Fix ValueError: excluded_subtrees must be a non-empty list or None

[lisongmin]

SUMMARY

Fixes excluded_subtrees must be a non-empty list or None

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

openssl_csr

ADDITIONAL INFORMATION

When config community.crypto.openssl_csr with name_constraints_permitted option, the error occur as follow:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: excluded_subtrees must be a non-empty list or None
fatal: [centos7-cert-1 -> localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):
  File \"/root/.ansible/tmp/ansible-tmp-1655431760.3878613-15371-172134621846530/AnsiballZ_openssl_csr.py\", line 107, in <module>
    _ansiballz_main()
  File \"/root/.ansible/tmp/ansible-tmp-1655431760.3878613-15371-172134621846530/AnsiballZ_openssl_csr.py\", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File \"/root/.ansible/tmp/ansible-tmp-1655431760.3878613-15371-172134621846530/AnsiballZ_openssl_csr.py\", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.crypto.plugins.modules.openssl_csr', init_globals=dict(_module_fqn='ansible_collections.community.crypto.plugins.modules.openssl_csr', _modlib_path=modlib_path),
  File \"/usr/lib/python3.10/runpy.py\", line 209, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File \"/usr/lib/python3.10/runpy.py\", line 96, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code
    exec(code, run_globals)
  File \"/tmp/ansible_community.crypto.openssl_csr_payload_0mr5hlnk/ansible_community.crypto.openssl_csr_payload.zip/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 348, in <module>
  File \"/tmp/ansible_community.crypto.openssl_csr_payload_0mr5hlnk/ansible_community.crypto.openssl_csr_payload.zip/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 337, in main
  File \"/tmp/ansible_community.crypto.openssl_csr_payload_0mr5hlnk/ansible_community.crypto.openssl_csr_payload.zip/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 281, in generate
  File \"/tmp/ansible_community.crypto.openssl_csr_payload_0mr5hlnk/ansible_community.crypto.openssl_csr_payload.zip/ansible_collections/community/crypto/plugins/module_utils/crypto/module_backends/csr.py\", line 347, in generate_csr
  File \"/usr/lib/python3.10/site-packages/cryptography/x509/extensions.py\", line 1274, in __init__
    raise ValueError(
ValueError: excluded_subtrees must be a non-empty list or None
", "module_stdout": "", "msg": "MODULE FAILURE
See stdout/stderr for the exact error", "rc": 1}

[felixfontein]

Thanks for your contribution! Could you please add a changelog fragment? Thanks.

You also need to adjust _check_nameConstraints; the lines

            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []

need to be changed to

            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees or []] if current_nc_ext else []
            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees or []] if current_nc_ext else []

[patchback]

Backport to stable-1: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-1/b29f238083602aad4e700215dc6e9230924fc1b5/pr-481

Backported as #482

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

[felixfontein]

@lisongmin thanks a lot for reporting and fixing this!