ansible/test/integration/targets/uri/tasks/main.yml

# test code for the uri module
# (c) 2014, Leonid Evdokimov <leon@darkk.net.ru>

# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <https://www.gnu.org/licenses/>.

- name: set role facts
  set_fact:
    http_port: 15260
    files_dir: '{{ remote_tmp_dir|expanduser }}/files'
    checkout_dir: '{{ remote_tmp_dir }}/git'

- name: create a directory to serve files from
  file:
    dest: "{{ files_dir }}"
    state: directory

- copy:
    src: "{{ item }}"
    dest: "{{files_dir}}/{{ item }}"
  with_sequence: start=0 end=4 format=pass%d.json

- copy:
    src: "{{ item }}"
    dest: "{{files_dir}}/{{ item }}"
  with_sequence: start=0 end=30 format=fail%d.json

- copy:
    src: "testserver.py"
    dest: "{{ remote_tmp_dir }}/testserver.py"

- name: start SimpleHTTPServer
  shell: cd {{ files_dir }} && {{ ansible_python.executable }} {{ remote_tmp_dir}}/testserver.py {{ http_port }}
  async: 120 # this test set can take ~1m to run on FreeBSD (via Shippable)
  poll: 0

- wait_for: port={{ http_port }}


- name: checksum pass_json
  stat: path={{ files_dir }}/{{ item }}.json get_checksum=yes
  register: pass_checksum
  with_sequence: start=0 end=4 format=pass%d

- name: fetch pass_json
  uri: return_content=yes url=http://localhost:{{ http_port }}/{{ item }}.json
  register: fetch_pass_json
  with_sequence: start=0 end=4 format=pass%d

- name: check pass_json
  assert:
    that:
      - '"json" in item.1'
      - item.0.stat.checksum == item.1.content | checksum
  with_together:
    - "{{pass_checksum.results}}"
    - "{{fetch_pass_json.results}}"


- name: checksum fail_json
  stat: path={{ files_dir }}/{{ item }}.json get_checksum=yes
  register: fail_checksum
  with_sequence: start=0 end=30 format=fail%d

- name: fetch fail_json
  uri: return_content=yes url=http://localhost:{{ http_port }}/{{ item }}.json
  register: fail
  with_sequence: start=0 end=30 format=fail%d

- name: check fail_json
  assert:
    that:
      - item.0.stat.checksum == item.1.content | checksum
      - '"json" not in item.1'
  with_together:
    - "{{fail_checksum.results}}"
    - "{{fail.results}}"

- name: test https fetch to a site with mismatched hostname and certificate
  uri:
    url: "https://{{ badssl_host }}/"
    dest: "{{ remote_tmp_dir }}/shouldnotexist.html"
  ignore_errors: True
  register: result

- stat:
    path: "{{ remote_tmp_dir }}/shouldnotexist.html"
  register: stat_result

- name: Assert that the file was not downloaded
  assert:
    that:
      - result.failed == true
      - "'Failed to validate the SSL certificate' in result.msg or 'Hostname mismatch' in result.msg or (result.msg is match('hostname .* doesn.t match .*'))"
      - stat_result.stat.exists == false
      - result.status is defined
      - result.status == -1
      - result.url == 'https://' ~ badssl_host ~ '/'

- name: Clean up any cruft from the results directory
  file:
    name: "{{ remote_tmp_dir }}/kreitz.html"
    state: absent

- name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no
  uri:
    url: "https://{{ badssl_host }}/"
    dest: "{{ remote_tmp_dir }}/kreitz.html"
    validate_certs: no
  register: result

- stat:
    path: "{{ remote_tmp_dir }}/kreitz.html"
  register: stat_result

- name: Assert that the file was downloaded
  assert:
    that:
      - "stat_result.stat.exists == true"
      - "result.changed == true"

- name: "get ca certificate {{ self_signed_host }}"
  get_url:
    url: "http://{{ httpbin_host }}/ca2cert.pem"
    dest: "{{ remote_tmp_dir }}/ca2cert.pem"

