, system packages are used for this version as well
+ Ubuntu:
+ '18':
+ - '3.9' # this is the default container for ansible-core 2.12; upgrading cryptography wrecks pyOpenSSL

tests/utils/constraints.txt

@@ -1,7 +1,8 @@
 coverage >= 4.2, < 5.0.0, != 4.3.2 ; python_version <= '3.7' # features in 4.2+ required, avoid known bug in 4.3.2 on python 2.6, coverage 5.0+ incompatible
 coverage >= 4.5.4, < 5.0.0 ; python_version > '3.7' # coverage had a bug in < 4.5.4 that would cause unit tests to hang in Python 3.8, coverage 5.0+ incompatible
 cryptography < 2.2 ; python_version < '2.7' # cryptography 2.2 drops support for python 2.6
-cryptography >= 3.0, < 3.4 ; python_version < '3.6' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.4 ; python_version < '3.5' # cryptography 3.4 drops support for python 2.7
+cryptography >= 3.0, < 3.3 ; python_version == '3.5' # cryptography 3.3 drops support for python 3.5
 urllib3 < 1.24 ; python_version < '2.7' # urllib3 1.24 and later require python 2.7 or later
 idna < 2.6, >= 2.5 # linode requires idna < 2.9, >= 2.5, requests requires idna < 2.6, but cryptography will cause the latest version to be installed instead
 requests < 2.20.0 ; python_version < '2.7' # requests 2.20.0 drops support for python 2.6