authorRené Moser <mail@renemoser.net>2021-05-17 10:10:08 +0200
committerGitHub <noreply@github.com>2021-05-17 03:10:08 -0500
commita19d44ca7b428f8b45cefc9bf16f2ee6fd8f1fd5 (patch)
tree9e407b610b241ebc3d6e7586f4c6f62ef09cddf6
parentcf8df3faa4027b27cb21100b005d471afd81af48 (diff)
downloadansible-a19d44ca7b428f8b45cefc9bf16f2ee6fd8f1fd5.tar.gz
modules: get_url: Fix checksum binary validation (#74502) (#74675)
From the sha512sum man page: ... The default mode is to print a line with checksum, a character indicating type ('*' for binary, ' ' for text), and name for each FILE. (cherry picked from commit 403a5d147df7261537d5fb37c2474858b96de174)
-rw-r--r--changelogs/fragments/74502-get_url-filx-checksum-binary.yml2
-rw-r--r--lib/ansible/modules/get_url.py13
-rw-r--r--test/integration/targets/get_url/tasks/main.yml35
3 files changed, 47 insertions, 3 deletions
diff --git a/changelogs/fragments/74502-get_url-filx-checksum-binary.yml b/changelogs/fragments/74502-get_url-filx-checksum-binary.yml
new file mode 100644
index 0000000000..76ee656bba
--- /dev/null
+++ b/changelogs/fragments/74502-get_url-filx-checksum-binary.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - get_url - Fixed checksum validation for binary files (leading asterisk) in checksum files (https://github.com/ansible/ansible/pull/74502).
diff --git a/lib/ansible/modules/get_url.py b/lib/ansible/modules/get_url.py
index 572c12c9a6..314f7e1d40 100644
--- a/lib/ansible/modules/get_url.py
+++ b/lib/ansible/modules/get_url.py
@@ -511,14 +511,21 @@ def main():
os.remove(checksum_tmpsrc)
checksum_map = []
for line in lines:
- parts = line.split(None, 1)
+ # Split by one whitespace to keep the leading type char ' ' (whitespace) for text and '*' for binary
+ parts = line.split(" ", 1)
if len(parts) == 2:
- checksum_map.append((parts[0], parts[1]))
+ # Remove the leading type char, we expect
+ if parts[1].startswith((" ", "*",)):
+ parts[1] = parts[1][1:]
+
+ # Append checksum and path without potential leading './'
+ checksum_map.append((parts[0], parts[1].lstrip("./")))
+
filename = url_filename(url)
# Look through each line in the checksum file for a hash corresponding to
# the filename in the url, returning the first hash that is found.
- for cksum in (s for (s, f) in checksum_map if f.strip('./') == filename):
+ for cksum in (s for (s, f) in checksum_map if f == filename):
checksum = cksum
break
else:
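Review bot: `parts[1].lstrip("./")` in the `checksum_map.append` line strips every leading `.` and `/` character rather than the literal `./` prefix, so an entry for `.27617.txt` or `../27617.txt` is stored as `27617.txt` and its digest can be selected for a file it was not computed over. Because this list decides which hash the download is verified against, remove only the exact prefix, e.g. `name = parts[1][2:] if parts[1].startswith("./") else parts[1]`, and append `(parts[0], name)`. Separately, `line.split(" ", 1)` no longer accepts tab-separated lines that `split(None, 1)` handled; such lines now fail the `len(parts) == 2` test and are skipped without a message. The comment `# Remove the leading type char, we expect` breaks off mid-sentence and should be completed. `main()` starts and ends outside this hunk.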
diff --git a/test/integration/targets/get_url/tasks/main.yml b/test/integration/targets/get_url/tasks/main.yml
index a85a55871b..32da1d5118 100644
--- a/test/integration/targets/get_url/tasks/main.yml
+++ b/test/integration/targets/get_url/tasks/main.yml
@@ -367,6 +367,15 @@
30949cc401e30ac494d695ab8764a9f76aae17c5d73c67f65e9b558f47eff892 ./not_target1.txt
d0dbfc1945bc83bf6606b770e442035f2c4e15c886ee0c22fb3901ba19900b5b ./not_target2.txt
+- name: create sha256 checksum file of src with a * leading path
+ copy:
+ dest: '{{ files_dir }}/sha256sum_with_asterisk.txt'
+ content: |
+ b1b6ce5073c8fac263a8fc5edfffdbd5dec1980c784e09c5bc69f8fb6056f006. *27617.txt
+ b1b6ce5073c8fac263a8fc5edfffdbd5dec1980c784e09c5bc69f8fb6056f006. *71420.txt
+ 30949cc401e30ac494d695ab8764a9f76aae17c5d73c67f65e9b558f47eff892 *not_target1.txt
+ d0dbfc1945bc83bf6606b770e442035f2c4e15c886ee0c22fb3901ba19900b5b *not_target2.txt
+
- copy:
src: "testserver.py"
dest: "{{ remote_tmp_dir }}/testserver.py"
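Review bot: The `sha256sum_with_asterisk.txt` fixture only has bare names after the `*`, so nothing exercises the new prefix stripping on names that begin with `.` or `./`, and no entry is expected to be rejected. The assertions in the last hunk check only `is changed` and `stat.exists == true`, which covers the successful lookup but not that a lookalike name is refused. Consider a second checksum file whose only entry is `<digest-of-another-file> *.27617.txt` (placeholder digest), fetched by a task with `ignore_errors: true` and asserted with `is failed`, so the filename match is shown to be exact.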
@@ -423,6 +432,17 @@
path: "{{ remote_tmp_dir }}/27617sha256_with_dot.txt"
register: stat_result_sha256_with_dot
+- name: download src with sha256 checksum url with asterisk leading paths
+ get_url:
+ url: 'http://localhost:{{ http_port }}/27617.txt'
+ dest: '{{ remote_tmp_dir }}/27617sha256_with_asterisk.txt'
+ checksum: 'sha256:http://localhost:{{ http_port }}/sha256sum_with_asterisk.txt'
+ register: result_sha256_with_asterisk
+
+- stat:
+ path: "{{ remote_tmp_dir }}/27617sha256_with_asterisk.txt"
+ register: stat_result_sha256_with_asterisk
+
- name: download src with sha256 checksum url with file scheme
get_url:
url: 'http://localhost:{{ http_port }}/27617.txt'
@@ -467,6 +487,17 @@
path: "{{ remote_tmp_dir }}/71420sha256_with_dot.txt"
register: stat_result_sha256_with_dot_71420
+- name: download 71420.txt with sha256 checksum url with asterisk leading paths
+ get_url:
+ url: 'http://localhost:{{ http_port }}/71420.txt'
+ dest: '{{ remote_tmp_dir }}/71420sha256_with_asterisk.txt'
+ checksum: 'sha256:http://localhost:{{ http_port }}/sha256sum_with_asterisk.txt'
+ register: result_sha256_with_asterisk_71420
+
+- stat:
+ path: "{{ remote_tmp_dir }}/71420sha256_with_asterisk.txt"
+ register: stat_result_sha256_with_asterisk_71420
+
- name: download 71420.txt with sha256 checksum url with file scheme
get_url:
url: 'http://localhost:{{ http_port }}/71420.txt'
@@ -485,18 +516,22 @@
- result_sha1 is changed
- result_sha256 is changed
- result_sha256_with_dot is changed
+ - result_sha256_with_asterisk is changed
- result_sha256_with_file_scheme is changed
- "stat_result_sha1.stat.exists == true"
- "stat_result_sha256.stat.exists == true"
- "stat_result_sha256_with_dot.stat.exists == true"
+ - "stat_result_sha256_with_asterisk.stat.exists == true"
- "stat_result_sha256_with_file_scheme.stat.exists == true"
- result_sha1_71420 is changed
- result_sha256_71420 is changed
- result_sha256_with_dot_71420 is changed
+ - result_sha256_with_asterisk_71420 is changed
- result_sha256_with_file_scheme_71420 is changed
- "stat_result_sha1_71420.stat.exists == true"
- "stat_result_sha256_71420.stat.exists == true"
- "stat_result_sha256_with_dot_71420.stat.exists == true"
+ - "stat_result_sha256_with_asterisk_71420.stat.exists == true"
- "stat_result_sha256_with_file_scheme_71420.stat.exists == true"
#https://github.com/ansible/ansible/issues/16191