From d2bf2660744292eadc42f6510f702be57a07c2db Mon Sep 17 00:00:00 2001 From: jilvin Abraham Date: Mon, 28 Apr 2025 23:17:03 +0530 Subject: [PATCH 1/6] Adding sslverifystatus flag --- lib/ansible/module_utils/yumdnf.py | 2 ++ lib/ansible/modules/dnf.py | 20 ++++++++++++++------ lib/ansible/modules/dnf5.py | 7 +++++++ lib/ansible/modules/yum_repository.py | 6 ++++++ 4 files changed, 29 insertions(+), 6 deletions(-) diff --git a/lib/ansible/module_utils/yumdnf.py b/lib/ansible/module_utils/yumdnf.py index b2cbba3fde2..116d493b125 100644 --- a/lib/ansible/module_utils/yumdnf.py +++ b/lib/ansible/module_utils/yumdnf.py @@ -49,6 +49,7 @@ yumdnf_argument_spec = dict( update_only=dict(required=False, default="no", type='bool'), validate_certs=dict(type='bool', default=True), sslverify=dict(type='bool', default=True), + sslverifystatus=dict(type='bool', default=False) lock_timeout=dict(type='int', default=30), ), required_one_of=[['name', 'list', 'update_cache']], @@ -98,6 +99,7 @@ class YumDnf(metaclass=ABCMeta): self.update_cache = self.module.params['update_cache'] self.validate_certs = self.module.params['validate_certs'] self.sslverify = self.module.params['sslverify'] + self.sslverifystatus = self.module.params['sslverifystatus'] self.lock_timeout = self.module.params['lock_timeout'] # It's possible someone passed a comma separated string since it used diff --git a/lib/ansible/modules/dnf.py b/lib/ansible/modules/dnf.py index 07f0384b5c9..542e6a96d06 100644 --- a/lib/ansible/modules/dnf.py +++ b/lib/ansible/modules/dnf.py @@ -198,6 +198,13 @@ options: type: bool default: "yes" version_added: "2.13" + sslverifystatus: + description: + - Enables or disables SSL certificate revocation status checking for the repository server. + - This should be set to V(false) if the repository server does not support OCSP stapling. + type: bool + default: "no" + version_added: "2.15" allow_downgrade: description: - Specify if the named package and version is allowed to downgrade 
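Review bot: Giving `sslverifystatus` a hard `default=False` in the shared `yumdnf_argument_spec` means the two consumers assign it unconditionally (`conf.sslverifystatus = sslverifystatus` in dnf.py's `_configure_base` hunk and `conf.sslverifystatus = self.sslverifystatus` in the dnf5.py hunk), so a host whose dnf.conf or repo files opted into revocation checking has it switched off by every module run that does not pass the option. That is a weakening the playbook author never asked for, unlike `sslverify`, whose `default=True` override only tightens. Consider `sslverifystatus=dict(type='bool')` here and `if sslverifystatus is not None: conf.sslverifystatus = sslverifystatus` in the two consumers (dnf5: `if self.sslverifystatus is not None:`), documenting the default as "whatever the host's dnf configuration sets". Whether the conf object has already been loaded from the host's dnf.conf at the point of assignment is not visible in these hunks, so confirm that ordering before relying on it.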
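Review bot: The second description bullet, `This should be set to V(false) if the repository server does not support OCSP stapling`, reads as if the check were on by default, while `default: "no"` in the same hunk says it is off; the dnf5.py documentation hunk repeats the same wording. Rephrase it as an opt-in caveat, e.g. `- Only enable this if the repository server supports OCSP stapling; otherwise the TLS connection is refused because no stapled revocation response is received.` It would also help operators to state that this option does not compensate for O(sslverify) being V(false): revocation status is only meaningful on top of a validated certificate chain.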
@@ -509,7 +516,7 @@ class DnfModule(YumDnf): results=[] ) - def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True): + def _configure_base(self, base, conf_file, disable_gpg_check, installroot='/', sslverify=True, sslverifystatus=False): """Configure the dnf Base object.""" conf = base.conf @@ -540,6 +547,7 @@ class DnfModule(YumDnf): # Set certificate validation conf.sslverify = sslverify + conf.sslverifystatus = sslverifystatus # Set installroot conf.installroot = installroot @@ -631,10 +639,10 @@ class DnfModule(YumDnf): repo.gpgcheck = False repo.repo_gpgcheck = False - def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify): + def _base(self, conf_file, disable_gpg_check, disablerepo, enablerepo, installroot, sslverify, sslverifystatus): """Return a fully configured dnf Base object.""" base = dnf.Base() - self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify) + self._configure_base(base, conf_file, disable_gpg_check, installroot, sslverify, sslverifystatus) base.setup_loggers() base.init_plugins(set(self.disable_plugin), set(self.enable_plugin)) @@ -1213,7 +1221,7 @@ class DnfModule(YumDnf): if self.update_cache and not self.names and not self.list: self.base = self._base( self.conf_file, self.disable_gpg_check, self.disablerepo, - self.enablerepo, self.installroot, self.sslverify + self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus ) self.module.exit_json( msg="Cache updated", @@ -1231,7 +1239,7 @@ class DnfModule(YumDnf): if self.list: self.base = self._base( self.conf_file, self.disable_gpg_check, self.disablerepo, - self.enablerepo, self.installroot, self.sslverify + self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus ) self.list_items(self.list) else: 
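Review bot: `conf.sslverifystatus = sslverifystatus` in the second hunk is assigned blindly and nothing confirms the option exists on the installed dnf; if the host's dnf predates the `sslverifystatus` config option, the assignment will, depending on how that version's `BaseConfig.__setattr__` treats unknown names, either raise an unhandled exception or quietly become a plain Python attribute that never reaches librepo, and in the latter case the module reports success while the revocation check it was asked for is not in effect. When the user explicitly requested `sslverifystatus: true`, the module should verify the setting took (re-read `conf.sslverifystatus` after assignment or catch the failure) and call `self.module.fail_json(...)` rather than silently degrade; the dnf5.py hunk setting `conf.sslverifystatus` has the same shape. `_configure_base` and `_base` both continue outside the hunk, and since `_base` gained a required positional parameter, any caller of `_base` not shown in this commit would now raise TypeError — the three call sites visible here are updated.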
@@ -1244,7 +1252,7 @@ class DnfModule(YumDnf): ) self.base = self._base( self.conf_file, self.disable_gpg_check, self.disablerepo, - self.enablerepo, self.installroot, self.sslverify + self.enablerepo, self.installroot, self.sslverify, self.sslverifystatus ) if self.with_modules: diff --git a/lib/ansible/modules/dnf5.py b/lib/ansible/modules/dnf5.py index 5df5179fe27..44e6c25e966 100644 --- a/lib/ansible/modules/dnf5.py +++ b/lib/ansible/modules/dnf5.py @@ -168,6 +168,12 @@ options: - This should be set to V(false) if one of the configured repositories is using an untrusted or self-signed certificate. type: bool default: "yes" + sslverifystatus: + description: + - Enables or disables SSL certificate revocation status checking for the repository server. + - This should be set to V(false) if the repository server does not support OCSP stapling. + type: bool + default: "no" allow_downgrade: description: - Specify if the named package and version is allowed to downgrade @@ -617,6 +623,7 @@ class Dnf5Module(YumDnf): conf.pkg_gpgcheck = not self.disable_gpg_check conf.localpkg_gpgcheck = not self.disable_gpg_check conf.sslverify = self.sslverify + conf.sslverifystatus = self.sslverifystatus conf.clean_requirements_on_remove = self.autoremove conf.installroot = self.installroot conf.use_host_config = True # needed for installroot diff --git a/lib/ansible/modules/yum_repository.py b/lib/ansible/modules/yum_repository.py index c63932f1e55..2b4793d64f3 100644 --- a/lib/ansible/modules/yum_repository.py +++ b/lib/ansible/modules/yum_repository.py @@ -336,6 +336,11 @@ options: - Defines whether yum should verify SSL certificates/hosts at all. type: bool aliases: [ validate_certs ] + sslverifystatus: + description: + - Defines whether SSL certificate revocation status checking should be done for the repository server. + type: bool + default: false state: description: - State of the repo file. 
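Review bot: The yum_repository description for `sslverifystatus` only says it controls revocation checking, without the caveat the dnf.py and dnf5.py docs carry; a `.repo` file written with `sslverifystatus=1` makes dnf refuse mirrors that do not serve stapled OCSP responses, which is exactly the outage a repo-management playbook author needs to know about before enabling it. Add a second bullet, e.g. `- Only enable this if the repository server supports OCSP stapling; otherwise dnf will refuse to connect to the repository.` It would also be worth stating that leaving the option unset leaves the key out of the repo file so the dnf.conf default applies, which appears to be the intent given the spec entry in this patch has no default, though the file-writing logic is outside the hunk.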
@@ -584,6 +589,7 @@ def main(): sslclientcert=dict(aliases=['client_cert']), sslclientkey=dict(aliases=['client_key'], no_log=False), sslverify=dict(type='bool', aliases=['validate_certs']), + sslverifystatus=dict(type='bool'), state=dict(choices=['present', 'absent'], default='present'), throttle=dict(), timeout=dict(), From f16b28f187b94ff797d9096442d474ad8d8b5333 Mon Sep 17 00:00:00 2001 From: Jilvin Thomas Abraham Date: Mon, 28 Apr 2025 23:40:52 +0530 Subject: [PATCH 2/6] Update yumdnf.py Added missing comma --- lib/ansible/module_utils/yumdnf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ansible/module_utils/yumdnf.py b/lib/ansible/module_utils/yumdnf.py index 116d493b125..8ec163722ab 100644 --- a/lib/ansible/module_utils/yumdnf.py +++ b/lib/ansible/module_utils/yumdnf.py @@ -49,7 +49,7 @@ yumdnf_argument_spec = dict( update_only=dict(required=False, default="no", type='bool'), validate_certs=dict(type='bool', default=True), sslverify=dict(type='bool', default=True), - sslverifystatus=dict(type='bool', default=False) + sslverifystatus=dict(type='bool', default=False), lock_timeout=dict(type='int', default=30), ), required_one_of=[['name', 'list', 'update_cache']], From 8c272f63d279ceca52ab5e6aaece1d1604d4f967 Mon Sep 17 00:00:00 2001 From: Jilvin Thomas Abraham Date: Mon, 28 Apr 2025 23:49:16 +0530 Subject: [PATCH 3/6] Update dnf.py updated version from 2.15 to 2.19 --- lib/ansible/modules/dnf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ansible/modules/dnf.py b/lib/ansible/modules/dnf.py index 542e6a96d06..9d5ce20c4fe 100644 --- a/lib/ansible/modules/dnf.py +++ b/lib/ansible/modules/dnf.py @@ -204,7 +204,7 @@ options: - This should be set to V(false) if the repository server does not support OCSP stapling. type: bool default: "no" - version_added: "2.15" + version_added: "2.19" allow_downgrade: description: - Specify if the named package and version is allowed to downgrade 
From 4c9896089d24d0c1ba18924f6c71e0cd972b8fab Mon Sep 17 00:00:00 2001 From: Jilvin Thomas Abraham Date: Mon, 28 Apr 2025 23:51:14 +0530 Subject: [PATCH 4/6] Update dnf5.py version added --- lib/ansible/modules/dnf5.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/ansible/modules/dnf5.py b/lib/ansible/modules/dnf5.py index 44e6c25e966..2fb7300fcc6 100644 --- a/lib/ansible/modules/dnf5.py +++ b/lib/ansible/modules/dnf5.py @@ -174,6 +174,7 @@ options: - This should be set to V(false) if the repository server does not support OCSP stapling. type: bool default: "no" + version_added: 2.19 allow_downgrade: description: - Specify if the named package and version is allowed to downgrade From 23b88f39c29ca103582615bc84e643d91dddf9d2 Mon Sep 17 00:00:00 2001 From: Jilvin Thomas Abraham Date: Mon, 28 Apr 2025 23:52:21 +0530 Subject: [PATCH 5/6] Update yum_repository.py removed default --- lib/ansible/modules/yum_repository.py | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/ansible/modules/yum_repository.py b/lib/ansible/modules/yum_repository.py index 2b4793d64f3..b465b9f5b1d 100644 --- a/lib/ansible/modules/yum_repository.py +++ b/lib/ansible/modules/yum_repository.py @@ -340,7 +340,6 @@ options: description: - Defines whether SSL certificate revocation status checking should be done for the repository server. type: bool - default: false state: description: - State of the repo file. From 887416f050561ebe0b6a97a0b81fad568200dd9f Mon Sep 17 00:00:00 2001 From: Jilvin Thomas Abraham Date: Mon, 28 Apr 2025 23:59:11 +0530 Subject: [PATCH 6/6] Update yum_repository.py added version --- lib/ansible/modules/yum_repository.py | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/ansible/modules/yum_repository.py b/lib/ansible/modules/yum_repository.py index b465b9f5b1d..03884323d88 100644 --- a/lib/ansible/modules/yum_repository.py +++ b/lib/ansible/modules/yum_repository.py 
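Review bot: `version_added: 2.19` is unquoted here while dnf.py uses `"2.19"` and yum_repository.py uses `'2.19'`; YAML loads the bare form as a float, which happens to round-trip for 2.19 but would silently turn a version such as 2.10 into 2.1. Quote it for consistency with the other two modules: `version_added: "2.19"`.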
@@ -340,6 +340,7 @@ options: description: - Defines whether SSL certificate revocation status checking should be done for the repository server. type: bool + version_added: '2.19' state: description: - State of the repo file.