openssl_csr: deprecate version option (#63432)

* Deprecate openssl_csr's version.

* Add changelog.

* Change PR so that version will no longer accept values != 1 from 2.14 on.

* Make sure it is a string.
Felix Fontein 2019-10-17 10:42:05 +02:00 committed by GitHub
parent d00d0c81b3
commit ba686154b9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 1 deletions


@ -0,0 +1,4 @@
deprecated_features:
- "openssl_csr - all values for the ``version`` option except ``1`` are deprecated."
bugfixes:
- "openssl_csr - a warning is issued if an unsupported value for ``version`` is used for the ``cryptography`` backend."
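Review bot: The deprecated_features entry does not say when the deprecated values stop being accepted, while the porting guide and the module documentation in this same change both name Ansible 2.14. Add the release to the fragment, for example "... are deprecated and will no longer be accepted from Ansible 2.14 on", so the changelog can be read on its own.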


@ -51,7 +51,9 @@ The following modules no longer exist:
Deprecation notices Deprecation notices
------------------- -------------------
No notable changes The following functionality will be removed in Ansible 2.14. Please update update your playbooks accordingly.
* The :ref:`openssl_csr <openssl_csr_module>` module's option ``version`` no longer supports values other than ``1`` (the current only standardized CSR version).
Noteworthy module changes Noteworthy module changes
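Review bot: The added intro sentence has a duplicated word ("Please update update your playbooks accordingly."), and the bullet under it says the option "no longer supports values other than ``1``", which reads as if those values are already rejected. The rest of the change only deprecates them until 2.14, so word the bullet in the future tense, for example "will no longer support values other than ``1``".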


@ -58,6 +58,9 @@ options:
version: version:
description: description:
- The version of the certificate signing request. - The version of the certificate signing request.
- "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1)
is 1."
- This option will no longer accept unsupported values from Ansible 2.14 on.
type: int type: int
default: 1 default: 1
force: force:
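Review bot: Missing documentation in the last added description line: "unsupported values" is never defined, and the text does not say what happens today when a value other than 1 is passed. Say "values other than 1" explicitly and mention that the cryptography backend only supports version 1 and warns on anything else, since the option still has type int with no choices restriction and so accepts any integer.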
@ -755,6 +758,8 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
def __init__(self, module): def __init__(self, module):
super(CertificateSigningRequestCryptography, self).__init__(module) super(CertificateSigningRequestCryptography, self).__init__(module)
self.cryptography_backend = cryptography.hazmat.backends.default_backend() self.cryptography_backend = cryptography.hazmat.backends.default_backend()
if self.version != 1:
module.warn('The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)')
def _generate_csr(self): def _generate_csr(self):
csr = cryptography.x509.CertificateSigningRequestBuilder() csr = cryptography.x509.CertificateSigningRequestBuilder()
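Review bot: The warning added in __init__ does not tell the user what happens to the value they requested; it only states that the backend supports version 1. Include self.version in the message and state the outcome, so the log shows which value was passed and what the module did with it. Note also that a task using this backend with a value other than 1 now gets this warning in addition to the deprecation message raised in main(), so the two texts should not contradict each other.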
@ -1027,6 +1032,10 @@ def main():
supports_check_mode=True, supports_check_mode=True,
) )
if module.params['version'] != 1:
module.deprecate('The version option will only support allowed values from Ansible 2.14 on. '
'Currently, only the value 1 is allowed by RFC 2986', version='2.14')
base_dir = os.path.dirname(module.params['path']) or '.' base_dir = os.path.dirname(module.params['path']) or '.'
if not os.path.isdir(base_dir): if not os.path.isdir(base_dir):
module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir) module.fail_json(name=base_dir, msg='The directory %s does not exist or the file is not a directory' % base_dir)
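Review bot: The deprecation message in main() is circular ("will only support allowed values") and does not name the value that triggered it, and its second sentence lacks a closing period. A clearer wording would be along the lines of "Values other than 1 for the version option are deprecated and will be rejected from Ansible 2.14 on; 1 is the only value allowed by RFC 2986.", optionally including module.params['version'] so the offending value is visible in the output.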