From 3829873df868cde0a0e24433d03fdaab167feb9f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 28 Sep 2021 21:15:39 +0200 Subject: [PATCH 1/6] Remove deprecated redirects. --- meta/runtime.yml | 9 ++++----- plugins/modules/acme_account_facts.py | 1 - plugins/modules/openssl_certificate.py | 1 - plugins/modules/openssl_certificate_info.py | 1 - 4 files changed, 4 insertions(+), 8 deletions(-) delete mode 120000 plugins/modules/acme_account_facts.py delete mode 120000 plugins/modules/openssl_certificate.py delete mode 120000 plugins/modules/openssl_certificate_info.py diff --git a/meta/runtime.yml b/meta/runtime.yml index d31bccaef..422a9579f 100644 --- a/meta/runtime.yml +++ b/meta/runtime.yml @@ -12,20 +12,19 @@ action_groups: plugin_routing: modules: acme_account_facts: - deprecation: + tombstone: removal_version: 2.0.0 warning_text: The 'community.crypto.acme_account_facts' module has been renamed to 'community.crypto.acme_account_info'. openssl_certificate: - deprecation: + tombstone: removal_version: 2.0.0 warning_text: The 'community.crypto.openssl_certificate' module has been renamed to 'community.crypto.x509_certificate' openssl_certificate_info: - deprecation: + tombstone: removal_version: 2.0.0 warning_text: The 'community.crypto.openssl_certificate_info' module has been renamed to 'community.crypto.x509_certificate_info' module_utils: crypto.identify: - redirect: community.crypto.crypto.pem - deprecation: + tombstone: removal_version: 2.0.0 warning_text: The 'crypto/identify.py' module_utils has been renamed 'crypto/pem.py'. Please update your imports diff --git a/plugins/modules/acme_account_facts.py b/plugins/modules/acme_account_facts.py deleted file mode 120000 index ffd88bceb..000000000 --- a/plugins/modules/acme_account_facts.py +++ /dev/null @@ -1 +0,0 @@ -acme_account_info.py \ No newline at end of file 
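Review bot: The module_utils entry tombstoned at the end of this hunk is keyed `crypto.identify`, but the changelog fragment added in patch 3/6 announces the same removal as `crypto.info module utils`. The routing key and its `warning_text` (`crypto/identify.py`) agree with each other, so the changelog entry is presumably the typo and should read `crypto.identify module utils`. Because the tombstone turns the old import into a hard failure, users searching the release notes for the failing name would otherwise not find the entry.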
diff --git a/plugins/modules/openssl_certificate.py b/plugins/modules/openssl_certificate.py deleted file mode 120000 index 24768dc31..000000000 --- a/plugins/modules/openssl_certificate.py +++ /dev/null @@ -1 +0,0 @@ -x509_certificate.py \ No newline at end of file diff --git a/plugins/modules/openssl_certificate_info.py b/plugins/modules/openssl_certificate_info.py deleted file mode 120000 index 86aa4240c..000000000 --- a/plugins/modules/openssl_certificate_info.py +++ /dev/null @@ -1 +0,0 @@ -x509_certificate_info.py \ No newline at end of file From 8ec30480bd5cea37f0419b7e8da298041f6c46e8 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 28 Sep 2021 21:26:04 +0200 Subject: [PATCH 2/6] Remove deprecations. --- plugins/doc_fragments/acme.py | 16 +- plugins/doc_fragments/module_csr.py | 2 + plugins/module_utils/acme/__init__.py | 90 ------ plugins/module_utils/acme/_compatibility.py | 267 ------------------ plugins/module_utils/acme/acme.py | 14 +- plugins/module_utils/crypto/__init__.py | 92 ------ .../crypto/module_backends/csr.py | 7 +- plugins/modules/acme_account_info.py | 22 +- plugins/modules/x509_certificate.py | 4 - plugins/modules/x509_certificate_info.py | 3 - 10 files changed, 12 insertions(+), 505 deletions(-) delete mode 100644 plugins/module_utils/acme/__init__.py delete mode 100644 plugins/module_utils/acme/_compatibility.py delete mode 100644 plugins/module_utils/crypto/__init__.py diff --git a/plugins/doc_fragments/acme.py b/plugins/doc_fragments/acme.py index d69332dcc..59cedd618 100644 --- a/plugins/doc_fragments/acme.py +++ b/plugins/doc_fragments/acme.py 
@@ -74,10 +74,9 @@ class ModuleDocFragment(object): - "The ACME version of the endpoint." - "Must be C(1) for the classic Let's Encrypt and Buypass ACME endpoints, or C(2) for standardized ACME v2 endpoints." - - "The default value is C(1). Note that in community.crypto 2.0.0, this - option B(will be required) and will no longer have a default." - "The value C(1) is deprecated since community.crypto 2.0.0 and will be removed from community.crypto 3.0.0." + required: true type: int choices: [ 1, 2 ] acme_directory: @@ -87,22 +86,12 @@ class ModuleDocFragment(object): - "For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol). This will create technically correct, but untrusted certificates." - - "The default value is C(https://acme-staging.api.letsencrypt.org/directory). - Note that in community.crypto 2.0.0, this option B(will be required) and - will no longer have a default. Note that the default is the Let's Encrypt - staging server for the ACME v1 protocol, which is deprecated and will - be disabled in May 2021 (see - L(here,https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/7) - for details)." - "For Let's Encrypt, all staging endpoints can be found here: U(https://letsencrypt.org/docs/staging-environment/). For Buypass, all endpoints can be found here: U(https://community.buypass.com/t/63d4ay/buypass-go-ssl-endpoints)" - "For B(Let's Encrypt), the production directory URL for ACME v2 is - U(https://acme-v02.api.letsencrypt.org/directory). - (The production directory URL for ACME v1 is - U(https://acme-v01.api.letsencrypt.org/directory) and will be - disabled in July 2021.)" + U(https://acme-v02.api.letsencrypt.org/directory)." - "For B(Buypass), the production directory URL for ACME v2 and v1 is U(https://api.buypass.com/acme/directory)." - "For B(ZeroSSL), the production directory URL for ACME v2 is 
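Review bot: The `acme_directory` description keeps the context sentence `For safety reasons the default is set to the Let's Encrypt staging server (for the ACME v1 protocol).` in the `@@ -87,22 +86,12 @@` hunk, although the option no longer has a default once `required: true` is added for it in the next hunk of this file. A reader could still assume that leaving the option out falls back to the staging server. I would replace that entry with something like `- "This option has no default. Use a staging directory while testing; staging servers issue technically correct, but untrusted certificates."`. The DOCUMENTATION string this belongs to starts and ends outside the hunk.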
@@ -114,6 +103,7 @@ class ModuleDocFragment(object): L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose) to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated." + required: true type: str validate_certs: description: diff --git a/plugins/doc_fragments/module_csr.py b/plugins/doc_fragments/module_csr.py index 881240310..e9a025ace 100644 --- a/plugins/doc_fragments/module_csr.py +++ b/plugins/doc_fragments/module_csr.py @@ -46,6 +46,8 @@ class ModuleDocFragment(object): - This option will no longer accept unsupported values from community.crypto 2.0.0 on. type: int default: 1 + choices: + - 1 subject: description: - Key/value pairs that will be present in the subject name field of the certificate signing request. diff --git a/plugins/module_utils/acme/__init__.py b/plugins/module_utils/acme/__init__.py deleted file mode 100644 index b5d3d8243..000000000 --- a/plugins/module_utils/acme/__init__.py +++ /dev/null 
@@ -1,90 +0,0 @@ -# -*- coding: utf-8 -*- - -# Copyright: (c) 2016 Michael Gruener -# Copyright: (c) 2021 Felix Fontein -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - - -import base64 -import binascii -import copy -import datetime -import hashlib -import json -import locale -import os -import re -import shutil -import sys -import tempfile -import traceback - -from ansible.module_utils.basic import missing_required_lib -from ansible.module_utils.urls import fetch_url -from ansible.module_utils.six.moves.urllib.parse import unquote -from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes - -from ansible_collections.community.crypto.plugins.module_utils.acme.acme import ( - get_default_argspec, - ACMEDirectory, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import ( - CryptographyBackend, - CRYPTOGRAPHY_VERSION, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import ( - OpenSSLCLIBackend, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme._compatibility import ( - handle_standard_module_arguments, - set_crypto_backend, - HAS_CURRENT_CRYPTOGRAPHY, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme._compatibility import ACMELegacyAccount as ACMEAccount - -from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ModuleFailException - -from ansible_collections.community.crypto.plugins.module_utils.acme.io import ( - read_file, - write_file, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.utils import ( - nopad_b64, - pem_to_der, - process_links, -) - - -def openssl_get_csr_identifiers(openssl_binary, module, csr_filename, csr_content=None): - module.deprecate( - 'Please adjust your custom module/plugin to the ACME 
module_utils refactor ' - '(https://github.com/ansible-collections/community.crypto/pull/184). The ' - 'compatibility layer will be removed in community.crypto 2.0.0, thus breaking ' - 'your code', version='2.0.0', collection_name='community.crypto') - return OpenSSLCLIBackend(module, openssl_binary=openssl_binary).get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content) - - -def cryptography_get_csr_identifiers(module, csr_filename, csr_content=None): - module.deprecate( - 'Please adjust your custom module/plugin to the ACME module_utils refactor ' - '(https://github.com/ansible-collections/community.crypto/pull/184). The ' - 'compatibility layer will be removed in community.crypto 2.0.0, thus breaking ' - 'your code', version='2.0.0', collection_name='community.crypto') - return CryptographyBackend(module).get_csr_identifiers(csr_filename=csr_filename, csr_content=csr_content) - - -def cryptography_get_cert_days(module, cert_file, now=None): - module.deprecate( - 'Please adjust your custom module/plugin to the ACME module_utils refactor ' - '(https://github.com/ansible-collections/community.crypto/pull/184). The ' - 'compatibility layer will be removed in community.crypto 2.0.0, thus breaking ' - 'your code', version='2.0.0', collection_name='community.crypto') - return CryptographyBackend(module).get_cert_days(cert_filename=cert_file, now=now) diff --git a/plugins/module_utils/acme/_compatibility.py b/plugins/module_utils/acme/_compatibility.py deleted file mode 100644 index aab5e4afa..000000000 --- a/plugins/module_utils/acme/_compatibility.py +++ /dev/null 
@@ -1,267 +0,0 @@ -# -*- coding: utf-8 -*- - -# Copyright: (c) 2016 Michael Gruener -# Copyright: (c) 2021 Felix Fontein -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - - -import locale - -from ansible.module_utils.basic import missing_required_lib - -from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import HAS_CURRENT_CRYPTOGRAPHY as _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY - -from ansible_collections.community.crypto.plugins.module_utils.acme.backend_cryptography import ( - CryptographyBackend, - CRYPTOGRAPHY_VERSION, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.backend_openssl_cli import ( - OpenSSLCLIBackend, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.acme import ( - ACMEClient, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.account import ( - ACMEAccount, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.challenges import ( - create_key_authorization, -) - -from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ( - KeyParsingError, -) - - -HAS_CURRENT_CRYPTOGRAPHY = _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY - - -def set_crypto_backend(module): - ''' - Sets which crypto backend to use (default: auto detection). - - Does not care whether a new enough cryptoraphy is available or not. Must - be called before any real stuff is done which might evaluate - ``HAS_CURRENT_CRYPTOGRAPHY``. - ''' - global HAS_CURRENT_CRYPTOGRAPHY - - module.deprecate( - 'Please adjust your custom module/plugin to the ACME module_utils refactor ' - '(https://github.com/ansible-collections/community.crypto/pull/184). 
The ' - 'compatibility layer will be removed in community.crypto 2.0.0, thus breaking ' - 'your code', version='2.0.0', collection_name='community.crypto') - - # Choose backend - backend = module.params['select_crypto_backend'] - if backend == 'auto': - pass - elif backend == 'openssl': - HAS_CURRENT_CRYPTOGRAPHY = False - elif backend == 'cryptography': - if not _ORIGINAL_HAS_CURRENT_CRYPTOGRAPHY: - module.fail_json(msg=missing_required_lib('cryptography')) - HAS_CURRENT_CRYPTOGRAPHY = True - else: - module.fail_json(msg='Unknown crypto backend "{0}"!'.format(backend)) - # Inform about choices - if HAS_CURRENT_CRYPTOGRAPHY: - module.debug('Using cryptography backend (library version {0})'.format(CRYPTOGRAPHY_VERSION)) - return 'cryptography' - else: - module.debug('Using OpenSSL binary backend') - return 'openssl' - - -def handle_standard_module_arguments(module, needs_acme_v2=False): - ''' - Do standard module setup, argument handling and warning emitting. - ''' - backend = set_crypto_backend(module) - - if not module.params['validate_certs']: - module.warn( - 'Disabling certificate validation for communications with ACME endpoint. ' - 'This should only be done for testing against a local ACME server for ' - 'development purposes, but *never* for production purposes.' 
- ) - - if module.params['acme_version'] is None: - module.params['acme_version'] = 1 - module.deprecate("The option 'acme_version' will be required from community.crypto 2.0.0 on", - version='2.0.0', collection_name='community.crypto') - - if module.params['acme_directory'] is None: - module.params['acme_directory'] = 'https://acme-staging.api.letsencrypt.org/directory' - module.deprecate("The option 'acme_directory' will be required from community.crypto 2.0.0 on", - version='2.0.0', collection_name='community.crypto') - - if needs_acme_v2 and module.params['acme_version'] < 2: - module.fail_json(msg='The {0} module requires the ACME v2 protocol!'.format(module._name)) - - # AnsibleModule() changes the locale, so change it back to C because we rely on time.strptime() when parsing certificate dates. - module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C') - locale.setlocale(locale.LC_ALL, 'C') - - return backend - - -def get_compatibility_backend(module): - if HAS_CURRENT_CRYPTOGRAPHY: - return CryptographyBackend(module) - else: - return OpenSSLCLIBackend(module) - - -class ACMELegacyAccount(object): - ''' - ACME account object. Handles the authorized communication with the - ACME server. Provides access to account bound information like - the currently active authorizations and valid certificates - ''' - - def __init__(self, module): - module.deprecate( - 'Please adjust your custom module/plugin to the ACME module_utils refactor ' - '(https://github.com/ansible-collections/community.crypto/pull/184). 
The ' - 'compatibility layer will be removed in community.crypto 2.0.0, thus breaking ' - 'your code', version='2.0.0', collection_name='community.crypto') - backend = get_compatibility_backend(module) - self.client = ACMEClient(module, backend) - self.account = ACMEAccount(self.client) - self.key = self.client.account_key_file - self.key_content = self.client.account_key_content - self.uri = self.client.account_uri - self.key_data = self.client.account_key_data - self.jwk = self.client.account_jwk - self.jws_header = self.client.account_jws_header - self.directory = self.client.directory - - def get_keyauthorization(self, token): - ''' - Returns the key authorization for the given token - https://tools.ietf.org/html/rfc8555#section-8.1 - ''' - return create_key_authorization(self.client, token) - - def parse_key(self, key_file=None, key_content=None): - ''' - Parses an RSA or Elliptic Curve key file in PEM format and returns a pair - (error, key_data). - ''' - try: - return None, self.client.parse_key(key_file=key_file, key_content=key_content) - except KeyParsingError as e: - return e.msg, {} - - def sign_request(self, protected, payload, key_data, encode_payload=True): - return self.client.sign_request(protected, payload, key_data, encode_payload=encode_payload) - - def send_signed_request(self, url, payload, key_data=None, jws_header=None, parse_json_result=True, encode_payload=True): - ''' - Sends a JWS signed HTTP POST request to the ACME server and returns - the response as dictionary - https://tools.ietf.org/html/rfc8555#section-6.2 - - If payload is None, a POST-as-GET is performed. 
- (https://tools.ietf.org/html/rfc8555#section-6.3) - ''' - return self.client.send_signed_request( - url, - payload, - key_data=key_data, - jws_header=jws_header, - parse_json_result=parse_json_result, - encode_payload=encode_payload, - fail_on_error=False, - ) - - def get_request(self, uri, parse_json_result=True, headers=None, get_only=False, fail_on_error=True): - ''' - Perform a GET-like request. Will try POST-as-GET for ACMEv2, with fallback - to GET if server replies with a status code of 405. - ''' - return self.client.get_request( - uri, - parse_json_result=parse_json_result, - headers=headers, - get_only=get_only, - fail_on_error=fail_on_error, - ) - - def set_account_uri(self, uri): - ''' - Set account URI. For ACME v2, it needs to be used to sending signed - requests. - ''' - self.client.set_account_uri(uri) - self.uri = self.client.account_uri - - def get_account_data(self): - ''' - Retrieve account information. Can only be called when the account - URI is already known (such as after calling setup_account). - Return None if the account was deactivated, or a dict otherwise. - ''' - return self.account.get_account_data() - - def setup_account(self, contact=None, agreement=None, terms_agreed=False, - allow_creation=True, remove_account_uri_if_not_exists=False, - external_account_binding=None): - ''' - Detect or create an account on the ACME server. For ACME v1, - as the only way (without knowing an account URI) to test if an - account exists is to try and create one with the provided account - key, this method will always result in an account being present - (except on error situations). For ACME v2, a new account will - only be created if ``allow_creation`` is set to True. - - For ACME v2, ``check_mode`` is fully respected. For ACME v1, the - account might be created if it does not yet exist. - - Return a pair ``(created, account_data)``. Here, ``created`` will - be ``True`` in case the account was created or would be created - (check mode). 
``account_data`` will be the current account data, - or ``None`` if the account does not exist. - - The account URI will be stored in ``self.uri``; if it is ``None``, - the account does not exist. - - If specified, ``external_account_binding`` should be a dictionary - with keys ``kid``, ``alg`` and ``key`` - (https://tools.ietf.org/html/rfc8555#section-7.3.4). - - https://tools.ietf.org/html/rfc8555#section-7.3 - ''' - result = self.account.setup_account( - contact=contact, - agreement=agreement, - terms_agreed=terms_agreed, - allow_creation=allow_creation, - remove_account_uri_if_not_exists=remove_account_uri_if_not_exists, - external_account_binding=external_account_binding, - ) - self.uri = self.client.account_uri - return result - - def update_account(self, account_data, contact=None): - ''' - Update an account on the ACME server. Check mode is fully respected. - - The current account data must be provided as ``account_data``. - - Return a pair ``(updated, account_data)``, where ``updated`` is - ``True`` in case something changed (contact info updated) or - would be changed (check mode), and ``account_data`` the updated - account data. - - https://tools.ietf.org/html/rfc8555#section-7.3.2 - ''' - return self.account.update_account(account_data, contact=contact) diff --git a/plugins/module_utils/acme/acme.py b/plugins/module_utils/acme/acme.py index fa3baf991..384fb705b 100644 --- a/plugins/module_utils/acme/acme.py +++ b/plugins/module_utils/acme/acme.py 
@@ -328,8 +328,8 @@ def get_default_argspec(): account_key_content=dict(type='str', no_log=True), account_key_passphrase=dict(type='str', no_log=True), account_uri=dict(type='str'), - acme_directory=dict(type='str'), - acme_version=dict(type='int', choices=[1, 2]), + acme_directory=dict(type='str', required=True), + acme_version=dict(type='int', required=True, choices=[1, 2]), validate_certs=dict(type='bool', default=True), select_crypto_backend=dict(type='str', default='auto', choices=['auto', 'openssl', 'cryptography']), ) @@ -365,16 +365,6 @@ def create_backend(module, needs_acme_v2): 'development purposes, but *never* for production purposes.' ) - if module.params['acme_version'] is None: - module.params['acme_version'] = 1 - module.deprecate("The option 'acme_version' will be required from community.crypto 2.0.0 on", - version='2.0.0', collection_name='community.crypto') - - if module.params['acme_directory'] is None: - module.params['acme_directory'] = 'https://acme-staging.api.letsencrypt.org/directory' - module.deprecate("The option 'acme_directory' will be required from community.crypto 2.0.0 on", - version='2.0.0', collection_name='community.crypto') - if needs_acme_v2 and module.params['acme_version'] < 2: module.fail_json(msg='The {0} module requires the ACME v2 protocol!'.format(module._name)) diff --git a/plugins/module_utils/crypto/__init__.py b/plugins/module_utils/crypto/__init__.py deleted file mode 100644 index d25f955f3..000000000 --- a/plugins/module_utils/crypto/__init__.py +++ /dev/null 
@@ -1,92 +0,0 @@ -# -*- coding: utf-8 -*- -# -# (c) 2016, Yanis Guenane -# -# Ansible is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# Ansible is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Ansible. If not, see . - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - - -# THIS FILE IS FOR COMPATIBILITY ONLY! YOU SHALL NOT IMPORT IT! -# -# This fill will be removed eventually, so if you're using it, -# please stop doing so. - -from .basic import ( - CRYPTOGRAPHY_HAS_X25519, - CRYPTOGRAPHY_HAS_X25519_FULL, - CRYPTOGRAPHY_HAS_X448, - CRYPTOGRAPHY_HAS_ED25519, - CRYPTOGRAPHY_HAS_ED448, - HAS_CRYPTOGRAPHY, - OpenSSLObjectError, - OpenSSLBadPassphraseError, -) - -from .cryptography_crl import ( - REVOCATION_REASON_MAP, - REVOCATION_REASON_MAP_INVERSE, - cryptography_decode_revoked_certificate, -) - -from .cryptography_support import ( - cryptography_get_extensions_from_cert, - cryptography_get_extensions_from_csr, - cryptography_name_to_oid, - cryptography_oid_to_name, - cryptography_get_name, - cryptography_decode_name, - cryptography_parse_key_usage_params, - cryptography_get_basic_constraints, - cryptography_key_needs_digest_for_signing, - cryptography_compare_public_keys, -) - -from .pem import ( - identify_private_key_format, -) - -from .math import ( - binary_exp_mod, - simple_gcd, - quick_is_not_prime, - count_bits, -) - -from ._obj2txt import obj2txt as _obj2txt - -from ._objects_data import OID_MAP as _OID_MAP - -from ._objects import OID_LOOKUP as _OID_LOOKUP -from 
._objects import NORMALIZE_NAMES as _NORMALIZE_NAMES -from ._objects import NORMALIZE_NAMES_SHORT as _NORMALIZE_NAMES_SHORT - -from .support import ( - get_fingerprint_of_bytes, - get_fingerprint, - load_privatekey, - load_certificate, - load_certificate_request, - parse_name_field, - convert_relative_to_datetime, - get_relative_time_option, - select_message_digest, - OpenSSLObject, -) - -from ..io import ( - load_file_if_exists, - write_file, -) diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py index 17a7244ec..aae7193ec 100644 --- a/plugins/module_utils/crypto/module_backends/csr.py +++ b/plugins/module_utils/crypto/module_backends/csr.py @@ -561,11 +561,6 @@ def _check_signature(csr): def select_backend(module, backend): - if module.params['version'] != 1: - module.deprecate('The version option will only support allowed values from community.crypto 2.0.0 on. ' - 'Currently, only the value 1 is allowed by RFC 2986', - version='2.0.0', collection_name='community.crypto') - if backend == 'auto': # Detection what is possible can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION) @@ -595,7 +590,7 @@ def get_csr_argument_spec(): privatekey_path=dict(type='path'), privatekey_content=dict(type='str', no_log=True), privatekey_passphrase=dict(type='str', no_log=True), - version=dict(type='int', default=1), + version=dict(type='int', default=1, choices=[1]), subject=dict(type='dict'), country_name=dict(type='str', aliases=['C', 'countryName']), state_or_province_name=dict(type='str', aliases=['ST', 'stateOrProvinceName']), diff --git a/plugins/modules/acme_account_info.py b/plugins/modules/acme_account_info.py index c24aae8d4..e30dbcbb2 100644 --- a/plugins/modules/acme_account_info.py +++ b/plugins/modules/acme_account_info.py 
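Review bot: `version=dict(type='int', default=1, choices=[1])` in get_csr_argument_spec now rejects every other value at argument validation, but the same patch deletes the only in-code explanation of why. That explanation was the RFC 2986 reference in the deprecation message removed from select_backend. A one-line comment above the entry would keep the reason next to the restriction: `# RFC 2986 (section 4.1) only allows version 1`. Both functions continue outside their hunks.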
@@ -31,9 +31,8 @@ by the ACME server." - "A value of C(ignore) will not fetch the list of orders." - "If the value is not C(ignore) and the ACME server supports orders, the C(order_uris) - return value is always populated. The C(orders) return value currently depends on - whether this option is set to C(url_list) or C(object_list). In community.crypto 2.0.0, - it will only be returned if this option is set to C(object_list)." + return value is always populated. The C(orders) return value is only returned + if this option is set to C(object_list)." - "Currently, Let's Encrypt does not return orders, so the C(orders) result will always be empty." type: str @@ -125,12 +124,9 @@ orders: description: - "The list of orders." - - "If I(retrieve_orders) is C(url_list), this will be a list of URLs. In community.crypto 2.0.0, - this return value will no longer be returned for C(url_list)." - - "If I(retrieve_orders) is C(object_list), this will be a list of objects." type: list - #elements: ... depends on retrieve_orders - returned: if account exists, I(retrieve_orders) is not C(ignore), and server supports order listing + elements: dict + returned: if account exists, I(retrieve_orders) is C(object_list), and server supports order listing contains: status: description: The order's status. @@ -282,9 +278,6 @@ def main(): ), supports_check_mode=True, ) - if module._name in ('acme_account_facts', 'community.crypto.acme_account_facts'): - module.deprecate("The 'acme_account_facts' module has been renamed to 'acme_account_info'", - version='2.0.0', collection_name='community.crypto') backend = create_backend(module, True) try: 
@@ -313,13 +306,6 @@ def main(): if account_data.get('orders') and module.params['retrieve_orders'] != 'ignore': orders = get_orders_list(module, client, account_data['orders']) result['order_uris'] = orders - if module.params['retrieve_orders'] == 'url_list': - module.deprecate( - 'retrieve_orders=url_list now returns the order URI list as `order_uris`.' - ' Right now it also returns this list as `orders` for backwards compatibility,' - ' but this will stop in community.crypto 2.0.0', - version='2.0.0', collection_name='community.crypto') - result['orders'] = orders if module.params['retrieve_orders'] == 'object_list': result['orders'] = [get_order(client, order) for order in orders] module.exit_json(**result) diff --git a/plugins/modules/x509_certificate.py b/plugins/modules/x509_certificate.py index 9baee9195..ac6d3222b 100644 --- a/plugins/modules/x509_certificate.py +++ b/plugins/modules/x509_certificate.py @@ -371,10 +371,6 @@ def main(): supports_check_mode=True, ) - if module._name == 'community.crypto.openssl_certificate': - module.deprecate("The 'community.crypto.openssl_certificate' module has been renamed to 'community.crypto.x509_certificate'", - version='2.0.0', collection_name='community.crypto') - try: if module.params['state'] == 'absent': certificate = CertificateAbsent(module) diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py index aca76960b..ae252df39 100644 --- a/plugins/modules/x509_certificate_info.py +++ b/plugins/modules/x509_certificate_info.py @@ -401,9 +401,6 @@ def main(): ), supports_check_mode=True, ) - if module._name == 'community.crypto.openssl_certificate_info': - module.deprecate("The 'community.crypto.openssl_certificate_info' module has been renamed to 'community.crypto.x509_certificate_info'", - version='2.0.0', collection_name='community.crypto') if module.params['content'] is not None: data = module.params['content'].encode('utf-8') 
From 97fec98028b156ec5da50e221db89249c0c0698f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 28 Sep 2021 21:31:25 +0200 Subject: [PATCH 3/6] Add changelog fragment. --- changelogs/fragments/290-remove-deprecations.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 changelogs/fragments/290-remove-deprecations.yml diff --git a/changelogs/fragments/290-remove-deprecations.yml b/changelogs/fragments/290-remove-deprecations.yml new file mode 100644 index 000000000..d31f1dcd2 --- /dev/null +++ b/changelogs/fragments/290-remove-deprecations.yml 
@@ -0,0 +1,12 @@ +removed_features: + - "acme_* modules - the ``acme_version`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290)." + - "acme_* modules - the ``acme_directory`` option is now required (https://github.com/ansible-collections/community.crypto/pull/290)." + - "openssl_csr and openssl_csr_pipe - ``version`` now only accepts the (default) value 1 (https://github.com/ansible-collections/community.crypto/pull/290)." + - "acme_account_info - ``retrieve_orders=url_list`` no longer returns the return value ``orders``. Use the ``order_uris`` return value instead (https://github.com/ansible-collections/community.crypto/pull/290)." + - "acme_account_facts - the deprecated redirect has been removed. Use community.crypto.acme_account_info instead (https://github.com/ansible-collections/community.crypto/pull/290)." + - "openssl_certificate - the deprecated redirect has been removed. Use community.crypto.x509_certificate instead (https://github.com/ansible-collections/community.crypto/pull/290)." + - "openssl_certificate_info - the deprecated redirect has been removed. Use community.crypto.x509_certificate_info instead (https://github.com/ansible-collections/community.crypto/pull/290)." + - "crypto.info module utils - the deprecated redirect has been removed. Use ``crypto.pem`` instead (https://github.com/ansible-collections/community.crypto/pull/290)." +breaking_changes: + - "acme module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290)." + - "crypto module utils - removing compatibility code (https://github.com/ansible-collections/community.crypto/pull/290)." From 1f1d568fed25c5dd06ea0ed879f78d625a24790a Mon Sep 17 00:00:00 2001 
From: Felix Fontein Date: Tue, 28 Sep 2021 21:47:47 +0200 Subject: [PATCH 4/6] Add some forgotten pieces. --- .../targets/acme_certificate/tests/validate.yml | 8 ++------ tests/sanity/ignore-2.10.txt | 2 -- tests/sanity/ignore-2.11.txt | 2 -- tests/sanity/ignore-2.12.txt | 2 -- tests/sanity/ignore-2.13.txt | 2 -- tests/sanity/ignore-2.9.txt | 2 -- 6 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 tests/sanity/ignore-2.13.txt delete mode 100644 tests/sanity/ignore-2.9.txt diff --git a/tests/integration/targets/acme_certificate/tests/validate.yml b/tests/integration/targets/acme_certificate/tests/validate.yml index 4173e5ccc..a5ba56813 100644 --- a/tests/integration/targets/acme_certificate/tests/validate.yml +++ b/tests/integration/targets/acme_certificate/tests/validate.yml @@ -167,21 +167,17 @@ assert: that: - "'account' in account_orders_urls" - - "'orders' in account_orders_urls" - - "account_orders_urls.orders[0] is string" + - "'orders' not in account_orders_urls" - "'order_uris' in account_orders_urls" - "account_orders_urls.order_uris[0] is string" - - "account_orders_urls.order_uris == account_orders_urls.orders" - name: Validate that orders were retrieved as list of URLs (2/2) assert: that: - "'account' in account_orders_urls2" - - "'orders' in account_orders_urls2" - - "account_orders_urls2.orders[0] is string" + - "'orders' not in account_orders_urls2" - "'order_uris' in account_orders_urls2" - "account_orders_urls2.order_uris[0] is string" - - "account_orders_urls2.order_uris == account_orders_urls2.orders" - name: Validate that orders were retrieved as list of objects (1/2) assert: diff --git a/tests/sanity/ignore-2.10.txt b/tests/sanity/ignore-2.10.txt index 1a7438356..53182707a 100644 --- a/tests/sanity/ignore-2.10.txt +++ b/tests/sanity/ignore-2.10.txt 
@@ -1,3 +1 @@ -plugins/module_utils/acme/__init__.py empty-init -plugins/module_utils/crypto/__init__.py empty-init plugins/modules/acme_account_info.py validate-modules:return-syntax-error diff --git a/tests/sanity/ignore-2.11.txt b/tests/sanity/ignore-2.11.txt index 1a7438356..53182707a 100644 --- a/tests/sanity/ignore-2.11.txt +++ b/tests/sanity/ignore-2.11.txt @@ -1,3 +1 @@ -plugins/module_utils/acme/__init__.py empty-init -plugins/module_utils/crypto/__init__.py empty-init plugins/modules/acme_account_info.py validate-modules:return-syntax-error diff --git a/tests/sanity/ignore-2.12.txt b/tests/sanity/ignore-2.12.txt index 1a7438356..53182707a 100644 --- a/tests/sanity/ignore-2.12.txt +++ b/tests/sanity/ignore-2.12.txt @@ -1,3 +1 @@ -plugins/module_utils/acme/__init__.py empty-init -plugins/module_utils/crypto/__init__.py empty-init plugins/modules/acme_account_info.py validate-modules:return-syntax-error diff --git a/tests/sanity/ignore-2.13.txt b/tests/sanity/ignore-2.13.txt deleted file mode 100644 index a70b6a551..000000000 --- a/tests/sanity/ignore-2.13.txt +++ /dev/null @@ -1,2 +0,0 @@ -plugins/module_utils/acme/__init__.py empty-init -plugins/module_utils/crypto/__init__.py empty-init diff --git a/tests/sanity/ignore-2.9.txt b/tests/sanity/ignore-2.9.txt deleted file mode 100644 index a70b6a551..000000000 --- a/tests/sanity/ignore-2.9.txt +++ /dev/null @@ -1,2 +0,0 @@ -plugins/module_utils/acme/__init__.py empty-init -plugins/module_utils/crypto/__init__.py empty-init From c6ddf071fef3ad0b751bb058b240a925136ec243 Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Sun, 10 Oct 2021 10:25:09 +0200 Subject: [PATCH 5/6] Bump version to 2.0.0. --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 78f24e9e0..c17b119f7 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,6 +1,6 @@ namespace: community name: crypto -version: 1.9.4 +version: 2.0.0 readme: README.md authors: - Ansible (github.com/ansible) 
From 01f19352ed75591c250c3eedc3bb1915e49c3b7a Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Tue, 12 Oct 2021 07:57:48 +0200 Subject: [PATCH 6/6] Fix formulation. --- plugins/doc_fragments/module_csr.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/doc_fragments/module_csr.py b/plugins/doc_fragments/module_csr.py index e9a025ace..2b749b910 100644 --- a/plugins/doc_fragments/module_csr.py +++ b/plugins/doc_fragments/module_csr.py @@ -43,7 +43,7 @@ class ModuleDocFragment(object): - The version of the certificate signing request. - "The only allowed value according to L(RFC 2986,https://tools.ietf.org/html/rfc2986#section-4.1) is 1." - - This option will no longer accept unsupported values from community.crypto 2.0.0 on. + - This option no longer accepts unsupported values since community.crypto 2.0.0. type: int default: 1 choices: