crypto modules: Improve requirements / error messages (ansible#57868)

* Reformat requirements.

* Include Python lib versions in lib required error messages, if available.

* Update lib/ansible/modules/crypto/openssl_publickey.py

Co-Authored-By: MarkusTeufelberger <[email protected]>

* Add changelog.

changelogs/fragments/57868-crypto-improve-req-errors.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- "crypto modules - improve error messages when required Python library is missing."

lib/ansible/modules/crypto/get_certificate.py

@@ -44,8 +44,7 @@
   - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
 
 requirements:
-  - "python >= 2.6"
-  - "python-pyOpenSSL >= 0.15"
+  - "pyOpenSSL >= 0.15"
 '''
 
 RETURN = '''
@@ -153,7 +152,7 @@ def main():
     )
 
     if not pyopenssl_found:
-        module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+        module.fail_json(msg=missing_required_lib('pyOpenSSL >= 0.15'), exception=PYOPENSSL_IMP_ERR)
 
     if timeout:
         setdefaulttimeout(timeout)

lib/ansible/modules/crypto/openssl_certificate.py

@@ -1859,7 +1859,8 @@ def main():
 
             if backend == 'pyopenssl':
                 if not PYOPENSSL_FOUND:
-                    module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                    module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                     exception=PYOPENSSL_IMP_ERR)
                 if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']:
                     try:
                         getattr(crypto.X509Req, 'get_extensions')
@@ -1876,7 +1877,8 @@ def main():
                     certificate = AssertOnlyCertificate(module)
             elif backend == 'cryptography':
                 if not CRYPTOGRAPHY_FOUND:
-                    module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                    module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                     exception=CRYPTOGRAPHY_IMP_ERR)
                 if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
                     module.fail_json(msg='The cryptography backend does not support v2 certificates, '
                                          'use select_crypto_backend=pyopenssl for v2 certificates')

lib/ansible/modules/crypto/openssl_certificate_info.py

@@ -697,7 +697,8 @@ def main():
 
         if backend == 'pyopenssl':
             if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
             try:
                 getattr(crypto.X509Req, 'get_extensions')
             except AttributeError:
@@ -706,7 +707,8 @@ def main():
             certificate = CertificateInfoPyOpenSSL(module)
         elif backend == 'cryptography':
             if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
             certificate = CertificateInfoCryptography(module)
 
         result = certificate.get_info()

lib/ansible/modules/crypto/openssl_csr.py

@@ -896,15 +896,17 @@ def main():
     try:
         if backend == 'pyopenssl':
             if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
             try:
                 getattr(crypto.X509Req, 'get_extensions')
             except AttributeError:
                 module.fail_json(msg='You need to have PyOpenSSL>=0.15 to generate CSRs')
             csr = CertificateSigningRequestPyOpenSSL(module)
         elif backend == 'cryptography':
             if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
             csr = CertificateSigningRequestCryptography(module)
 
         if module.params['state'] == 'present':

lib/ansible/modules/crypto/openssl_csr_info.py

@@ -525,7 +525,8 @@ def main():
 
         if backend == 'pyopenssl':
             if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
             try:
                 getattr(crypto.X509Req, 'get_extensions')
             except AttributeError:
@@ -534,7 +535,8 @@ def main():
             certificate = CertificateSigningRequestInfoPyOpenSSL(module)
         elif backend == 'cryptography':
             if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
             certificate = CertificateSigningRequestInfoCryptography(module)
 
         result = certificate.get_info()

lib/ansible/modules/crypto/openssl_privatekey.py

@@ -671,11 +671,13 @@ def main():
     try:
         if backend == 'pyopenssl':
             if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
             private_key = PrivateKeyPyOpenSSL(module)
         elif backend == 'cryptography':
             if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
             private_key = PrivateKeyCryptography(module)
 
         if private_key.state == 'present':

lib/ansible/modules/crypto/openssl_privatekey_info.py

@@ -610,11 +610,13 @@ def main():
 
         if backend == 'pyopenssl':
             if not PYOPENSSL_FOUND:
-                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
+                                 exception=PYOPENSSL_IMP_ERR)
             privatekey = PrivateKeyInfoPyOpenSSL(module)
         elif backend == 'cryptography':
             if not CRYPTOGRAPHY_FOUND:
-                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+                module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
+                                 exception=CRYPTOGRAPHY_IMP_ERR)
             privatekey = PrivateKeyInfoCryptography(module)
 
         result = privatekey.get_info()

lib/ansible/modules/crypto/openssl_publickey.py

@@ -22,7 +22,8 @@
     - Keys are generated in PEM format.
     - This module works only if the version of PyOpenSSL is recent enough (> 16.0.0).
 requirements:
-    - python-pyOpenSSL
+    - pyOpenSSL
+    - cryptography (if I(format) is C(OpenSSH))
 author:
 - Yanis Guenane (@Spredzy)
 options:
@@ -149,14 +150,22 @@
 PYOPENSSL_IMP_ERR = None
 try:
     from OpenSSL import crypto
-    from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives import serialization as crypto_serialization
 except ImportError:
     PYOPENSSL_IMP_ERR = traceback.format_exc()
     pyopenssl_found = False
 else:
     pyopenssl_found = True
 
+CRYPTOGRAPHY_IMP_ERR = None
+try:
+    from cryptography.hazmat.backends import default_backend
+    from cryptography.hazmat.primitives import serialization as crypto_serialization
+except ImportError:
+    CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
+    cryptography_found = False
+else:
+    cryptography_found = True
+
 from ansible.module_utils import crypto as crypto_utils
 from ansible.module_utils._text import to_native, to_bytes
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
@@ -310,6 +319,8 @@ def main():
 
     if not pyopenssl_found:
         module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+    if module.params['format'] == 'OpenSSH' and not cryptography_found:
+        module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
 
     base_dir = os.path.dirname(module.params['path']) or '.'
     if not os.path.isdir(base_dir):