- name: test https fetch to a site with self signed certificate using ca_path
  uri:
    url: "https://{{ self_signed_host }}:444/"
    dest: "{{ remote_tmp_dir }}/self-signed_using_ca_path.html"
    ca_path: "{{ remote_tmp_dir }}/ca2cert.pem"
    validate_certs: yes
  register: result

- stat:
    path: "{{ remote_tmp_dir }}/self-signed_using_ca_path.html"
  register: stat_result

- name: Assert that the file was downloaded
  assert:
    that:
      - "stat_result.stat.exists == true"
      - "result.changed == true"

- name: test https fetch to a site with self signed certificate without using ca_path
  uri:
    url: "https://{{ self_signed_host }}:444/"
    dest: "{{ remote_tmp_dir }}/self-signed-without_using_ca_path.html"
    validate_certs: yes
  register: result
  ignore_errors: true

- stat:
    path: "{{ remote_tmp_dir }}/self-signed-without_using_ca_path.html"
  register: stat_result

- name: Assure that https access to a host with self-signed certificate without providing ca_path fails
  assert:
    that:
      - "stat_result.stat.exists == false"
      - result is failed
      - "'certificate verify failed' in result.msg"

- name: Locate ca-bundle
  stat:
    path: '{{ item }}'
  loop:
    - /etc/ssl/certs/ca-bundle.crt
    - /etc/ssl/certs/ca-certificates.crt
    - /var/lib/ca-certificates/ca-bundle.pem
    - /usr/local/share/certs/ca-root-nss.crt
    - '{{ macos_cafile.stdout_lines|default(["/_i_dont_exist_ca.pem"])|first }}'
    - /etc/ssl/cert.pem
  register: ca_bundle_candidates

- name: Test that ca_path can be a full bundle
  uri:
    url: "https://{{ httpbin_host }}/get"
    ca_path: '{{ ca_bundle }}'
  vars:
    ca_bundle: '{{ ca_bundle_candidates.results|selectattr("stat.exists")|map(attribute="item")|first }}'

- name: test redirect without follow_redirects
  uri:
    url: 'https://{{ httpbin_host }}/redirect/2'
    follow_redirects: 'none'
    status_code: 302
  register: result

- name: Assert location header
  assert:
    that:
      - 'result.location|default("") == "https://{{ httpbin_host }}/relative-redirect/1"'

- name: Check SSL with redirect
  uri:
    url: 'https://{{ httpbin_host }}/redirect/2'
  register: result

- name: Assert SSL with redirect
  assert:
    that:
      - 'result.url|default("") == "https://{{ httpbin_host }}/get"'

- name: redirect to bad SSL site
  uri:
    url: 'http://{{ badssl_host }}'
  register: result
  ignore_errors: true

- name: Ensure bad SSL site reidrect fails
  assert:
    that:
      - result is failed
      - 'badssl_host in result.msg'

- name: test basic auth
  uri:
    url: 'https://{{ httpbin_host }}/basic-auth/user/passwd'
    user: user
    password: passwd

- name: test basic forced auth
  uri:
    url: 'https://{{ httpbin_host }}/hidden-basic-auth/user/passwd'
    force_basic_auth: true
    user: user
    password: passwd

- name: test digest auth
  uri:
    url: 'https://{{ httpbin_host }}/digest-auth/auth/user/passwd'
    user: user
    password: passwd
    headers:
      Cookie: "fake=fake_value"

- name: test unredirected_headers
  uri:
    url: 'https://{{ httpbin_host }}/redirect-to?status_code=301&url=/basic-auth/user/passwd'
    user: user
    password: passwd
    force_basic_auth: true
    unredirected_headers:
      - authorization
  ignore_errors: true
  register: unredirected_headers

- name: test omitting unredirected headers
  uri:
    url: 'https://{{ httpbin_host }}/redirect-to?status_code=301&url=/basic-auth/user/passwd'
    user: user
    password: passwd
    force_basic_auth: true
  register: redirected_headers

- name: ensure unredirected_headers caused auth to fail
  assert:
    that:
      - unredirected_headers is failed
      - unredirected_headers.status == 401
      - redirected_headers is successful
      - redirected_headers.status == 200

- name: test PUT
  uri:
    url: 'https://{{ httpbin_host }}/put'
    method: PUT
    body: 'foo=bar'

- name: test OPTIONS
  uri:
    url: 'https://{{ httpbin_host }}/'
    method: OPTIONS
  register: result

- name: Assert we got an allow header
  assert:
    that:
      - 'result.allow.split(", ")|sort == ["GET", "HEAD", "OPTIONS"]'

# Ubuntu12.04 doesn't have python-urllib3, this makes handling required dependencies a pain across all variations
# We'll use this to just skip 12.04 on those tests.  We should be sufficiently covered with other OSes and versions
- name: Set fact if running on Ubuntu 12.04
  set_fact:
    is_ubuntu_precise: "{{ ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'precise' }}"

- name: Test that SNI succeeds on python versions that have SNI
  uri:
    url: 'https://{{ sni_host }}/'
    return_content: true
  when: ansible_python.has_sslcontext
  register: result

- name: Assert SNI verification succeeds on new python
  assert:
    that:
      - result is successful
      - 'sni_host in result.content'
  when: ansible_python.has_sslcontext

- name: Verify SNI verification fails on old python without urllib3 contrib
  uri:
    url: 'https://{{ sni_host }}'
  ignore_errors: true
  when: not ansible_python.has_sslcontext
  register: result

- name: Assert SNI verification fails on old python
  assert:
    that:
      - result is failed
  when: result is not skipped

- name: check if urllib3 is installed as an OS package
  package:
    name: "{{ uri_os_packages[ansible_os_family].urllib3 }}"
  check_mode: yes
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool and uri_os_packages[ansible_os_family].urllib3|default
  register: urllib3

- name: uninstall conflicting urllib3 pip package
  pip:
    name: urllib3
    state: absent
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool and uri_os_packages[ansible_os_family].urllib3|default and urllib3.changed

- name: install OS packages that are needed for SNI on old python
  package:
    name: "{{ item }}"
  with_items: "{{ uri_os_packages[ansible_os_family].step1 | default([]) }}"
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: install python modules for Older Python SNI verification
  pip:
    name: "{{ item }}"
  with_items:
    - ndg-httpsclient
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: Verify SNI verification succeeds on old python with urllib3 contrib
  uri:
    url: 'https://{{ sni_host }}'
    return_content: true
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool
  register: result

- name: Assert SNI verification succeeds on old python
  assert:
    that:
      - result is successful
      - 'sni_host in result.content'
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: Uninstall ndg-httpsclient
  pip:
    name: "{{ item }}"
    state: absent
  with_items:
    - ndg-httpsclient
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: uninstall OS packages that are needed for SNI on old python
  package:
    name: "{{ item }}"
    state: absent
  with_items: "{{ uri_os_packages[ansible_os_family].step1 | default([]) }}"
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: install OS packages that are needed for building cryptography
  package:
    name: "{{ item }}"
  with_items: "{{ uri_os_packages[ansible_os_family].step2 | default([]) }}"
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: create constraints path
  set_fact:
    remote_constraints: "{{ remote_tmp_dir }}/constraints.txt"
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: create constraints file
  copy:
    content: |
      cryptography == 2.1.4
      idna == 2.5
      pyopenssl == 17.5.0
      six == 1.13.0
      urllib3 == 1.23
    dest: "{{ remote_constraints }}"
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: install urllib3 and pyopenssl via pip
  pip:
    name: "{{ item }}"
    extra_args: "-c {{ remote_constraints }}"
  with_items:
    - urllib3
    - PyOpenSSL
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: Verify SNI verification succeeds on old python with pip urllib3 contrib
  uri:
    url: 'https://{{ sni_host }}'
    return_content: true
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool
  register: result

- name: Assert SNI verification succeeds on old python with pip urllib3 contrib
  assert:
    that:
      - result is successful
      - 'sni_host in result.content'
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: Uninstall urllib3 and PyOpenSSL
  pip:
    name: "{{ item }}"
    state: absent
  with_items:
    - urllib3
    - PyOpenSSL
  when: not ansible_python.has_sslcontext and not is_ubuntu_precise|bool

