From a381c1bbd671172834015c62f50c7e7225efb827 Mon Sep 17 00:00:00 2001
From: Kamil Szczygiel
Date: Wed, 27 Jan 2016 20:41:28 +0100
Subject: [PATCH 1/3] added skip_ssl argument for VMware module to skip SSL verification (required when using self signed certificates)
---
 lib/ansible/module_utils/vmware.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/ansible/module_utils/vmware.py b/lib/ansible/module_utils/vmware.py
index 6eb612de744..ca0440a26c3 100644
--- a/lib/ansible/module_utils/vmware.py
+++ b/lib/ansible/module_utils/vmware.py
@@ -21,6 +21,7 @@ try:
 import atexit
 import time
+ import ssl
 # requests is required for exception handling of the ConnectionError
 import requests
 from pyVim import connect
@@ -104,6 +105,7 @@ def vmware_argument_spec():
 hostname=dict(type='str', required=True),
 username=dict(type='str', aliases=['user', 'admin'], required=True),
 password=dict(type='str', aliases=['pass', 'pwd'], required=True, no_log=True),
+ skip_ssl=dict(type='bool', required=False, default=False),
 )
@@ -112,8 +114,15 @@ def connect_to_api(module, disconnect_atexit=True):
 hostname = module.params['hostname']
 username = module.params['username']
 password = module.params['password']
+ skip_ssl = module.params['skip_ssl']
+
 try:
- service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
+ if skip_ssl:
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.verify_mode = ssl.CERT_NONE
+ service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password, sslContext=context)
+ else:
+ service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
 # Disabling atexit should be used in special cases only.
 # Such as IP change of the ESXi host which removes the connection anyway.
From fa13aa8c007ac7bb3534626d3312e05fee2c7190 Mon Sep 17 00:00:00 2001
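Review bot: The `skip_ssl` branch in the connect_to_api hunk disables more than the option name suggests and says so nowhere: a fresh `ssl.SSLContext` with `verify_mode = ssl.CERT_NONE` accepts any certificate and, with `check_hostname` left at its default, also skips hostname matching, so a `skip_ssl=true` run can be silently redirected to an impostor endpoint that then receives the vCenter credentials. A one-line comment above the context would make that trade-off explicit: `# CERT_NONE drops chain and hostname checks: any cert is accepted; self-signed labs only`. The new entry in vmware_argument_spec carries no description either, and since the other branch hands `connect.SmartConnect` no context, whether that path verifies anything at all presumably depends on the Python/pyVmomi version in use and is worth stating next to the option. connect_to_api's body continues past the end of the hunk.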
From: Kamil Szczygiel
Date: Tue, 2 Feb 2016 15:47:56 +0100
Subject: [PATCH 2/3] rename param from skip_ssl to validate_certs
---
 lib/ansible/module_utils/vmware.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/ansible/module_utils/vmware.py b/lib/ansible/module_utils/vmware.py
index ca0440a26c3..6bba123f26d 100644
--- a/lib/ansible/module_utils/vmware.py
+++ b/lib/ansible/module_utils/vmware.py
@@ -105,7 +105,7 @@ def vmware_argument_spec():
 hostname=dict(type='str', required=True),
 username=dict(type='str', aliases=['user', 'admin'], required=True),
 password=dict(type='str', aliases=['pass', 'pwd'], required=True, no_log=True),
- skip_ssl=dict(type='bool', required=False, default=False),
+ validate_certs=dict(type='bool', required=False, default=True),
 )
@@ -114,15 +114,15 @@ def connect_to_api(module, disconnect_atexit=True):
 hostname = module.params['hostname']
 username = module.params['username']
 password = module.params['password']
- skip_ssl = module.params['skip_ssl']
+ validate_certs = module.params['validate_certs']
 try:
- if skip_ssl:
+ if validate_certs:
+ service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
+ else:
 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 context.verify_mode = ssl.CERT_NONE
 service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password, sslContext=context)
- else:
- service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
 # Disabling atexit should be used in special cases only.
 # Such as IP change of the ESXi host which removes the connection anyway.
From 9f1eea43fa15aa6457e9b8bd099514ae8ada30d9 Mon Sep 17 00:00:00 2001
From: Kamil Szczygiel
Date: Tue, 9 Feb 2016 08:49:26 +0100
Subject: [PATCH 3/3] support for python < 2.7
---
 lib/ansible/module_utils/vmware.py | 31 +++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/lib/ansible/module_utils/vmware.py b/lib/ansible/module_utils/vmware.py
index 6bba123f26d..2f895801466 100644
--- a/lib/ansible/module_utils/vmware.py
+++ b/lib/ansible/module_utils/vmware.py
@@ -116,26 +116,27 @@ def connect_to_api(module, disconnect_atexit=True):
 password = module.params['password']
 validate_certs = module.params['validate_certs']
+ if validate_certs and not hasattr(ssl, 'SSLContext'):
+ module.fail_json(msg='pyVim does not support changing verification mode with python < 2.7.9. Either update python or or use validate_certs=false')
+
 try:
- if validate_certs:
- service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
- else:
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- context.verify_mode = ssl.CERT_NONE
- service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password, sslContext=context)
-
- # Disabling atexit should be used in special cases only.
- # Such as IP change of the ESXi host which removes the connection anyway.
- # Also removal significantly speeds up the return of the module
-
- if disconnect_atexit:
- atexit.register(connect.Disconnect, service_instance)
- return service_instance.RetrieveContent()
+ service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
 except vim.fault.InvalidLogin, invalid_login:
 module.fail_json(msg=invalid_login.msg, apierror=str(invalid_login))
 except requests.ConnectionError, connection_error:
- module.fail_json(msg="Unable to connect to vCenter or ESXi API on TCP/443.", apierror=str(connection_error))
+ if '[SSL: CERTIFICATE_VERIFY_FAILED]' in str(connection_error) and not validate_certs:
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.verify_mode = ssl.CERT_NONE
+ service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password, sslContext=context)
+ else:
+ module.fail_json(msg="Unable to connect to vCenter or ESXi API on TCP/443.", apierror=str(connection_error))
+ # Disabling atexit should be used in special cases only.
+ # Such as IP change of the ESXi host which removes the connection anyway.
+ # Also removal significantly speeds up the return of the module
+ if disconnect_atexit:
+ atexit.register(connect.Disconnect, service_instance)
+ return service_instance.RetrieveContent()
 def get_all_objs(content, vimtype):
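Review bot: The fallback `connect.SmartConnect(..., sslContext=context)` inside the `except requests.ConnectionError` branch runs outside the `try`, so when the unverified retry itself fails — a wrong password (`vim.fault.InvalidLogin`) or a second `ConnectionError` — the module dies with a raw traceback instead of `fail_json`. Keying the retry on the substring `'[SSL: CERTIFICATE_VERIFY_FAILED]'` is also fragile: it is tied to one OpenSSL/requests wording, and a hostname mismatch, the common failure with self-signed ESXi certificates, is presumably reported with different text and would then not be retried even with `validate_certs=false`. Choosing the context up front keeps a single connect attempt inside the existing handlers and removes the string match; the new `hasattr(ssl, 'SSLContext')` guard already covers Python < 2.7.9, and when it is absent and verification is off there is nothing to configure. The added `fail_json` message also reads "or or use". connect_to_api's signature is above the hunk.
```python
    if validate_certs and not hasattr(ssl, 'SSLContext'):
        module.fail_json(msg='pyVim does not support changing verification mode with python < 2.7.9. Either update python or use validate_certs=false')

    connect_kwargs = dict(host=hostname, user=username, pwd=password)
    if not validate_certs and hasattr(ssl, 'SSLContext'):
        # CERT_NONE drops chain and hostname checks: any certificate is accepted.
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.verify_mode = ssl.CERT_NONE
        connect_kwargs['sslContext'] = context

    try:
        service_instance = connect.SmartConnect(**connect_kwargs)
    # … unchanged: vim.fault.InvalidLogin handler …
    except requests.ConnectionError, connection_error:
        module.fail_json(msg="Unable to connect to vCenter or ESXi API on TCP/443.", apierror=str(connection_error))
    # … unchanged: atexit registration and RetrieveContent() …
```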