uri - add ca_path parameter (#71979)

* add changelog fragment for #71979 (ca_path for uri) * add integration tests for ca_path in the uri module * return path of ca cert instead of its content * connect to port 444 on self_signed_host and use quay.io/ansible/http-test-container:1.3.0 * state that the certificate in ca_path is used for validation
2021-02-05 15:40:52 +01:00 · 2021-02-05 15:40:52 +01:00 · 8d6136eab9
commit 8d6136eab9
parent 82cdd7e735
4 changed files with 55 additions and 7 deletions
--- a/changelogs/fragments/71979_ca_path_for_uri.yaml
+++ b/changelogs/fragments/71979_ca_path_for_uri.yaml
@ -0,0 +1,2 @@
+minor_changes:
+  - uri - add ``ca_path`` argument to allow specification of a CA certificate (https://github.com/ansible/ansible/pull/71979).
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@ -923,9 +923,7 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                            to_native(f.read(), errors='surrogate_or_strict')
                        )
                    )
-                else:
-                    ca_certs.append(f.read())
-            return ca_certs, cadata, paths_checked
+            return self.ca_path, cadata, paths_checked

        if not HAS_SSLCONTEXT:
            paths_checked.append('/etc/ssl/certs')
--- a/lib/ansible/modules/uri.py
+++ b/lib/ansible/modules/uri.py
@ -141,6 +141,11 @@ options:
      - If I(client_cert) contains both the certificate and key, this option is not required.
    type: path
    version_added: '2.4'
+  ca_path:
+    description:
+      - PEM formatted file that contains a CA certificate to be used for validation
+    type: path
+    version_added: '2.11'
  src:
    description:
      - Path to file to be submitted to the remote server.
@ -548,13 +553,12 @@ def form_urlencoded(body):
    return body


-def uri(module, url, dest, body, body_format, method, headers, socket_timeout):
+def uri(module, url, dest, body, body_format, method, headers, socket_timeout, ca_path):
    # is dest is set and is a directory, let's check if we get redirected and
    # set the filename from that url
    redirected = False
    redir_info = {}
    r = {}
-
    src = module.params['src']
    if src:
        try:
@ -594,6 +598,7 @@ def uri(module, url, dest, body, body_format, method, headers, socket_timeout):

    resp, info = fetch_url(module, url, data=data, headers=headers,
                           method=method, timeout=socket_timeout, unix_socket=module.params['unix_socket'],
+                           ca_path=ca_path,
                           **kwargs)

    try:
@ -636,6 +641,7 @@ def main():
        headers=dict(type='dict', default={}),
        unix_socket=dict(type='path'),
        remote_src=dict(type='bool', default=False),
+        ca_path=dict(type='path', default=None),
    )

    module = AnsibleModule(
@ -658,7 +664,7 @@ def main():
    removes = module.params['removes']
    status_code = [int(x) for x in list(module.params['status_code'])]
    socket_timeout = module.params['timeout']
-
+    ca_path = module.params['ca_path']
    dict_headers = module.params['headers']

    if not re.match('^[A-Z]+$', method):
@ -702,7 +708,7 @@ def main():
    # Make the request
    start = datetime.datetime.utcnow()
    resp, content, dest = uri(module, url, dest, body, body_format, method,
-                              dict_headers, socket_timeout)
+                              dict_headers, socket_timeout, ca_path)
    resp['elapsed'] = (datetime.datetime.utcnow() - start).seconds
    resp['status'] = int(resp['status'])
    resp['changed'] = False
--- a/test/integration/targets/uri/tasks/main.yml
+++ b/test/integration/targets/uri/tasks/main.yml
@ -131,6 +131,48 @@
      - "stat_result.stat.exists == true"
      - "result.changed == true"

+- name: "get ca certificate {{ self_signed_host }}"
+  get_url:
+    url: "http://{{ httpbin_host }}/ca2cert.pem"
+    dest: "{{ remote_tmp_dir }}/ca2cert.pem"
+
+- name: test https fetch to a site with self signed certificate using ca_path
+  uri:
+    url: "https://{{ self_signed_host }}:444/"
+    dest: "{{ output_dir }}/self-signed_using_ca_path.html"
+    ca_path: "{{ remote_tmp_dir }}/ca2cert.pem"
+    validate_certs: yes
+  register: result
+
+- stat:
+    path: "{{ output_dir }}/self-signed_using_ca_path.html"
+  register: stat_result
+
+- name: Assert that the file was downloaded
+  assert:
+    that:
+      - "stat_result.stat.exists == true"
+      - "result.changed == true"
+
+- name: test https fetch to a site with self signed certificate without using ca_path
+  uri:
+    url: "https://{{ self_signed_host }}:444/"
+    dest: "{{ output_dir }}/self-signed-without_using_ca_path.html"
+    validate_certs: yes
+  register: result
+  ignore_errors: true
+
+- stat:
+    path: "{{ output_dir }}/self-signed-without_using_ca_path.html"
+  register: stat_result
+
+- name: Assure that https access to a host with self-signed certificate without providing ca_path fails
+  assert:
+    that:
+      - "stat_result.stat.exists == false"
+      - result is failed
+      - "'certificate verify failed' in result.msg"
+
 - name: test redirect without follow_redirects
  uri:
    url: 'https://{{ httpbin_host }}/redirect/2'