- name: validate the status_codes are correct
  uri:
    url: "https://{{ httpbin_host }}/status/202"
    status_code: 202
    method: POST
    body: foo

- name: Validate body_format json does not override content-type in 2.3 or newer
  uri:
    url: "https://{{ httpbin_host }}/post"
    method: POST
    body:
      foo: bar
    body_format: json
    headers:
      'Content-Type': 'text/json'
    return_content: true
  register: result
  failed_when: result.json.headers['Content-Type'] != 'text/json'

- name: Validate body_format form-urlencoded using dicts works
  uri:
    url: https://{{ httpbin_host }}/post
    method: POST
    body:
      user: foo
      password: bar!#@ |&82$M
      submit: Sign in
    body_format: form-urlencoded
    return_content: yes
  register: result

- name: Assert form-urlencoded dict input
  assert:
    that:
    - result is successful
    - result.json.headers['Content-Type'] == 'application/x-www-form-urlencoded'
    - result.json.form.password == 'bar!#@ |&82$M'

- name: Validate body_format form-urlencoded using lists works
  uri:
    url: https://{{ httpbin_host }}/post
    method: POST
    body:
      - [ user, foo ]
      - [ password, bar!#@ |&82$M ]
      - [ submit, Sign in ]
    body_format: form-urlencoded
    return_content: yes
  register: result

- name: Assert form-urlencoded list input
  assert:
    that:
    - result is successful
    - result.json.headers['Content-Type'] == 'application/x-www-form-urlencoded'
    - result.json.form.password == 'bar!#@ |&82$M'

- name: Validate body_format form-urlencoded of invalid input fails
  uri:
    url: https://{{ httpbin_host }}/post
    method: POST
    body:
    - foo
    - bar: baz
    body_format: form-urlencoded
    return_content: yes
  register: result
  ignore_errors: yes

- name: Assert invalid input fails
  assert:
    that:
    - result is failure
    - "'failed to parse body as form_urlencoded: too many values to unpack' in result.msg"

- name: multipart/form-data
  uri:
    url: https://{{ httpbin_host }}/post
    method: POST
    body_format: form-multipart
    body:
      file1:
        filename: formdata.txt
      file2:
        content: text based file content
        filename: fake.txt
        mime_type: text/plain
      text_form_field1: value1
      text_form_field2:
        content: value2
        mime_type: text/plain
  register: multipart

- name: Assert multipart/form-data
  assert:
    that:
      - multipart.json.files.file1 == '_multipart/form-data_\n'
      - multipart.json.files.file2 == 'text based file content'
      - multipart.json.form.text_form_field1 == 'value1'
      - multipart.json.form.text_form_field2 == 'value2'

# https://github.com/ansible/ansible/issues/74276 - verifies we don't have a traceback
- name: multipart/form-data with invalid value
  uri:
    url: https://{{ httpbin_host }}/post
    method: POST
    body_format: form-multipart
    body:
      integer_value: 1
  register: multipart_invalid
  failed_when: 'multipart_invalid.msg != "failed to parse body as form-multipart: value must be a string, or mapping, cannot be type int"'

- name: Validate invalid method
  uri:
    url: https://{{ httpbin_host }}/anything
    method: UNKNOWN
  register: result
  ignore_errors: yes

- name: Assert invalid method fails
  assert:
    that:
    - result is failure
    - result.status == 405
    - "'METHOD NOT ALLOWED' in result.msg"

- name: Test client cert auth, no certs
  uri:
    url: "https://ansible.http.tests/ssl_client_verify"
    status_code: 200
    return_content: true
  register: result
  failed_when: result.content != "ansible.http.tests:NONE"
  when: has_httptester

- name: Test client cert auth, with certs
  uri:
    url: "https://ansible.http.tests/ssl_client_verify"
    client_cert: "{{ remote_tmp_dir }}/client.pem"
    client_key: "{{ remote_tmp_dir }}/client.key"
    return_content: true
  register: result
  failed_when: result.content != "ansible.http.tests:SUCCESS"
  when: has_httptester

