openssl_csr: deprecate version option (#63432)

* Deprecate openssl_csr's version. * Add changelog. * Change PR so that version will no longer accept values != 1 from 2.14 on. * Make sure it is a string.
2019-10-17 10:42:05 +02:00 · 2019-10-17 10:42:05 +02:00 · ba686154b9
commit ba686154b9
parent d00d0c81b3
3 changed files with 16 additions and 1 deletions
--- a/changelogs/fragments/63432-openssl_csr-version.yml
+++ b/changelogs/fragments/63432-openssl_csr-version.yml
@ -0,0 +1,4 @@
+deprecated_features:
+- "openssl_csr - all values for the ``version`` option except ``1`` are deprecated."
+bugfixes:
+- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend."
--- a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
@ -51,7 +51,9 @@ The following modules no longer exist:
 Deprecation notices
 -------------------

-No notable changes
+The following functionality will be removed in Ansible 2.14. Please update update your playbooks accordingly.
+
+* The :ref:`openssl_csr <openssl_csr_module>` module's option ``version`` no longer supports values other than ``1`` (the current only standardized CSR version).


 Noteworthy module changes
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@ -58,6 +58,9 @@ options:
    version:
        description:
            - The version of the certificate signing request.
+            - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1)
+               is 1."
+            - This option will no longer accept unsupported values from Ansible 2.14 on.
        type: int
        default: 1
    force:
@ -755,6 +758,8 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
    def __init__(self, module):
        super(CertificateSigningRequestCryptography, self).__init__(module)
        self.cryptography_backend = cryptography.hazmat.backends.default_backend()
+        if self.version != 1:
+            module.warn('The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)')

    def _generate_csr(self):
        csr = cryptography.x509.CertificateSigningRequestBuilder()
@ -1027,6 +1032,10 @@ def main():
        supports_check_mode=True,
    )

+    if module.params['version'] != 1:
+        module.deprecate('The version option will only support allowed values from Ansible 2.14 on. '
+                         'Currently, only the value 1 is allowed by RFC 2986', version='2.14')
+
    base_dir = os.path.dirname(module.params['path']) or '.'
    if not os.path.isdir(base_dir):
        module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir)