
Conversation

@jan-cerny (Collaborator)

We will align the check with the default contents of the /etc/crypto-policies/back-ends/gnutls.config on RHEL 8.10. We can do this because the order doesn't matter: VERS-* priority string keywords are order-independent; gnutls always prefers the higher versions. This is easier than trying to invent some complex regular expression that accounts for ordering.

Resolves: https://issues.redhat.com/browse/RHEL-1821
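To illustrate the order-independent comparison the PR description argues for, here is an added example (not code from the ComplianceAsCode project or from this PR): it reads the SYSTEM= priority string from a gnutls.config-style text, collects the VERS-* keywords into a set, keeps the remaining keywords in order, and compares against an expected string. The expected string and the sample inputs are constructed for this example and are not the real RHEL 8.10 defaults; treating only VERS-* keywords as order-insensitive is an assumption of the example.

```python
import re

# Constructed expected value; the real default lives in
# /etc/crypto-policies/back-ends/gnutls.config on the target system.
EXPECTED_SYSTEM = "NONE:+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:+AEAD:+SHA256:+SHA384"


def parse_system_priority(config_text):
    """Return the priority string assigned to SYSTEM=, or None if absent.

    Comments and blank lines are ignored, so an empty or comment-only file
    (the empty_policy scenario) yields None.
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^SYSTEM\s*=\s*(\S+)$", line)
        if m:
            return m.group(1)
    return None


def split_keywords(priority):
    """Split a priority string into (VERS-* keywords as a set, other keywords in order).

    VERS-* keywords are order-independent in GnuTLS (the highest enabled
    version is always preferred), so a set is the right comparison; the
    ordering of the remaining keywords is preserved (assumption of this example).
    """
    vers, other = set(), []
    for token in priority.split(":"):
        if token.lstrip("+-!").startswith("VERS-"):
            vers.add(token)
        else:
            other.append(token)
    return vers, other


def policy_matches(config_text, expected=EXPECTED_SYSTEM):
    """True when the SYSTEM= line matches the expected policy, VERS-* order aside."""
    actual = parse_system_priority(config_text)
    if actual is None:
        return False
    return split_keywords(actual) == split_keywords(expected)


def check_file(path="/etc/crypto-policies/back-ends/gnutls.config"):
    """File-level check; a missing file (the missing_file scenario) fails."""
    try:
        with open(path, encoding="utf-8") as fh:
            return policy_matches(fh.read())
    except FileNotFoundError:
        return False
```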

@jan-cerny jan-cerny added this to the 0.1.78 milestone Jul 11, 2025
@jan-cerny jan-cerny added the labels bugfix (Fixes to reported bugs), Update Rule (Issues or pull requests related to Rules updates) and RHEL8 (Red Hat Enterprise Linux 8 product related) on Jul 11, 2025
@qlty-cloud-legacy

Code Climate has analyzed commit 011690e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.7% (0.0% change).

View more on Code Climate.

@Mab879 Mab879 (Member) left a comment

I was able to reproduce the errors from the UBI 8 Automatus tests locally. Please take a look.

$ ./automatus.py rule --datastream ../build/ssg-rhel8-ds.xml --libvirt qemu:///system automatus_rhel8_10 --remediate-using ansible configure_gnutls_tls_crypto_policy
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/mburket/Developer/ComplianceAsCode/content/tests/logs/rule-custom-2025-07-11-1401/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
INFO - Script empty_policy.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'.
INFO - Script incorrect_policy.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'.
INFO - Script missing_file.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'.
INFO - Script correct.pass.sh using profile (all) OK

@jan-cerny (Collaborator, Author)

Hi @Mab879, I can't reproduce it on my machine. When I look at the logs from the CI job, the Ansible error looks like it has no connection with the changes in the PR. Do you have the same errors in your logs?

Here is part of configure_gnutls_tls_crypto_policy-incorrect_policy.fail.sh-remediation.verbose.log, and other remediation logs contain a very similar thing.

fatal: [localhost]: FAILED! => {
    "ansible_facts": {},
    "changed": false,
    "failed_modules": {
        "ansible.legacy.setup": {
            "ansible_facts": {
                "discovered_interpreter_python": "/usr/bin/python3"
            },
            "exception": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 44, in invoke_module\r\n    from ansible.module_utils import basic\r\n  File \"<frozen importlib._bootstrap>\", line 971, in _find_and_load\r\n  File \"<frozen importlib._bootstrap>\", line 951, in _find_and_load_unlocked\r\n  File \"<frozen importlib._bootstrap>\", line 894, in _find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1157, in find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1131, in _get_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1112, in _legacy_get_spec\r\n  File \"<frozen importlib._bootstrap>\", line 441, in spec_from_loader\r\n  File \"<frozen importlib._bootstrap_external>\", line 544, in spec_from_file_location\r\n  File \"/tmp/ansible_ansible.legacy.setup_payload_c0il_jcc/ansible_ansible.legacy.setup_payload.zip/ansible/module_utils/basic.py\", line 5\r\nSyntaxError: future feature annotations is not defined\r\n",
            "failed": true,
            "module_stderr": "OpenSSH_8.9p1 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 7703\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to localhost closed.\r\n",
            "module_stdout": "Traceback (most recent call last):\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 107, in <module>\r\n    _ansiballz_main()\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 99, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n  File \"/root/.ansible/tmp/ansible-tmp-1752247329.1946037-7696-11409458308488/AnsiballZ_setup.py\", line 44, in invoke_module\r\n    from ansible.module_utils import basic\r\n  File \"<frozen importlib._bootstrap>\", line 971, in _find_and_load\r\n  File \"<frozen importlib._bootstrap>\", line 951, in _find_and_load_unlocked\r\n  File \"<frozen importlib._bootstrap>\", line 894, in _find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1157, in find_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1131, in _get_spec\r\n  File \"<frozen importlib._bootstrap_external>\", line 1112, in _legacy_get_spec\r\n  File \"<frozen importlib._bootstrap>\", line 441, in spec_from_loader\r\n  File \"<frozen importlib._bootstrap_external>\", line 544, in spec_from_file_location\r\n  File \"/tmp/ansible_ansible.legacy.setup_payload_c0il_jcc/ansible_ansible.legacy.setup_payload.zip/ansible/module_utils/basic.py\", line 5\r\nSyntaxError: future feature annotations is not defined\r\n",
            "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
            "rc": 1,
            "warnings": [
                "Platform linux on host localhost is using the discovered Python interpreter at /usr/bin/python3, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.17/reference_appendices/interpreter_discovery.html for more information."
            ]
        }
    },
    "msg": "The following modules failed to execute: ansible.legacy.setup\n"
}

@jan-cerny (Collaborator, Author)

@Mab879 I have created a test PR with a harmless change to trigger Automatus tests for rule configure_gnutls_crypto_policy (#13722), and I see that in Automatus UBI 8 it has the same failure as here; if I go to the logs I can see the same Ansible error. That means it isn't caused by the contents of this PR.

Allegedly this error is caused by a Python version incompatibility between the controller (where the ansible-playbook command runs) and the target system (in this case the UBI 8 container). I think we need to look into changing the Automatus UBI 8 configuration in general.

@Mab879 Mab879 self-assigned this Jul 18, 2025
@Mab879 Mab879 (Member) commented Jul 18, 2025

Thanks for investigating. Looks like I had an issue with my Python config in the Automatus VM.

@Mab879 Mab879 merged commit 177a498 into ComplianceAsCode:master Jul 18, 2025
126 of 133 checks passed