Adding OpenSSL/cryptography dependency for integration tests

tests/integration/targets/openssh_keypair/meta/main.yml

@@ -1,2 +1,3 @@
 dependencies:
   - setup_ssh_keygen
+  - setup_openssl

tests/integration/targets/openssh_keypair/tasks/main.yml

@@ -4,6 +4,9 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################
 
+# Bumps up cryptography and bcrypt versions to be compatible with OpenSSH >= 7.8
+- import_tasks: ./setup_cryptography.yml
+
 - name: Generate privatekey1 - standard (check mode)
   openssh_keypair:
     path: '{{ output_dir }}/privatekey1'
@@ -149,6 +152,7 @@
     size: 1024
     passphrase: "{{ passphrase }}"
   register: privatekey9_modified_result
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Generate another unprotected key
   openssh_keypair:
@@ -162,6 +166,8 @@
     passphrase: "{{ passphrase }}"
   ignore_errors: true
   register: privatekey10_result
+  when: cryptography_version.stdout is version('3.0', '>=')
+
 
 - name: Try to force modify the password protected key with force=true
   openssh_keypair:
@@ -170,20 +176,24 @@
     passphrase: "{{ passphrase }}"
     force: true
   register: privatekey10_result_force
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Ensure that ssh-keygen can read keys generated with passphrase
   command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
   register: privatekey10_result_sshkeygen
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Generate PEM encoded key with passphrase
   command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Try to verify a PEM encoded key
   openssh_keypair:
     path: '{{ output_dir }}/privatekey11'
     size: 2048
     passphrase: "{{ passphrase }}"
   register: privatekey11_result
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - import_tasks: ../tests/validate.yml
 
@@ -286,6 +296,8 @@
   loop: "{{ regenerate_values }}"
   ignore_errors: yes
   register: result
+  when: cryptography_version.stdout is version('3.0', '>=')
+
 - assert:
     that:
       - result.results[0] is success
@@ -294,6 +306,7 @@
       - result.results[2] is changed
       - result.results[3] is changed
       - result.results[4] is changed
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Regenerate - modify password protected keys
   openssh_keypair:
@@ -325,6 +338,8 @@
   loop: "{{ regenerate_values }}"
   ignore_errors: yes
   register: result
+  when: cryptography_version.stdout is version('3.0', '>=')
+
 - assert:
     that:
       - result.results[0] is success
@@ -333,6 +348,7 @@
       - result.results[2] is changed
       - result.results[3] is changed
       - result.results[4] is changed
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Regenerate - not modify regular keys (check mode)
   openssh_keypair:

tests/integration/targets/openssh_keypair/tasks/setup_cryptography.yml

@@ -0,0 +1,33 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Attempt to install dependencies for OpenSSH > 7.8
+  block:
+    - name: Ensure cryptography >= 3.0 available
+      become: true
+      pip:
+        name: cryptography>=3.0
+        extra_args: "-c {{ remote_constraints }}"
+
+    - name: Register cryptography version
+      command: "{{ ansible_python.executable }} -c 'import cryptography; print(cryptography.__version__)'"
+      register: cryptography_version
+
+    - name: Ensure bcrypt 3.1.5 available
+      become: true
+      pip:
+        name: bcrypt==3.1.5
+        extra_args: "-c {{ remote_constraints }}"
+
+    - name: Register bcrypt version
+      command: "{{ ansible_python.executable }} -c 'import bcrypt; print(bcrypt.__version__)'"
+      register: bcrypt_version
+  ignore_errors: true
+
+- name: Ensure bcrypt_version is defined
+  set_fact:
+    bcrypt_version: 0.0
+  when: bcrypt_version is not defined

tests/integration/targets/openssh_keypair/tests/validate.yml

@@ -143,24 +143,29 @@
   assert:
     that:
       - privatekey9_modified_result is changed
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Check that modifying unprotected key with passphrase fails
   assert:
     that:
       - privatekey10_result is failed
       - "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Check that unprotected key was regenerated with force=yes and passphrase supplied
   assert:
     that:
       - privatekey10_result_force is changed
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Check that ssh-keygen output from passphrase protected key matches openssh_keypair
   assert:
     that:
       - privatekey10_result_force.public_key == privatekey10_result_sshkeygen.stdout
+  when: cryptography_version.stdout is version('3.0', '>=')
 
 - name: Check that PEM encoded private keys are loaded successfully
   assert:
     that:
       - privatekey11_result is success
+  when: cryptography_version.stdout is version('3.0', '>=')