- name: Test client cert auth, with no validation
  uri:
    url: "https://fail.ansible.http.tests/ssl_client_verify"
    client_cert: "{{ remote_tmp_dir }}/client.pem"
    client_key: "{{ remote_tmp_dir }}/client.key"
    return_content: true
    validate_certs: no
  register: result
  failed_when: result.content != "ansible.http.tests:SUCCESS"
  when: has_httptester

- name: Test client cert auth, with validation and ssl mismatch
  uri:
    url: "https://fail.ansible.http.tests/ssl_client_verify"
    client_cert: "{{ remote_tmp_dir }}/client.pem"
    client_key: "{{ remote_tmp_dir }}/client.key"
    return_content: true
    validate_certs: yes
  register: result
  failed_when: result is not failed
  when: has_httptester

- uri:
    url: https://{{ httpbin_host }}/response-headers?Set-Cookie=Foo%3Dbar&Set-Cookie=Baz%3Dqux
  register: result

- assert:
    that:
      - result['set_cookie'] == 'Foo=bar, Baz=qux'
      # Python sorts cookies in order of most specific (ie. longest) path first
      # items with the same path are reversed from response order
      - result['cookies_string'] == 'Baz=qux; Foo=bar'

- name: Write out netrc template
  template:
    src: netrc.j2
    dest: "{{ remote_tmp_dir }}/netrc"

- name: Test netrc with port
  uri:
    url: "https://{{ httpbin_host }}:443/basic-auth/user/passwd"
  environment:
    NETRC: "{{ remote_tmp_dir }}/netrc"

- name: Test JSON POST with src
  uri:
    url: "https://{{ httpbin_host}}/post"
    src: pass0.json
    method: POST
    return_content: true
    body_format: json
  register: result

- name: Validate POST with src works
  assert:
    that:
      - result.json.json[0] == 'JSON Test Pattern pass1'

- name: Copy file pass0.json to remote
  copy:
    src: "{{ role_path }}/files/pass0.json"
    dest: "{{ remote_tmp_dir }}/pass0.json"

- name: Test JSON POST with src and remote_src=True
  uri:
    url: "https://{{ httpbin_host}}/post"
    src: "{{ remote_tmp_dir }}/pass0.json"
    remote_src: true
    method: POST
    return_content: true
    body_format: json
  register: result

- name: Validate POST with src  and remote_src=True works
  assert:
    that:
      - result.json.json[0] == 'JSON Test Pattern pass1'

- name: Make request that includes password in JSON keys
  uri:
    url: "https://{{ httpbin_host}}/get?key-password=value-password"
    user: admin
    password: password
  register: sanitize_keys

- name: assert that keys were sanitized
  assert:
    that:
      - sanitize_keys.json.args['key-********'] == 'value-********'

- name: Create a testing file
  copy:
    content: "content"
    dest: "{{ remote_tmp_dir }}/output"

- name: Download a file from non existing location
  uri:
    url: http://does/not/exist
    dest: "{{ remote_tmp_dir }}/output"
  ignore_errors: yes

- name: Save testing file's output
  command: "cat {{ remote_tmp_dir }}/output"
  register: file_out

- name: Test the testing file was not overwritten
  assert:
    that:
      - "'content' in file_out.stdout"

- name: Clean up
  file:
    dest: "{{ remote_tmp_dir }}/output"
    state: absent

- name: Test follow_redirects=none
  import_tasks: redirect-none.yml

- name: Test follow_redirects=safe
  import_tasks: redirect-safe.yml

- name: Test follow_redirects=urllib2
  import_tasks: redirect-urllib2.yml

- name: Test follow_redirects=all
  import_tasks: redirect-all.yml

- name: Check unexpected failures
  import_tasks: unexpected-failures.yml

- name: Check return-content
  import_tasks: return-content.yml

- name: Test use_gssapi=True
  include_tasks:
    file: use_gssapi.yml
    apply:
      environment:
        KRB5_CONFIG: '{{ krb5_config }}'
        KRB5CCNAME: FILE:{{ remote_tmp_dir }}/krb5.cc
  when: krb5_config is defined