Allow ca_path to point to a bundle (#75894)

* Allow ca_path to point to a bundle. Fixes #75015
3 years ago · 8510db4935
parent 23b9d197eb
commit 8510db4935
3 changed files with 42 additions and 8 deletions
--- a/changelogs/fragments/75015-ca-path-bundle.yml
+++ b/changelogs/fragments/75015-ca-path-bundle.yml
@ -0,0 +1,3 @@
+bugfixes:
+- urls - Allow ``ca_path`` to point to a bundle containing multiple PEM certs
+  (https://github.com/ansible/ansible/issues/75015)
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@ -475,6 +475,11 @@ zKPZsZ2miVGclicJHzm5q080b1p/sZtuKIEZk6vZqEg=
 -----END CERTIFICATE-----
 """

+b_PEM_CERT_RE = re.compile(
+    br'^-----BEGIN CERTIFICATE-----\n.+?-----END CERTIFICATE-----$',
+    flags=re.M | re.S
+)
+
 #
 # Exceptions
 #
@ -745,6 +750,11 @@ def generic_urlparse(parts):
    return generic_parts


+def extract_pem_certs(b_data):
+    for match in b_PEM_CERT_RE.finditer(b_data):
+        yield match.group(0)
+
+
 class RequestWithMethod(urllib_request.Request):
    '''
    Workaround for using DELETE/PUT/etc with urllib2
@ -918,11 +928,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
            paths_checked = [self.ca_path]
            with open(to_bytes(self.ca_path, errors='surrogate_or_strict'), 'rb') as f:
                if HAS_SSLCONTEXT:
-                    cadata.extend(
-                        ssl.PEM_cert_to_DER_cert(
-                            to_native(f.read(), errors='surrogate_or_strict')
+                    for b_pem in extract_pem_certs(f.read()):
+                        cadata.extend(
+                            ssl.PEM_cert_to_DER_cert(
+                                to_native(b_pem, errors='surrogate_or_strict')
+                            )
                        )
-                    )
            return self.ca_path, cadata, paths_checked

        if not HAS_SSLCONTEXT:
@ -981,11 +992,12 @@ class SSLValidationHandler(urllib_request.BaseHandler):
                                    b_cert = cert_file.read()
                                if HAS_SSLCONTEXT:
                                    try:
-                                        cadata.extend(
-                                            ssl.PEM_cert_to_DER_cert(
-                                                to_native(b_cert, errors='surrogate_or_strict')
+                                        for b_pem in extract_pem_certs(b_cert):
+                                            cadata.extend(
+                                                ssl.PEM_cert_to_DER_cert(
+                                                    to_native(b_pem, errors='surrogate_or_strict')
+                                                )
                                            )
-                                        )
                                    except Exception:
                                        continue
                                else:
--- a/test/integration/targets/uri/tasks/main.yml
+++ b/test/integration/targets/uri/tasks/main.yml
@ -173,6 +173,25 @@
      - result is failed
      - "'certificate verify failed' in result.msg"

+- name: Locate ca-bundle
+  stat:
+    path: '{{ item }}'
+  loop:
+    - /etc/ssl/certs/ca-bundle.crt
+    - /etc/ssl/certs/ca-certificates.crt
+    - /var/lib/ca-certificates/ca-bundle.pem
+    - /usr/local/share/certs/ca-root-nss.crt
+    - '{{ macos_cafile.stdout_lines|default(["/_i_dont_exist_ca.pem"])|first }}'
+    - /etc/ssl/cert.pem
+  register: ca_bundle_candidates
+
+- name: Test that ca_path can be a full bundle
+  uri:
+    url: "https://{{ httpbin_host }}/get"
+    ca_path: '{{ ca_bundle }}'
+  vars:
+    ca_bundle: '{{ ca_bundle_candidates.results|selectattr("stat.exists")|map(attribute="item")|first }}'
+
 - name: test redirect without follow_redirects
  uri:
    url: 'https://{{ httpbin_host }}/redirect/2'