authorPhilippe Kueck <philfry@users.noreply.github.com>2021-12-10 11:53:21 +0100
committerGitHub <noreply@github.com>2021-12-10 11:53:21 +0100
commitaaa10cd506b9e08b78c9c36feeddbb46f6f6905d (patch)
tree4ebdd352daf9588ac52f779b321a22eb3fb67dd5
parent2058ea59915655d71bf5bd9d3f7e318ffec3c658 (diff)
downloadansible-aaa10cd506b9e08b78c9c36feeddbb46f6f6905d.tar.gz
plugins/dnf, plugins/yum: implement sslverify option (#76356)
-rw-r--r--changelogs/fragments/76356-yumdnf-sslverify.yml3
-rw-r--r--lib/ansible/module_utils/yumdnf.py2
-rw-r--r--lib/ansible/modules/dnf.py22
-rw-r--r--lib/ansible/modules/yum.py18
4 files changed, 38 insertions, 7 deletions
diff --git a/changelogs/fragments/76356-yumdnf-sslverify.yml b/changelogs/fragments/76356-yumdnf-sslverify.yml
new file mode 100644
index 0000000000..ae021b1085
--- /dev/null
+++ b/changelogs/fragments/76356-yumdnf-sslverify.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - yum, dnf - add sslverify option to temporarily disable certificate validation for a repository
diff --git a/lib/ansible/module_utils/yumdnf.py b/lib/ansible/module_utils/yumdnf.py
index 58827312bf..018f0d25ec 100644
--- a/lib/ansible/module_utils/yumdnf.py
+++ b/lib/ansible/module_utils/yumdnf.py
@@ -50,6 +50,7 @@ yumdnf_argument_spec = dict(
update_cache=dict(type='bool', default=False, aliases=['expire-cache']),
update_only=dict(required=False, default="no", type='bool'),
validate_certs=dict(type='bool', default=True),
+ sslverify=dict(type='bool', default=True),
lock_timeout=dict(type='int', default=30),
),
required_one_of=[['name', 'list', 'update_cache']],
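Review bot: The spec now carries two certificate-validation booleans side by side, `validate_certs` and the new `sslverify`, with nothing saying which transport each one governs, and the same pairing is repeated in the `__init__` hunk below. A maintainer will reasonably ask why one is not enough, so the distinction should be stated where the options are declared, e.g. `# sslverify: TLS validation for repository connections made by yum/dnf itself; validate_certs covers the module's own URL fetches` — presumably that is the split, but confirm against the callers before wording it.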
@@ -95,6 +96,7 @@ class YumDnf(with_metaclass(ABCMeta, object)):
self.update_only = self.module.params['update_only']
self.update_cache = self.module.params['update_cache']
self.validate_certs = self.module.params['validate_certs']
+ self.sslverify = self.module.params['sslverify']
self.lock_timeout = self.module.params['lock_timeout']
# It's possible someone passed a comma separated string since it used
diff --git a/lib/ansible/modules/dnf.py b/lib/ansible/modules/dnf.py
index 9b1faaa5f0..23764a4a62 100644
--- a/lib/ansible/modules/dnf.py
+++ b/lib/ansible/modules/dnf.py
@@ -172,6 +172,13 @@ options:
type: bool
default: "yes"
version_added: "2.7"
+ sslverify:
+ description:
+ - Disables SSL validation of the repository server for this transaction.
+ - This should be set to C(no) if one of the configured repositories is using an untrusted or self-signed certificate.
+ type: bool
+ default: "yes"
+ version_added: "2.13"
allow_downgrade:
description:
- Specify if the named package and version is allowed to downgrade
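Review bot: The description reads as inverted against the option's semantics: it opens with "Disables SSL validation" while the default is `"yes"`, and `sslverify: yes` keeps validation on. The first bullet should describe what the boolean means rather than what setting it to C(no) does, e.g. `- Whether to validate the SSL/TLS certificate of the repository server for this transaction.`; the second bullet already covers the C(no) case. The yum.py hunk adding the same `sslverify:` block carries identical wording and needs the same fix.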
@@ -587,7 +594,7 @@ class DnfModule(YumDnf):
results=[]
)
- def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/'):
+ def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True):
"""Configure the dnf Base object."""
conf = base.conf
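Review bot: The new `sslverify` parameter is not mentioned in the docstring, which still reads only "Configure the dnf Base object." A line such as `sslverify=False disables TLS certificate validation for every repository used in this transaction.` would tell a reader what the flag reaches; `_base` in the later hunk of this file gained the same parameter and its docstring is equally silent. The body of `_configure_base` continues outside the hunk.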
@@ -616,6 +623,9 @@ class DnfModule(YumDnf):
# Don't prompt for user confirmations
conf.assumeyes = True
+ # Set certificate validation
+ conf.sslverify = sslverify
+
# Set installroot
conf.installroot = installroot
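Review bot: `conf.sslverify = sslverify` is assigned unconditionally, so with the option defaulting to True the module now overwrites whatever `sslverify` value the loaded conf_file carried, including a deliberate site-wide setting; the yum.py hunk that assigns `self._yum_base.conf.sslverify` appears to do the same. If overriding the config file is intended, the comment should say so rather than the generic "Set certificate validation", e.g. `# Overrides sslverify from conf_file; False disables TLS certificate validation for every repo in this transaction`. If it is not intended, only the explicit-disable case should touch the config, mirroring the `--setopt` hunk in yum.py: `if not sslverify: conf.sslverify = False`. `_configure_base` starts and ends outside this hunk.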
@@ -686,10 +696,10 @@ class DnfModule(YumDnf):
for repo in repos.get_matching(repo_pattern):
repo.enable()
- def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot):
+ def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify):
"""Return a fully configured dnf Base object."""
base = dnf.Base()
- self._configure_base(base, conf_file, disable_gpg_check, installroot)
+ self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify)
try:
# this method has been supported in dnf-4.2.17-6 or later
# https://bugzilla.redhat.com/show_bug.cgi?id=1788212
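Review bot: `_base` takes `sslverify` as a required positional argument while `_configure_base` gives it a default of `True`; since every call site in this commit passes `self.sslverify` explicitly, the two signatures should agree, either by dropping the default from `_configure_base` or by giving `_base` the same `sslverify=True`. As written, a caller of `_base` elsewhere in the file that was not updated would fail with a TypeError, whereas a missed `_configure_base` caller would silently run with validation on — worth checking that no such caller exists outside the hunks shown. The body of `_base` continues outside the hunk.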
@@ -1350,7 +1360,7 @@ class DnfModule(YumDnf):
if self.update_cache and not self.names and not self.list:
self.base = self._base(
self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
)
self.module.exit_json(
msg="Cache updated",
@@ -1368,7 +1378,7 @@ class DnfModule(YumDnf):
if self.list:
self.base = self._base(
self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
)
self.list_items(self.list)
else:
@@ -1381,7 +1391,7 @@ class DnfModule(YumDnf):
)
self.base = self._base(
self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
)
if self.with_modules:
diff --git a/lib/ansible/modules/yum.py b/lib/ansible/modules/yum.py
index 53756a5bb7..ef0b314088 100644
--- a/lib/ansible/modules/yum.py
+++ b/lib/ansible/modules/yum.py
@@ -119,7 +119,13 @@ options:
type: bool
default: "yes"
version_added: "2.1"
-
+ sslverify:
+ description:
+ - Disables SSL validation of the repository server for this transaction.
+ - This should be set to C(no) if one of the configured repositories is using an untrusted or self-signed certificate.
+ type: bool
+ default: "yes"
+ version_added: "2.13"
update_only:
description:
- When using latest, only update installed packages. Do not install packages.
@@ -551,6 +557,11 @@ class YumModule(YumDnf):
if self.disable_excludes:
self._yum_base.conf.disable_excludes = self.disable_excludes
+ # setting conf.sslverify allows retrieving the repo's metadata
+ # without validating the certificate, but that does not allow
+ # package installation from a bad-ssl repo.
+ self._yum_base.conf.sslverify = self.sslverify
+
# A sideeffect of accessing conf is that the configuration is
# loaded and plugins are discovered
self.yum_base.conf
@@ -956,6 +967,11 @@ class YumModule(YumDnf):
if self.releasever:
cmd.extend(['--releasever=%s' % self.releasever])
+ # setting sslverify using --setopt is required as conf.sslverify only
+ # affects the metadata retrieval.
+ if not self.sslverify:
+ cmd.extend(['--setopt', 'sslverify=0'])
+
if self.module.check_mode:
self.module.exit_json(changed=True, results=res['results'], changes=dict(installed=pkgs))
else:
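Review bot: The `--setopt sslverify=0` argument is added to only one command list, the install path judging by `changes=dict(installed=pkgs)`, and the comment above it states that `conf.sslverify` alone does not cover package retrieval; if the module builds separate `cmd` lists for update/latest or remove elsewhere in the file, those transactions would still validate certificates despite `sslverify: no`, which is inconsistent with the option's description. A small helper that appends the setopt to any yum command, called from each builder, would keep the behaviour uniform; inferred from this hunk only, since the other builders are not visible. As a point of style, the neighbouring line uses the single-token form `'--releasever=%s'`, so `'--setopt=sslverify=0'` would read consistently. The enclosing function starts and ends outside the hunk.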