authorFelix Fontein <felix@fontein.de>2019-08-17 16:02:14 +0200
committerGitHub <noreply@github.com>2019-08-17 16:02:14 +0200
commit601a4b8f471ceb27b9bec3ba15f82312059a9d8d (patch)
tree823685be7c46423b1d0f10780727ee718708ff83 /test/integration/targets/get_certificate
parent38435e1bd020f2951290abf2495710c375e90d0c (diff)
get_certificate: add cryptography backend (#60599)
* Add cryptography backend for get_certificate. * Add changelog. * Use short names (if possible). * Adjust version (to behave as pyOpenSSL). * Work around bugs (needed for cryptography 1.2.3). * Don't run cryptography backend tests for CentOS 6. * Bump cryptography requirement to 1.6 or newer. Otherwise, signature_algorithm_oid isn't there, either. * Simplify requirement text. * CentOS 6 has cryptography 1.9, so we still need to block. * Add auto-detect test. * Improve YAML.
Diffstat (limited to 'test/integration/targets/get_certificate')
-rw-r--r--test/integration/targets/get_certificate/tasks/main.yml39
-rw-r--r--test/integration/targets/get_certificate/tests/validate.yml7
2 files changed, 45 insertions, 1 deletions
diff --git a/test/integration/targets/get_certificate/tasks/main.yml b/test/integration/targets/get_certificate/tasks/main.yml
index 827b852a84..ac06e1f8bb 100644
--- a/test/integration/targets/get_certificate/tasks/main.yml
+++ b/test/integration/targets/get_certificate/tasks/main.yml
@@ -1,5 +1,42 @@
+---
- block:
- - include_tasks: ../tests/validate.yml
+ - name: Get servers certificate with backend auto-detection
+ get_certificate:
+ host: "{{ httpbin_host }}"
+ port: 443
+
+ when: |
+ pyopenssl_version.stdout is version('0.15', '>=') or
+ (cryptography_version.stdout is version('1.6', '>=') and (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6))
+
+- block:
+
+ - include_tasks: ../tests/validate.yml
+ vars:
+ select_crypto_backend: pyopenssl
when: pyopenssl_version.stdout is version('0.15', '>=')
+
+- name: Remove output directory
+ file:
+ path: "{{ output_dir }}"
+ state: absent
+
+- name: Re-create output directory
+ file:
+ path: "{{ output_dir }}"
+ state: directory
+
+- block:
+
+ - include_tasks: ../tests/validate.yml
+ vars:
+ select_crypto_backend: cryptography
+
+ # The module doesn't work with CentOS 6. Since the pyOpenSSL installed there is too old,
+ # we never noticed before. This becomes a problem with the new cryptography backend,
+ # since there is a new enough cryptography version...
+ when: |
+ cryptography_version.stdout is version('1.6', '>=') and
+ (ansible_distribution != 'CentOS' or ansible_distribution_major_version|int > 6)
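Review bot: The new auto-detection task at the top of main.yml runs `get_certificate` without registering or checking its result, so the test only shows that the module did not error out, not that the auto-selected backend returned a usable certificate. I would add `register: result` to that task and follow it with an `assert` that `'-----BEGIN CERTIFICATE-----' in result.cert`. The CentOS 6 exclusion is also written out twice, in the first `when` and in the last one, and only the second copy carries the explanatory comment; computing it once with `set_fact`, or repeating the comment above the first `when`, would keep the two conditions from drifting apart. Indentation is flattened in this view, so which block each `when` belongs to is inferred.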
diff --git a/test/integration/targets/get_certificate/tests/validate.yml b/test/integration/targets/get_certificate/tests/validate.yml
index b0172e9695..5dec56c83b 100644
--- a/test/integration/targets/get_certificate/tests/validate.yml
+++ b/test/integration/targets/get_certificate/tests/validate.yml
@@ -1,7 +1,9 @@
+---
- name: Get servers certificate
get_certificate:
host: "{{ httpbin_host }}"
port: 443
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
- debug: var=result
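Review bot: `select_crypto_backend: "{{ select_crypto_backend }}"` makes the variable mandatory for every include of validate.yml, and nothing in the file says so. An include without `vars:` would now fail on an undefined variable instead of falling back to the module's own backend detection. Either default it, `select_crypto_backend: "{{ select_crypto_backend | default('auto') }}"`, or add a comment at the top of the file such as `# Requires: select_crypto_backend (pyopenssl or cryptography)`. The same line is added in the hunks at -18, -33, -48, -68 and -90, so the change is needed in all six tasks. The asserts that follow these tasks lie outside the hunks.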
@@ -18,6 +20,7 @@
get_certificate:
host: "{{ httpbin_host }}"
port: 80
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
ignore_errors: true
@@ -33,6 +36,7 @@
host: "{{ httpbin_host }}"
port: 1234
timeout: 1
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
ignore_errors: true
@@ -48,6 +52,7 @@
host: "{{ httpbin_host }}"
port: 443
ca_cert: dn.e
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
ignore_errors: true
@@ -68,6 +73,7 @@
ca_cert: '{{ output_dir }}/temp.pem'
host: "{{ httpbin_host }}"
port: 443
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
- assert:
@@ -90,6 +96,7 @@
ca_cert: '{{ my_temp_dir.path }}/bogus_ca.pem'
host: "{{ httpbin_host }}"
port: 443
+ select_crypto_backend: "{{ select_crypto_backend }}"
register: result
ignore_errors: true