diff --git a/changelogs/fragments/ansible-test-no-cryptograpy-downgrade.yml b/changelogs/fragments/ansible-test-no-cryptograpy-downgrade.yml new file mode 100644 index 00000000000..94929c59b77 --- /dev/null +++ b/changelogs/fragments/ansible-test-no-cryptograpy-downgrade.yml @@ -0,0 +1,2 @@ +minor_changes: + - ansible-test - Installation of ``cryptography`` no longer occurs when it is already installed. This avoids downgrading existing OS packages. diff --git a/test/lib/ansible_test/_internal/executor.py b/test/lib/ansible_test/_internal/executor.py index 52669c1886d..aeebc9749fd 100644 --- a/test/lib/ansible_test/_internal/executor.py +++ b/test/lib/ansible_test/_internal/executor.py @@ -130,6 +130,16 @@ def get_openssl_version(args, python, python_version): # type: (EnvironmentConf return None +def is_cryptography_available(python): # type: (str) -> bool + """Return True if cryptography is available for the given python.""" + try: + raw_command([python, '-c', 'import cryptography'], capture=True) + except SubprocessError: + return False + + return True + + def get_setuptools_version(args, python): # type: (EnvironmentConfig, str) -> t.Tuple[int] """Return the setuptools version for the given python.""" try: @@ -153,6 +163,11 @@ def install_cryptography(args, python, python_version, pip): # type: (Environme # the installed version of setuptools affects the version of cryptography to install run_command(args, generate_pip_install(pip, '', packages=['setuptools'])) + # skip cryptography install if it is already available + # this avoids downgrading cryptography when OS packages provide a newer version than we are able to install using pip + if is_cryptography_available(python): + return + # install the latest cryptography version that the current requirements can support # use a custom constraints file to avoid the normal constraints file overriding the chosen version of cryptography # if not installed here later install commands may try to install an unsupported version due to the presence of older setuptools