From ba686154b98194de04a0c37970a3b997394ab7be Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 17 Oct 2019 10:42:05 +0200
Subject: [PATCH] openssl_csr: deprecate version option (#63432)

* Deprecate openssl_csr's version.
* Add changelog.
* Change PR so that version will no longer accept values != 1 from 2.14 on.
* Make sure it is a string.
---
 changelogs/fragments/63432-openssl_csr-version.yml | 4 ++++
 docs/docsite/rst/porting_guides/porting_guide_2.10.rst | 4 +++-
 lib/ansible/modules/crypto/openssl_csr.py | 9 +++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/63432-openssl_csr-version.yml

diff --git a/changelogs/fragments/63432-openssl_csr-version.yml b/changelogs/fragments/63432-openssl_csr-version.yml
new file mode 100644
index 00000000000..c080a31fda1
--- /dev/null
+++ b/changelogs/fragments/63432-openssl_csr-version.yml
@@ -0,0 +1,4 @@
+deprecated_features:
+- "openssl_csr - all values for the ``version`` option except ``1`` are deprecated."
+bugfixes:
+- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend."
diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
index 716dcfc5651..1f5143aa413 100644
--- a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
@@ -51,7 +51,9 @@ The following modules no longer exist:
 Deprecation notices
 -------------------

-No notable changes
+The following functionality will be removed in Ansible 2.14. Please update update your playbooks accordingly.
+
+* The :ref:`openssl_csr ` module's option ``version`` no longer supports values other than ``1`` (the current only standardized CSR version).


 Noteworthy module changes
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index 84fbaa9cac2..07488117cab 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -58,6 +58,9 @@ options:
 version:
 description:
 - The version of the certificate signing request.
+ - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1)
+ is 1."
+ - This option will no longer accept unsupported values from Ansible 2.14 on.
 type: int
 default: 1
 force:
@@ -755,6 +758,8 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
 def __init__(self, module):
 super(CertificateSigningRequestCryptography, self).__init__(module)
 self.cryptography_backend = cryptography.hazmat.backends.default_backend()
+ if self.version != 1:
+ module.warn('The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)')

 def _generate_csr(self):
 csr = cryptography.x509.CertificateSigningRequestBuilder()
@@ -1027,6 +1032,10 @@ def main():
 supports_check_mode=True,
 )

+ if module.params['version'] != 1:
+ module.deprecate('The version option will only support allowed values from Ansible 2.14 on. '
+ 'Currently, only the value 1 is allowed by RFC 2986', version='2.14')
+
 base_dir = os.path.dirname(module.params['path']) or '.'
 if not os.path.isdir(base_dir):
 module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir)
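Review bot: The warning added to `CertificateSigningRequestCryptography.__init__` says the backend only supports version 1 but not what happens to the value the user passed, so a playbook author cannot tell whether the run still yields a standards-conformant version-1 CSR. If the builder in `_generate_csr` never receives `self.version` (its body continues outside this hunk, so this is inferred), the message should say so and name the value: `module.warn('The cryptography backend only supports version 1 (the only value allowed by RFC 2986); the requested version %s is ignored.' % self.version)`. The same condition also triggers the `module.deprecate` call added in `main()`, so users of this backend get two messages for one setting.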
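Review bot: The check added in `main()` only reports a non-1 `version`; it does not reject it, and nothing in the code marks what has to change at the 2.14 release. A comment above the check such as `# TODO(2.14): restrict version to choices=[1] in the argument spec and remove this deprecation` would make the removal findable. The message also lacks a final period and does not name the offending value; writing the second literal as `'Currently, only the value 1 is allowed by RFC 2986; got %s.' % module.params['version']` would fix both. The argument spec and the rest of `main()` lie outside the hunk.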