blob: cbf3b345f18926d12cf474d0314342ec896b6d0c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
# Test code for the file module.
# (c) 2014, Richard Isaacson <richard.c.isaacson@gmail.com>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: Determine if python looks like it will support modern ssl features like SNI
command: python -c 'from ssl import SSLContext'
ignore_errors: True
register: python_test
- name: Set python_has_sslcontext if we have it
set_fact:
python_has_ssl_context: True
when: python_test.rc == 0
- name: Set python_has_sslcontext False if we don't have it
set_fact:
python_has_ssl_context: False
when: python_test.rc != 0
- name: test https fetch
get_url: url="https://raw.githubusercontent.com/ansible/ansible/devel/README.md" dest={{output_dir}}/get_url.txt force=yes
register: result
- name: assert the get_url call was successful
assert:
that:
- result.changed
- '"OK" in result.msg'
- name: test https fetch to a site with mismatched hostname and certificate
get_url:
url: "https://www.kennethreitz.org/"
dest: "{{ output_dir }}/shouldnotexist.html"
ignore_errors: True
register: result
# kennethreitz having trouble staying up. Eventually need to install our own
# certs & web server to test this... also need to install and test it with
# a proxy so the complications are inevitable
until: "'read operation timed out' not in result.msg"
retries: 30
delay: 10
- stat:
path: "{{ output_dir }}/shouldnotexist.html"
register: stat_result
- name: Assert that the file was not downloaded
assert:
that:
- "result.failed == true"
- "'Certificate does not belong to ' in result.msg"
- "stat_result.stat.exists == false"
- name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no
get_url:
url: "https://www.kennethreitz.org/"
dest: "{{ output_dir }}/kreitz.html"
validate_certs: no
register: result
until: "'read operation timed out' not in result.msg"
retries: 30
delay: 10
- stat:
path: "{{ output_dir }}/kreitz.html"
register: stat_result
- name: Assert that the file was downloaded
assert:
that:
- "result.changed == true"
- "stat_result.stat.exists == true"
# SNI Tests
# SNI is only built into the stdlib from python-2.7.9 onwards
- name: Test that SNI works
get_url:
# A test site that returns a page with information on what SNI information
# the client sent. A failure would have the string: did not send a TLS server name indication extension
url: 'https://foo.sni.velox.ch/'
dest: "{{ output_dir }}/sni.html"
register: get_url_result
ignore_errors: True
- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html"
register: data_result
when: "{{ python_has_ssl_context }}"
# If distros start backporting SNI, can make a new conditional based on whether this works:
# python -c 'from ssl import SSLContext'
- debug: var=get_url_result
- name: Assert that SNI works with this python version
assert:
that:
- 'data_result.rc == 0'
- '"failed" not in get_url_result'
when: "{{ python_has_ssl_context }}"
# If the client doesn't support SNI then get_url should have failed with a certificate mismatch
- name: Assert that hostname verification failed because SNI is not supported on this version of python
assert:
that:
- 'get_url_result["failed"]'
when: "{{ not python_has_ssl_context }}"
|