openssl_certificate: fix state=absent (#54298)

* Fix state=absent.

* Add changelog.

changelogs/fragments/54298-openssl_certificate-remove.yaml

@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_certificate - fix ``state=absent``."

lib/ansible/modules/crypto/openssl_certificate.py

@@ -691,6 +691,18 @@ class Certificate(crypto_utils.OpenSSLObject):
 
         return True
 
+    def dump(self, check_mode=False):
+        # Use only for absent
+
+        result = {
+            'changed': self.changed,
+            'filename': self.path,
+            'privatekey': self.privatekey_path,
+            'csr': self.csr_path
+        }
+
+        return result
+
 
 class SelfSignedCertificateCryptography(Certificate):
     """Generate the self-signed certificate, using the cryptography backend"""
@@ -1841,72 +1853,77 @@ def main():
         add_file_common_args=True,
     )
 
-    if module.params['provider'] != 'assertonly' and module.params['csr_path'] is None:
+    if module.params['state'] == 'absent':
-        module.fail_json(msg='csr_path is required when provider is not assertonly')
+        # backend doesn't matter
+        certificate = Certificate(module, 'cryptography')
 
-    base_dir = os.path.dirname(module.params['path']) or '.'
+    else:
-    if not os.path.isdir(base_dir):
+        if module.params['provider'] != 'assertonly' and module.params['csr_path'] is None:
-        module.fail_json(
+            module.fail_json(msg='csr_path is required when provider is not assertonly')
-            name=base_dir,
-            msg='The directory %s does not exist or the file is not a directory' % base_dir
-        )
 
-    provider = module.params['provider']
+        base_dir = os.path.dirname(module.params['path']) or '.'
+        if not os.path.isdir(base_dir):
+            module.fail_json(
+                name=base_dir,
+                msg='The directory %s does not exist or the file is not a directory' % base_dir
+            )
 
-    backend = module.params['select_crypto_backend']
+        provider = module.params['provider']
-    if backend == 'auto':
-        # Detect what backend we can use
-        can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
 
-        # If cryptography is available we'll use it
+        backend = module.params['select_crypto_backend']
-        if can_use_cryptography:
-            backend = 'cryptography'
-        elif can_use_pyopenssl:
-            backend = 'pyopenssl'
-
-        if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
-            module.warn('crypto backend forced to pyopenssl. The cryptography library does not support v2 certificates')
-            backend = 'pyopenssl'
-
-        # Fail if no backend has been found
         if backend == 'auto':
-            module.fail_json(msg=("Can't detect none of the required Python libraries "
+            # Detect what backend we can use
-                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
+            can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-                                      MINIMAL_CRYPTOGRAPHY_VERSION,
+            can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
-                                      MINIMAL_PYOPENSSL_VERSION))
 
-    if backend == 'pyopenssl':
+            # If cryptography is available we'll use it
-        if not PYOPENSSL_FOUND:
+            if can_use_cryptography:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
+                backend = 'cryptography'
-        if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']:
+            elif can_use_pyopenssl:
-            try:
+                backend = 'pyopenssl'
-                getattr(crypto.X509Req, 'get_extensions')
-            except AttributeError:
-                module.fail_json(msg='You need to have PyOpenSSL>=0.15')
 
-        if provider == 'selfsigned':
+            if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
-            certificate = SelfSignedCertificate(module)
+                module.warn('crypto backend forced to pyopenssl. The cryptography library does not support v2 certificates')
-        elif provider == 'acme':
+                backend = 'pyopenssl'
-            certificate = AcmeCertificate(module, 'pyopenssl')
+
-        elif provider == 'ownca':
+            # Fail if no backend has been found
-            certificate = OwnCACertificate(module)
+            if backend == 'auto':
-        else:
+                module.fail_json(msg=("Can't detect none of the required Python libraries "
-            certificate = AssertOnlyCertificate(module)
+                                      "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
-    elif backend == 'cryptography':
+                                          MINIMAL_CRYPTOGRAPHY_VERSION,
-        if not CRYPTOGRAPHY_FOUND:
+                                          MINIMAL_PYOPENSSL_VERSION))
-            module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+
-        if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
+        if backend == 'pyopenssl':
-            module.fail_json(msg='The cryptography backend does not support v2 certificates, '
+            if not PYOPENSSL_FOUND:
-                                 'use select_crypto_backend=pyopenssl for v2 certificates')
+                module.fail_json(msg=missing_required_lib('pyOpenSSL'), exception=PYOPENSSL_IMP_ERR)
-        if provider == 'selfsigned':
+            if module.params['provider'] in ['selfsigned', 'ownca', 'assertonly']:
-            certificate = SelfSignedCertificateCryptography(module)
+                try:
-        elif provider == 'acme':
+                    getattr(crypto.X509Req, 'get_extensions')
-            certificate = AcmeCertificate(module, 'cryptography')
+                except AttributeError:
-        elif provider == 'ownca':
+                    module.fail_json(msg='You need to have PyOpenSSL>=0.15')
-            certificate = OwnCACertificateCryptography(module)
+
-        else:
+            if provider == 'selfsigned':
-            certificate = AssertOnlyCertificateCryptography(module)
+                certificate = SelfSignedCertificate(module)
+            elif provider == 'acme':
+                certificate = AcmeCertificate(module, 'pyopenssl')
+            elif provider == 'ownca':
+                certificate = OwnCACertificate(module)
+            else:
+                certificate = AssertOnlyCertificate(module)
+        elif backend == 'cryptography':
+            if not CRYPTOGRAPHY_FOUND:
+                module.fail_json(msg=missing_required_lib('cryptography'), exception=CRYPTOGRAPHY_IMP_ERR)
+            if module.params['selfsigned_version'] == 2 or module.params['ownca_version'] == 2:
+                module.fail_json(msg='The cryptography backend does not support v2 certificates, '
+                                     'use select_crypto_backend=pyopenssl for v2 certificates')
+            if provider == 'selfsigned':
+                certificate = SelfSignedCertificateCryptography(module)
+            elif provider == 'acme':
+                certificate = AcmeCertificate(module, 'cryptography')
+            elif provider == 'ownca':
+                certificate = OwnCACertificateCryptography(module)
+            else:
+                certificate = AssertOnlyCertificateCryptography(module)
 
     if module.params['state'] == 'present':