From 1beabef60e541cf290927a3332150dab1e010b34 Mon Sep 17 00:00:00 2001
From: Michael Williams
Date: Mon, 27 Jul 2020 04:33:08 -0500
Subject: [PATCH] Shameless recommit of changes in jesstruck/ansible:jenkins_plugins_sha1 (#677)
* Shameless recommit of changes in jesstruck/ansible:jenkins_plugins_sha1
* Add changelog fragment.
* Change variable name to remove reference to sha1 Also, update changelog fragment typos/style.
* Update changelog fragment typos/style.
---
 .../fragments/677-jenkins_plugins_sha1.yaml | 5 ++++
 .../web_infrastructure/jenkins_plugin.py | 29 ++++++-------------
 2 files changed, 14 insertions(+), 20 deletions(-)
 create mode 100644 changelogs/fragments/677-jenkins_plugins_sha1.yaml
diff --git a/changelogs/fragments/677-jenkins_plugins_sha1.yaml b/changelogs/fragments/677-jenkins_plugins_sha1.yaml
new file mode 100644
index 0000000000..2a39a1cd6d
--- /dev/null
+++ b/changelogs/fragments/677-jenkins_plugins_sha1.yaml
@@ -0,0 +1,5 @@
+---
+bugfixes:
+ - jenkins_plugin - replace MD5 checksum verification with SHA1 due to MD5
+ being disabled on systems with FIPS-only algorithms enabled
+ (https://github.com/ansible/ansible/issues/34304).
diff --git a/plugins/modules/web_infrastructure/jenkins_plugin.py b/plugins/modules/web_infrastructure/jenkins_plugin.py
index 3364dd6390..8327a27786 100644
--- a/plugins/modules/web_infrastructure/jenkins_plugin.py
+++ b/plugins/modules/web_infrastructure/jenkins_plugin.py
@@ -429,12 +429,12 @@ class JenkinsPlugin(object): self.module.fail_json( msg="Jenkins home directory doesn't exist.") - md5sum_old = None + checksum_old = None if os.path.isfile(plugin_file): # Make the checksum of the currently installed plugin - with open(plugin_file, 'rb') as md5_plugin_fh: - md5_plugin_content = md5_plugin_fh.read() - md5sum_old = hashlib.md5(md5_plugin_content).hexdigest() + with open(plugin_file, 'rb') as plugin_fh: + plugin_content = plugin_fh.read() + checksum_old = hashlib.sha1(plugin_content).hexdigest() if self.params['version'] in [None, 'latest']: # Take latest version @@ -454,13 +454,13 @@ class JenkinsPlugin(object): if ( self.params['updates_expiration'] == 0 or self.params['version'] not in [None, 'latest'] or - md5sum_old is None): + checksum_old is None): # Download the plugin file directly r = self._download_plugin(plugin_url) # Write downloaded plugin into file if checksums don't match - if md5sum_old is None: + if checksum_old is None: # No previously installed plugin if not self.module.check_mode: self._write_file(plugin_file, r) @@ -471,11 +471,11 @@ class JenkinsPlugin(object): data = r.read() # Make new checksum - md5sum_new = hashlib.md5(data).hexdigest() + checksum_new = hashlib.sha1(data).hexdigest() # If the checksum is different from the currently installed # plugin, store the new plugin - if md5sum_old != md5sum_new: + if checksum_old != checksum_new: if not self.module.check_mode: self._write_file(plugin_file, data) 
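Review bot: The SHA-1 values introduced here and in the hunk at -471 only detect whether the installed file differs from the downloaded one, and the code should say so, because nothing visible in these hunks checks the downloaded bytes against a published digest before `_write_file`. Suggested comment above the `with open(plugin_file, 'rb')` line: `# SHA-1 is used for change detection only, not to authenticate the plugin.` If the integrity of the download matters, that needs a separate comparison of the new data against the digest from the updates JSON, which is not in view here. The enclosing method begins and ends outside the hunk.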
@@ -484,19 +484,8 @@ class JenkinsPlugin(object): # Check for update from the updates JSON file plugin_data = self._download_updates() - try: - with open(plugin_file, 'rb') as sha1_plugin_fh: - sha1_plugin_content = sha1_plugin_fh.read() - sha1_old = hashlib.sha1(sha1_plugin_content) - except Exception as e: - self.module.fail_json( - msg="Cannot calculate SHA1 of the old plugin.", - details=to_native(e)) - - sha1sum_old = base64.b64encode(sha1_old.digest()) - # If the latest version changed, download it - if sha1sum_old != to_bytes(plugin_data['sha1']): + if checksum_old != to_bytes(plugin_data['sha1']): if not self.module.check_mode: r = self._download_plugin(plugin_url) self._write_file(plugin_file, r)
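Review bot: The new comparison `checksum_old != to_bytes(plugin_data['sha1'])` pairs a hex string with what the removed code treated as a base64-encoded digest, so it can never report equality. `checksum_old` comes from `hashlib.sha1(plugin_content).hexdigest()` in the first hunk, while the deleted lines compared `base64.b64encode(sha1_old.digest())` against the same field; on Python 3 a `str` also never equals `bytes`. The likely effect is that every run on this path downloads and rewrites the plugin and reports a change, so the published digest no longer decides anything. Assuming `plugin_content` from the first hunk is still in scope here, keep a base64 form for this branch, e.g. `sha1_old_b64 = base64.b64encode(hashlib.sha1(plugin_content).digest())` and `if sha1_old_b64 != to_bytes(plugin_data['sha1']):`. The enclosing method starts and ends outside the hunk.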