crypto modules: fix various errors in argument specs (#65633)

* Fix various errors in crypto module argument specs.

* Adjust PR #.

* Fix provider requirement.

* Make sure openssl binary is installed.

changelogs/fragments/65633-crypto-argspec-fixup.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - ``provider`` option was documented as required, but it was not checked whether it was provided. It is now only required when ``state`` is ``present``."

lib/ansible/modules/crypto/entrust/ecs_domain.py

@@ -383,7 +383,7 @@ def ecs_domain_argument_spec():
     return dict(
         client_id=dict(type='int', default=1),
         domain_name=dict(type='str', required=True),
-        verification_method=dict(type='str', choices=['dns', 'email', 'manual', 'web_server']),
+        verification_method=dict(type='str', required=True, choices=['dns', 'email', 'manual', 'web_server']),
         verification_email=dict(type='str'),
     )
 

lib/ansible/modules/crypto/openssh_cert.py

@@ -34,8 +34,8 @@ options:
     type:
         description:
             - Whether the module should generate a host or a user certificate.
+            - Required if I(state) is C(present).
         type: str
-        required: true
         choices: ['host', 'user']
     force:
         description:
@@ -50,29 +50,29 @@ options:
     signing_key:
         description:
             - The path to the private openssh key that is used for signing the public key in order to generate the certificate.
+            - Required if I(state) is C(present).
         type: path
-        required: true
     public_key:
         description:
             - The path to the public key that will be signed with the signing key in order to generate the certificate.
+            - Required if I(state) is C(present).
         type: path
-        required: true
     valid_from:
         description:
             - "The point in time the certificate is valid from. Time can be specified either as relative time or as absolute timestamp.
                Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | always)
                where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
                Note that if using relative time this module is NOT idempotent."
+            - Required if I(state) is C(present).
         type: str
-        required: true
     valid_to:
         description:
             - "The point in time the certificate is valid to. Time can be specified either as relative time or as absolute timestamp.
                Time will always be interpreted as UTC. Valid formats are: C([+-]timespec | YYYY-MM-DD | YYYY-MM-DDTHH:MM:SS | YYYY-MM-DD HH:MM:SS | forever)
                where timespec can be an integer + C([w | d | h | m | s]) (e.g. C(+32w1d2h).
                Note that if using relative time this module is NOT idempotent."
+            - Required if I(state) is C(present).
         type: str
-        required: true
     valid_at:
         description:
             - "Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated.

lib/ansible/modules/crypto/openssl_certificate.py

@@ -68,8 +68,8 @@ options:
               M(openssl_privatekey_info) and M(assert).
             - "The C(entrust) provider was added for Ansible 2.9 and requires credentials for the
                L(https://www.entrustdatacard.com/products/categories/ssl-certificates,Entrust Certificate Services) (ECS) API."
+            - Required if I(state) is C(present).
         type: str
-        required: true
         choices: [ acme, assertonly, entrust, ownca, selfsigned ]
 
     force:
@@ -2486,9 +2486,10 @@ def main():
         supports_check_mode=True,
         add_file_common_args=True,
         required_if=[
+            ['state', 'present', ['provider']],
             ['provider', 'entrust', ['entrust_requester_email', 'entrust_requester_name', 'entrust_requester_phone',
                                      'entrust_api_user', 'entrust_api_key', 'entrust_api_client_cert_path',
-                                     'entrust_api_client_cert_key_path']]
+                                     'entrust_api_client_cert_key_path']],
         ]
     )
 

lib/ansible/modules/crypto/openssl_publickey.py

@@ -58,8 +58,8 @@ options:
     privatekey_path:
         description:
             - Path to the TLS/SSL private key from which to generate the public key.
+            - Required if I(state) is C(present).
         type: path
-        required: true
     privatekey_passphrase:
         description:
             - The passphrase for the private key.

test/integration/targets/setup_openssl/tasks/main.yml

@@ -1,25 +1,31 @@
 ---
-- name: Incluse OS-specific variables
+- name: Include OS-specific variables
   include_vars: '{{ ansible_os_family }}.yml'
   when: not ansible_os_family == "Darwin"
 
-- name: Install pyOpenSSL
+- name: Install OpenSSL
+  become: True
+  package:
+    name: '{{ openssl_package_name }}'
+  when: not ansible_os_family == 'Darwin'
+
+- name: Install pyOpenSSL (Python 3)
   become: True
   package:
     name: '{{ pyopenssl_package_name_python3 }}'
-  when: not ansible_os_family == 'Darwin' and  ansible_python_version is version('3.0', '>=')
+  when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '>=')
 
-- name: Install pyOpenSSL
+- name: Install pyOpenSSL (Python 2)
   become: True
   package:
     name: '{{ pyopenssl_package_name }}'
   when: not ansible_os_family == 'Darwin' and ansible_python_version is version('3.0', '<')
 
-- name: Install pyOpenSSL
+- name: Install pyOpenSSL (Darwin)
   become: True
   pip:
     name: pyOpenSSL
-  when:  ansible_os_family == 'Darwin'
+  when: ansible_os_family == 'Darwin'
 
 - name: register pyOpenSSL version
   command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"

test/integration/targets/setup_openssl/vars/Debian.yml

@@ -1,2 +1,3 @@
 pyopenssl_package_name: python-openssl
 pyopenssl_package_name_python3: python3-openssl
+openssl_package_name: openssl

test/integration/targets/setup_openssl/vars/FreeBSD.yml

@@ -1,2 +1,3 @@
 pyopenssl_package_name: py27-openssl
 pyopenssl_package_name_python3: py36-openssl
+openssl_package_name: openssl

test/integration/targets/setup_openssl/vars/RedHat.yml

@@ -1,2 +1,3 @@
 pyopenssl_package_name: pyOpenSSL
 pyopenssl_package_name_python3: python3-pyOpenSSL
+openssl_package_name: openssl

test/integration/targets/setup_openssl/vars/Suse.yml

@@ -1,2 +1,3 @@
 pyopenssl_package_name: python-pyOpenSSL
 pyopenssl_package_name_python3: python3-pyOpenSSL
+openssl_package_name: openssl

test/sanity/ignore.txt

@@ -1694,10 +1694,6 @@ lib/ansible/modules/commands/command.py validate-modules:nonexistent-parameter-d
 lib/ansible/modules/commands/command.py validate-modules:undocumented-parameter
 lib/ansible/modules/commands/expect.py validate-modules:doc-missing-type
 lib/ansible/modules/crypto/acme/acme_account_info.py validate-modules:return-syntax-error
-lib/ansible/modules/crypto/entrust/ecs_domain.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssh_cert.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssl_certificate.py validate-modules:doc-required-mismatch
-lib/ansible/modules/crypto/openssl_publickey.py validate-modules:doc-required-mismatch
 lib/ansible/modules/database/influxdb/influxdb_database.py validate-modules:doc-default-does-not-match-spec
 lib/ansible/modules/database/influxdb/influxdb_database.py validate-modules:parameter-type-not-in-doc
 lib/ansible/modules/database/influxdb/influxdb_query.py validate-modules:doc-default-does-not-match-spec