From de2427beaf2ee8ace15c77dd5ce0021e85b3cfcb Mon Sep 17 00:00:00 2001 From: Matt Martz Date: Fri, 26 Jan 2018 10:48:08 -0600 Subject: [PATCH] Add transfer checksum verification in copy module (#35367) * Add transfer checksum verification in copy module, to ensure that the file was transferred to the remote successfully. Fixes #35029 * Guard on no checksum * Add version_added --- lib/ansible/modules/files/copy.py | 14 ++++++++++++++ lib/ansible/plugins/action/copy.py | 3 +++ 2 files changed, 17 insertions(+) diff --git a/lib/ansible/modules/files/copy.py b/lib/ansible/modules/files/copy.py index b9df3933741..ec9c0f857aa 100644 --- a/lib/ansible/modules/files/copy.py +++ b/lib/ansible/modules/files/copy.py @@ -83,6 +83,11 @@ options: type: bool default: 'yes' version_added: "2.4" + checksum: + description: + - SHA1 checksum of the file being transferred. Used to valdiate that the copy of the file was successful. + - If this is not provided, ansible will use the local calculated checksum of the src file. + version_added: '2.5' extends_documentation_fragment: - files - validate @@ -265,6 +270,7 @@ def main(): directory_mode=dict(type='raw'), remote_src=dict(type='bool'), local_follow=dict(type='bool'), + checksum=dict(), ), add_file_common_args=True, supports_check_mode=True, @@ -281,6 +287,7 @@ def main(): follow = module.params['follow'] mode = module.params['mode'] remote_src = module.params['remote_src'] + checksum = module.params['checksum'] if not os.path.exists(b_src): module.fail_json(msg="Source %s not found" % (src)) @@ -299,6 +306,13 @@ def main(): changed = False + if checksum and checksum_src != checksum: + module.fail_json( + msg='Copied file does not match the expected checksum. Transfer failed.', + checksum=checksum_src, + expected_checksum=checksum + ) + # Special handling for recursive copy - create intermediate dirs if original_basename and dest.endswith(os.sep): dest = os.path.join(dest, original_basename) 
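Review bot: The description added for the new `checksum` option in the first hunk misspells "validate" as `valdiate` and does not say what guarantee the value gives. SHA-1 is adequate for catching a truncated or corrupted transfer, but it is not collision-resistant. By default the expected value is the controller's own `local_checksum`, passed as a module argument in the action-plugin hunk, so the option should not be read as an authenticity or tamper check. I would reword the first bullet to `- SHA1 checksum (hex digest) of the file being transferred. Used to validate that the file reached the remote intact; it detects transfer corruption and is not a signature.`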
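Review bot: The guard added after `changed = False` compares `checksum_src != checksum` as exact strings, so a user-supplied digest in upper case or with stray whitespace fails with "Transfer failed" even when the file arrived intact. `checksum_src` is assigned outside this hunk; assuming it is a lowercase hex digest, the condition could normalise the parameter first, `if checksum and checksum_src != checksum.strip().lower():`. The message also blames the transfer when the cause may be a wrong expected value supplied in the task. The diffstat lists only the two `copy.py` files, so no test for the mismatch path is visible. `main()` begins and ends outside the hunk.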
diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py index 45b639b5ace..a9901a4cd5b 100644 --- a/lib/ansible/plugins/action/copy.py +++ b/lib/ansible/plugins/action/copy.py @@ -291,6 +291,9 @@ class ActionModule(ActionBase): original_basename=source_rel, ) ) + if not self._task.args.get('checksum'): + new_module_args['checksum'] = local_checksum + if lmode: new_module_args['mode'] = lmode
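Review bot: When the task supplies its own `checksum`, nothing in this hunk compares it with `local_checksum` on the controller, so a wrong expected value is only discovered by the module after the file has been uploaded. `local_checksum` and `new_module_args` are defined outside the hunk, so this is inferred; if `local_checksum` is always set at this point, an `elif self._task.args['checksum'] != local_checksum:` branch that returns a failed result would catch the mismatch before the transfer. The falsy test also means an explicitly empty `checksum`, for example from a templated default, silently falls back to the local value rather than being rejected. A comment on the added lines would help, e.g. `# default the expected checksum to the controller-side SHA1 so the module can verify the upload`.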