plugins/inventory/lxd: add server_cert option (#7392)
* plugins/module_utils/lxd: add server_cert_file and server_check_hostname params to LXDClient class Signed-off-by: Simon Deziel <simon.deziel@canonical.com> * plugins/inventory/lxd: add server_cert and server_check_hostname options Signed-off-by: Simon Deziel <simon.deziel@canonical.com> * Add changelog fragment Signed-off-by: Simon Deziel <simon.deziel@canonical.com> --------- Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
This commit is contained in:
parent
c7150dd818
commit
58846a6203
3 changed files with 29 additions and 2 deletions
3
changelogs/fragments/7392-lxd-inventory-server-cert.yml
Normal file
3
changelogs/fragments/7392-lxd-inventory-server-cert.yml
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
minor_changes:
|
||||||
|
- lxd inventory plugin - add ``server_cert`` option for trust anchor to use for TLS verification of server certificates (https://github.com/ansible-collections/community.general/pull/7392).
|
||||||
|
- lxd inventory plugin - add ``server_check_hostname`` option to disable hostname verification of server certificates (https://github.com/ansible-collections/community.general/pull/7392).
|
|
@ -41,6 +41,20 @@ DOCUMENTATION = r'''
|
||||||
aliases: [ cert_file ]
|
aliases: [ cert_file ]
|
||||||
default: $HOME/.config/lxc/client.crt
|
default: $HOME/.config/lxc/client.crt
|
||||||
type: path
|
type: path
|
||||||
|
server_cert:
|
||||||
|
description:
|
||||||
|
- The server certificate file path.
|
||||||
|
type: path
|
||||||
|
version_added: 8.0.0
|
||||||
|
server_check_hostname:
|
||||||
|
description:
|
||||||
|
- This option controls if the server's hostname is checked as part of the HTTPS connection verification.
|
||||||
|
This can be useful to disable, if for example, the server certificate provided (see O(server_cert) option)
|
||||||
|
does not cover a name matching the one used to communicate with the server. