crypto modules: Improve requirements / error messages (#57868)

* Reformat requirements. * Include Python lib versions in lib required error messages, if available. * Update lib/ansible/modules/crypto/openssl_publickey.py Co-Authored-By: MarkusTeufelberger <mteufelberger@mgit.at> * Add changelog.
5 years ago · 4188cd299b
parent 4ae99ab34f
commit 4188cd299b
9 changed files with 42 additions and 18 deletions
--- a/changelogs/fragments/57868-crypto-improve-req-errors.yml
+++ b/changelogs/fragments/57868-crypto-improve-req-errors.yml
@ -0,0 +1,2 @@
+bugfixes:
+- "crypto modules - improve error messages when required Python library is missing."
--- a/lib/ansible/modules/crypto/get_certificate.py
+++ b/lib/ansible/modules/crypto/get_certificate.py
@ -44,8 +44,7 @@ notes:
  - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.

 requirements:
-  - "python >= 2.6"
-  - "python-pyOpenSSL >= 0.15"
+  - "pyOpenSSL >= 0.15"
 '''

 RETURN = '''
@ -153,7 +152,7 @@ def main():
    )

    if not pyopenssl_found:
-        module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+        module.fail_json(msg=missing_required_lib('pyOpenSSL >= 0.15'), exception=PYOPENSSL_IMP_ERR)

    if timeout:
        setdefaulttimeout(timeout)
--- a/lib/ansible/modules/crypto/openssl_certificate.py
+++ b/lib/ansible/modules/crypto/openssl_certificate.py
@ -1859,7 +1859,8 @@ def main():

            if backend == 'pyopenssl':
                if not PYOPENSSL_FOUND:
-                    module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                    module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                     exception=PYOPENSSL_IMP_ERR)
                if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']:
                    try:
                        getattr(crypto.X509Req, 'get_extensions')
@ -1876,7 +1877,8 @@ def main():
                    certificate = AssertOnlyCertificate(module)
            elif backend == 'cryptography':
                if not CRYPTOGRAPHY_FOUND:
-                    module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                    module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                     exception=CRYPTOGRAPHY_IMP_ERR)
                if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
                    module.fail_json(msg='The cryptography backend does not support v2 certificates, '
                                         'use select_crypto_backend=pyopenssl for v2 certificates')
--- a/lib/ansible/modules/crypto/openssl_certificate_info.py
+++ b/lib/ansible/modules/crypto/openssl_certificate_info.py
@ -697,7 +697,8 @@ def main():

        if backend == 'pyopenssl':
            if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
            try:
                getattr(crypto.X509Req, 'get_extensions')
            except AttributeError:
@ -706,7 +707,8 @@ def main():
            certificate = CertificateInfoPyOpenSSL(module)
        elif backend == 'cryptography':
            if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
            certificate = CertificateInfoCryptography(module)

        result = certificate.get_info()
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@ -896,7 +896,8 @@ def main():
    try:
        if backend == 'pyopenssl':
            if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
            try:
                getattr(crypto.X509Req, 'get_extensions')
            except AttributeError:
@ -904,7 +905,8 @@ def main():
            csr = CertificateSigningRequestPyOpenSSL(module)
        elif backend == 'cryptography':
            if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
            csr = CertificateSigningRequestCryptography(module)

        if module.params['state'] == 'present':
--- a/lib/ansible/modules/crypto/openssl_csr_info.py
+++ b/lib/ansible/modules/crypto/openssl_csr_info.py
@ -525,7 +525,8 @@ def main():

        if backend == 'pyopenssl':
            if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
            try:
                getattr(crypto.X509Req, 'get_extensions')
            except AttributeError:
@ -534,7 +535,8 @@ def main():
            certificate = CertificateSigningRequestInfoPyOpenSSL(module)
        elif backend == 'cryptography':
            if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
            certificate = CertificateSigningRequestInfoCryptography(module)

        result = certificate.get_info()
--- a/lib/ansible/modules/crypto/openssl_privatekey.py
+++ b/lib/ansible/modules/crypto/openssl_privatekey.py
@ -671,11 +671,13 @@ def main():
    try:
        if backend == 'pyopenssl':
            if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
            private_key = PrivateKeyPyOpenSSL(module)
        elif backend == 'cryptography':
            if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
            private_key = PrivateKeyCryptography(module)

        if private_key.state == 'present':
--- a/lib/ansible/modules/crypto/openssl_privatekey_info.py
+++ b/lib/ansible/modules/crypto/openssl_privatekey_info.py
@ -610,11 +610,13 @@ def main():

        if backend == 'pyopenssl':
            if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
            privatekey = PrivateKeyInfoPyOpenSSL(module)
        elif backend == 'cryptography':
            if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
            privatekey = PrivateKeyInfoCryptography(module)

        result = privatekey.get_info()
--- a/lib/ansible/modules/crypto/openssl_publickey.py
+++ b/lib/ansible/modules/crypto/openssl_publickey.py
@ -22,7 +22,8 @@ description:
    - Keys are generated in PEM format.
    - This module works only if the version of PyOpenSSL is recent enough (> 16.0.0).
 requirements:
-    - python-pyOpenSSL
+    - pyOpenSSL
+    - cryptography (if I(format) is C(OpenSSH))
 author:
 - Yanis Guenane (@Spredzy)
 options:
@ -149,14 +150,22 @@ import traceback
 PYOPENSSL_IMP_ERR = None
 try:
    from OpenSSL import crypto
-    from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives import serialization as crypto_serialization
 except ImportError:
    PYOPENSSL_IMP_ERR = traceback.format_exc()
    pyopenssl_found = False
 else:
    pyopenssl_found = True

+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    from cryptography.hazmat.backends import default_backend
+    from cryptography.hazmat.primitives import serialization as crypto_serialization
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    cryptography_found = False
+else:
+    cryptography_found = True
+
 from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils._text import to_native, to_bytes
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
@ -310,6 +319,8 @@ def main():

    if not pyopenssl_found:
        module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+    if module.params['format'] == 'OpenSSH' and not cryptography_found:
+        module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)

    base_dir = os.path.dirname(module.params['path']) or '.'
    if not os.path.isdir(base_dir):