Add transfer checksum verification in copy module (#35367)

* Add transfer checksum verification in copy module, to ensure that the file was transferred to the remote successfully. Fixes #35029 * Guard on no checksum * Add version_added
2018-01-26 10:48:08 -06:00 · 2018-01-26 10:48:08 -06:00 · de2427beaf
commit de2427beaf
parent e8633b7a22
2 changed files with 17 additions and 0 deletions
--- a/lib/ansible/modules/files/copy.py
+++ b/lib/ansible/modules/files/copy.py
@ -83,6 +83,11 @@ options:
    type: bool
    default: 'yes'
    version_added: "2.4"
+  checksum:
+    description:
+      - SHA1 checksum of the file being transferred. Used to valdiate that the copy of the file was successful.
+      - If this is not provided, ansible will use the local calculated checksum of the src file.
+    version_added: '2.5'
 extends_documentation_fragment:
    - files
    - validate
@ -265,6 +270,7 @@ def main():
            directory_mode=dict(type='raw'),
            remote_src=dict(type='bool'),
            local_follow=dict(type='bool'),
+            checksum=dict(),
        ),
        add_file_common_args=True,
        supports_check_mode=True,
@ -281,6 +287,7 @@ def main():
    follow = module.params['follow']
    mode = module.params['mode']
    remote_src = module.params['remote_src']
+    checksum = module.params['checksum']

    if not os.path.exists(b_src):
        module.fail_json(msg="Source %s not found" % (src))
@ -299,6 +306,13 @@ def main():

    changed = False

+    if checksum and checksum_src != checksum:
+        module.fail_json(
+            msg='Copied file does not match the expected checksum. Transfer failed.',
+            checksum=checksum_src,
+            expected_checksum=checksum
+        )
+
    # Special handling for recursive copy - create intermediate dirs
    if original_basename and dest.endswith(os.sep):
        dest = os.path.join(dest, original_basename)
--- a/lib/ansible/plugins/action/copy.py
+++ b/lib/ansible/plugins/action/copy.py
@ -291,6 +291,9 @@ class ActionModule(ActionBase):
                    original_basename=source_rel,
                )
            )
+            if not self._task.args.get('checksum'):
+                new_module_args['checksum'] = local_checksum
+
            if lmode:
                new_module_args['mode'] = lmode