authorMatt Martz <matt@sivel.net>2021-10-07 14:04:48 -0500
committerGitHub <noreply@github.com>2021-10-08 05:04:48 +1000
commit8510db4935a27fd190614a2cb7d41628a0f24def (patch)
tree8a811bbd4fb003a5eb19ad708b84e7f4c7bd456f /lib/ansible/module_utils/urls.py
parent23b9d197ebf8e281965003675ae480bc09264e99 (diff)
downloadansible-8510db4935a27fd190614a2cb7d41628a0f24def.tar.gz
Allow ca_path to point to a bundle (#75894)
* Allow ca_path to point to a bundle. Fixes #75015
Diffstat (limited to 'lib/ansible/module_utils/urls.py')
-rw-r--r--lib/ansible/module_utils/urls.py28
1 files changed, 20 insertions, 8 deletions
diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
index 5ba945931d..c6b194d680 100644
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@@ -475,6 +475,11 @@ zKPZsZ2miVGclicJHzm5q080b1p/sZtuKIEZk6vZqEg=
-----END CERTIFICATE-----
"""
+b_PEM_CERT_RE = re.compile(
+ br'^-----BEGIN CERTIFICATE-----\n.+?-----END CERTIFICATE-----$',
+ flags=re.M | re.S
+)
+
#
# Exceptions
#
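Review bot: The new `b_PEM_CERT_RE` pattern only matches LF line endings, so a CA bundle saved with CRLF endings yields no matches at all: the literal `\n` after the BEGIN line and the `$` after the END line both fail when a `\r` precedes the newline. The old code passed the whole file to `ssl.PEM_cert_to_DER_cert`, so for such files this looks like a regression that silently drops trust anchors. Accepting an optional carriage return would cover it, for example `br'^-----BEGIN CERTIFICATE-----\r?\n.+?-----END CERTIFICATE-----\r?$'`. A short comment above the pattern stating which PEM label and line endings it accepts would also help.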
@@ -745,6 +750,11 @@ def generic_urlparse(parts):
return generic_parts
+def extract_pem_certs(b_data):
+ for match in b_PEM_CERT_RE.finditer(b_data):
+ yield match.group(0)
+
+
class RequestWithMethod(urllib_request.Request):
'''
Workaround for using DELETE/PUT/etc with urllib2
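Review bot: `extract_pem_certs` has no docstring, and its contract matters to both callers: it takes bytes, yields each matched block as bytes, and yields nothing when the input contains no matching block. I would add `"""Yield each PEM certificate block (bytes) found in b_data; yields nothing if no block matches."""` so that callers know the empty case is theirs to handle.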
@@ -918,11 +928,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
paths_checked = [self.ca_path]
with open(to_bytes(self.ca_path, errors='surrogate_or_strict'), 'rb') as f:
if HAS_SSLCONTEXT:
- cadata.extend(
- ssl.PEM_cert_to_DER_cert(
- to_native(f.read(), errors='surrogate_or_strict')
+ for b_pem in extract_pem_certs(f.read()):
+ cadata.extend(
+ ssl.PEM_cert_to_DER_cert(
+ to_native(b_pem, errors='surrogate_or_strict')
+ )
)
- )
return self.ca_path, cadata, paths_checked
if not HAS_SSLCONTEXT:
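Review bot: When the file at `self.ca_path` contains no block that `b_PEM_CERT_RE` matches, the new `for b_pem in extract_pem_certs(f.read())` loop body never runs and the function returns `self.ca_path, cadata, paths_checked` without `cadata` having been extended. Before this change the whole file content went to `ssl.PEM_cert_to_DER_cert`, which rejects input that is not PEM, so a wrong or corrupted `ca_path` was reported at this point. I would count the extracted blocks and raise or warn when the count is zero, so a misconfigured trust store is diagnosed here instead of surfacing later as an unexplained validation failure. How the empty `cadata` is used downstream is not visible in this hunk, and the enclosing method starts and ends outside it. The same silent-empty case applies to the `extract_pem_certs(b_cert)` loop in the last hunk.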
@@ -981,11 +992,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
b_cert = cert_file.read()
if HAS_SSLCONTEXT:
try:
- cadata.extend(
- ssl.PEM_cert_to_DER_cert(
- to_native(b_cert, errors='surrogate_or_strict')
+ for b_pem in extract_pem_certs(b_cert):
+ cadata.extend(
+ ssl.PEM_cert_to_DER_cert(
+ to_native(b_pem, errors='surrogate_or_strict')
+ )
)
- )
except Exception:
continue
else:
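Review bot: The `try` / `except Exception: continue` now wraps the whole per-certificate loop, so one malformed block in the middle of a bundle leaves the earlier blocks already appended to `cadata` and silently skips the remaining ones in that file. That partial load is hard to notice, because the file seems to work for some peers and not for others. Converting all blocks into a temporary buffer and extending `cadata` only once the whole file has parsed would keep each file all-or-nothing. Alternatively, catching the error per block would skip just the bad certificate. The enclosing loop and method start outside this hunk.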