From aaa10cd506b9e08b78c9c36feeddbb46f6f6905d Mon Sep 17 00:00:00 2001
From: Philippe Kueck
Date: Fri, 10 Dec 2021 11:53:21 +0100
Subject: plugins/dnf, plugins/yum: implement sslverify option (#76356)
---
 changelogs/fragments/76356-yumdnf-sslverify.yml | 3 +++
 lib/ansible/module_utils/yumdnf.py | 2 ++
 lib/ansible/modules/dnf.py | 22 ++++++++++++++++------
 lib/ansible/modules/yum.py | 18 +++++++++++++++++-
 4 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 changelogs/fragments/76356-yumdnf-sslverify.yml
diff --git a/changelogs/fragments/76356-yumdnf-sslverify.yml b/changelogs/fragments/76356-yumdnf-sslverify.yml
new file mode 100644
index 0000000000..ae021b1085
--- /dev/null
+++ b/changelogs/fragments/76356-yumdnf-sslverify.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+ - yum, dnf - add sslverify option to temporarily disable certificate validation for a repository
diff --git a/lib/ansible/module_utils/yumdnf.py b/lib/ansible/module_utils/yumdnf.py
index 58827312bf..018f0d25ec 100644
--- a/lib/ansible/module_utils/yumdnf.py
+++ b/lib/ansible/module_utils/yumdnf.py
@@ -50,6 +50,7 @@ yumdnf_argument_spec = dict(
 update_cache=dict(type='bool', default=False, aliases=['expire-cache']),
 update_only=dict(required=False, default="no", type='bool'),
 validate_certs=dict(type='bool', default=True),
+ sslverify=dict(type='bool', default=True),
 lock_timeout=dict(type='int', default=30),
 ),
 required_one_of=[['name', 'list', 'update_cache']],
@@ -95,6 +96,7 @@ class YumDnf(with_metaclass(ABCMeta, object)):
 self.update_only = self.module.params['update_only']
 self.update_cache = self.module.params['update_cache']
 self.validate_certs = self.module.params['validate_certs']
+ self.sslverify = self.module.params['sslverify']
 self.lock_timeout = self.module.params['lock_timeout']
 # It's possible someone passed a comma separated string since it used
diff --git a/lib/ansible/modules/dnf.py b/lib/ansible/modules/dnf.py
index 9b1faaa5f0..23764a4a62 100644
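Review bot: The new `sslverify` entry sits directly below `validate_certs` with the same type and default, and nothing in the spec says which certificate check each one governs, so the two are easy to confuse in a playbook. A comment above the new line would settle it, e.g. `# sslverify is handed to the yum/dnf repository configuration for the whole transaction; validate_certs covers the module's own URL fetches` — the second half is my reading of the existing option, whose uses are outside this hunk, and should be confirmed before it is written down. yumdnf_argument_spec continues outside the hunk.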
--- a/lib/ansible/modules/dnf.py
+++ b/lib/ansible/modules/dnf.py
@@ -172,6 +172,13 @@ options:
 type: bool
 default: "yes"
 version_added: "2.7"
+ sslverify:
+ description:
+ - Disables SSL validation of the repository server for this transaction.
+ - This should be set to C(no) if one of the configured repositories is using an untrusted or self-signed certificate.
+ type: bool
+ default: "yes"
+ version_added: "2.13"
 allow_downgrade:
 description:
 - Specify if the named package and version is allowed to downgrade
@@ -587,7 +594,7 @@ class DnfModule(YumDnf):
 results=[]
 )
- def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/'):
+ def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True):
 """Configure the dnf Base object."""
 conf = base.conf
@@ -616,6 +623,9 @@ class DnfModule(YumDnf):
 # Don't prompt for user confirmations
 conf.assumeyes = True
+ # Set certificate validation
+ conf.sslverify = sslverify
+
 # Set installroot
 conf.installroot = installroot
@@ -686,10 +696,10 @@ class DnfModule(YumDnf):
 for repo in repos.get_matching(repo_pattern):
 repo.enable()
- def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot):
+ def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify):
 """Return a fully configured dnf Base object."""
 base = dnf.Base()
- self._configure_base(base, conf_file, disable_gpg_check, installroot)
+ self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify)
 try:
 # this method has been supported in dnf-4.2.17-6 or later
 # https://bugzilla.redhat.com/show_bug.cgi?id=1788212
@@ -1350,7 +1360,7 @@ class DnfModule(YumDnf):
 if self.update_cache and not self.names and not self.list:
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
 )
 self.module.exit_json(
 msg="Cache updated",
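Review bot: The option description is inverted for a boolean: it says the option "Disables SSL validation", yet the default `yes` keeps validation on, and the same text is repeated in the yum.py options hunk at @@ -119, so both should change together. A wording that matches the value would be `- Whether to validate the TLS certificate of the repository server for this transaction. Since it is set on the main configuration it applies to every enabled repository, not a single one.` followed by `- Prefer installing the CA into the host trust store or setting C(sslcacert) in the repo file; set this to C(no) only as a temporary workaround for a self-signed or untrusted certificate.` The changelog fragment's "for a repository" likewise understates the scope that `conf.sslverify` actually has.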
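Review bot: `conf.sslverify = sslverify` is assigned unconditionally, so if `conf.read(conf_file)` runs earlier in `_configure_base` (the function body is outside the hunk) the module default of True silently overrides whatever `sslverify` an administrator put in the `[main]` section of dnf.conf, even when the playbook never mentions the option; the yum.py hunk at @@ -551 has the same shape. If that override is intended, the one-word comment should say so: `# Overrides sslverify from the [main] section of conf_file for every repo in this transaction`. Since a False value turns off TLS verification for the whole transaction, calling `self.module.warn('sslverify=false: repository certificates are not validated for this transaction')` when `sslverify` is False would leave a visible trace in the play output.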
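Review bot: `_base` now takes `sslverify` as a required positional parameter while `_configure_base` gives it a default of True, so any caller of `_base` other than the three call sites updated in this commit (around new lines 1360, 1378 and 1391) now fails with a TypeError; I cannot see from the diff whether such callers exist. Giving it the same default keeps the two signatures consistent and the change backward compatible: `def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify=True):`.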
@@ -1368,7 +1378,7 @@ class DnfModule(YumDnf):
 if self.list:
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
 )
 self.list_items(self.list)
 else:
@@ -1381,7 +1391,7 @@ class DnfModule(YumDnf):
 )
 self.base = self._base(
 self.conf_file, self.disable_gpg_check, self.disablerepo,
- self.enablerepo, self.installroot
+ self.enablerepo, self.installroot, self.sslverify
 )
 if self.with_modules:
diff --git a/lib/ansible/modules/yum.py b/lib/ansible/modules/yum.py
index 53756a5bb7..ef0b314088 100644
--- a/lib/ansible/modules/yum.py
+++ b/lib/ansible/modules/yum.py
@@ -119,7 +119,13 @@ options:
 type: bool
 default: "yes"
 version_added: "2.1"
-
+ sslverify:
+ description:
+ - Disables SSL validation of the repository server for this transaction.
+ - This should be set to C(no) if one of the configured repositories is using an untrusted or self-signed certificate.
+ type: bool
+ default: "yes"
+ version_added: "2.13"
 update_only:
 description:
 - When using latest, only update installed packages. Do not install packages.
@@ -551,6 +557,11 @@ class YumModule(YumDnf):
 if self.disable_excludes:
 self._yum_base.conf.disable_excludes = self.disable_excludes
+ # setting conf.sslverify allows retrieving the repo's metadata
+ # without validating the certificate, but that does not allow
+ # package installation from a bad-ssl repo.
+ self._yum_base.conf.sslverify = self.sslverify
+
 # A sideeffect of accessing conf is that the configuration is
 # loaded and plugins are discovered
 self.yum_base.conf
@@ -956,6 +967,11 @@ class YumModule(YumDnf):
 if self.releasever:
 cmd.extend(['--releasever=%s' % self.releasever])
+ # setting sslverify using --setopt is required as conf.sslverify only
+ # affects the metadata retrieval.
+ if not self.sslverify:
+ cmd.extend(['--setopt', 'sslverify=0'])
+
 if self.module.check_mode:
 self.module.exit_json(changed=True, results=res['results'], changes=dict(installed=pkgs))
 else:
--
cgit v1.2.1
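Review bot: The `--setopt sslverify=0` override is added only to the `cmd` built in this hunk, whose enclosing function starts outside the hunk; if the module assembles separate yum command lines for other states, those paths would still verify certificates during download, since the comment in the @@ -551 hunk says `conf.sslverify` alone only covers metadata retrieval, and the documented per-transaction scope would then hold for install only. Factoring the two lines into a small helper that every command builder calls, or adding a test that asserts each yum invocation carries the option when `sslverify` is False, would close that gap; I cannot see the other builders from here. The check_mode exit that follows is unaffected.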