Merge 887416f050 into 869088b959

lib/ansible/module_utils/yumdnf.py

@@ -45,6 +45,7 @@ yumdnf_argument_spec = dict(
         update_only=dict(required=False, default="no", type='bool'),
         validate_certs=dict(type='bool', default=True),
         sslverify=dict(type='bool', default=True),
+        sslverifystatus=dict(type='bool', default=False),
         lock_timeout=dict(type='int', default=30),
     ),
     required_one_of=[['name', 'list', 'update_cache']],
@@ -93,6 +94,7 @@ class YumDnf(metaclass=ABCMeta):
         self.update_cache = self.module.params['update_cache']
         self.validate_certs = self.module.params['validate_certs']
         self.sslverify = self.module.params['sslverify']
+        self.sslverifystatus = self.module.params['sslverifystatus']
         self.lock_timeout = self.module.params['lock_timeout']
 
         # It's possible someone passed a comma separated string since it used

lib/ansible/modules/dnf.py

@@ -198,6 +198,13 @@ options:
     type: bool
     default: "yes"
     version_added: "2.13"
+  sslverifystatus:
+    description:
+      - Enables or disables SSL certificate revocation status checking for the repository server.
+      - This should be set to V(false) if the repository server does not support OCSP stapling.
+    type: bool
+    default: "no"
+    version_added: "2.19"
   allow_downgrade:
     description:
       - Specify if the named package and version is allowed to downgrade
@@ -504,7 +511,7 @@ class DnfModule(YumDnf):
             results=[]
         )
 
-    def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True):
+    def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True, sslverifystatus=False):
         """Configure the dnf Base object."""
 
         conf = base.conf
@@ -535,6 +542,7 @@ class DnfModule(YumDnf):
 
         # Set certificate validation
         conf.sslverify = sslverify
+        conf.sslverifystatus = sslverifystatus
 
         # Set installroot
         if not os.path.isdir(installroot):
@@ -629,10 +637,10 @@ class DnfModule(YumDnf):
                 repo.gpgcheck = False
                 repo.repo_gpgcheck = False
 
-    def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify):
+    def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify, sslverifystatus):
         """Return a fully configured dnf Base object."""
         base = dnf.Base()
-        self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify)
+        self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify, sslverifystatus)
 
         base.setup_loggers()
         base.init_plugins(set(self.disable_plugin), set(self.enable_plugin))
@@ -1206,7 +1214,7 @@ class DnfModule(YumDnf):
         if self.update_cache and not self.names and not self.list:
             self.base = self._base(
                 self.conf_file, self.disable_gpg_check, self.disablerepo,
-                self.enablerepo, self.installroot, self.sslverify
+                self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
             )
             self.module.exit_json(
                 msg="Cache updated",
@@ -1224,7 +1232,7 @@ class DnfModule(YumDnf):
         if self.list:
             self.base = self._base(
                 self.conf_file, self.disable_gpg_check, self.disablerepo,
-                self.enablerepo, self.installroot, self.sslverify
+                self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
             )
             self.list_items(self.list)
         else:
@@ -1237,7 +1245,7 @@ class DnfModule(YumDnf):
                 )
             self.base = self._base(
                 self.conf_file, self.disable_gpg_check, self.disablerepo,
-                self.enablerepo, self.installroot, self.sslverify
+                self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus
             )
 
             if self.with_modules:

lib/ansible/modules/dnf5.py

@@ -168,6 +168,13 @@ options:
       - This should be set to V(false) if one of the configured repositories is using an untrusted or self-signed certificate.
     type: bool
     default: "yes"
+  sslverifystatus:
+    description:
+      - Enables or disables SSL certificate revocation status checking for the repository server.
+      - This should be set to V(false) if the repository server does not support OCSP stapling.
+    type: bool
+    default: "no"
+    version_added: 2.19
   allow_downgrade:
     description:
       - Specify if the named package and version is allowed to downgrade
@@ -594,6 +601,7 @@ class Dnf5Module(YumDnf):
             conf.pkg_gpgcheck = not self.disable_gpg_check
         conf.localpkg_gpgcheck = not self.disable_gpg_check
         conf.sslverify = self.sslverify
+        conf.sslverifystatus = self.sslverifystatus
         conf.clean_requirements_on_remove = self.autoremove
 
         if not os.path.isdir(self.installroot):

lib/ansible/modules/yum_repository.py

@@ -328,6 +328,11 @@ options:
       - Defines whether yum should verify SSL certificates/hosts at all.
     type: bool
     aliases: [ validate_certs ]
+  sslverifystatus:
+    description:
+      - Defines whether SSL certificate revocation status checking should be done for the repository server.
+    type: bool
+    version_added: '2.19'
   state:
     description:
       - State of the repo file.
@@ -570,6 +575,7 @@ def main():
         sslclientcert=dict(aliases=['client_cert']),
         sslclientkey=dict(aliases=['client_key'], no_log=False),
         sslverify=dict(type='bool', aliases=['validate_certs']),
+        sslverifystatus=dict(type='bool'),
         state=dict(choices=['present', 'absent'], default='present'),
         throttle=dict(),
         timeout=dict(),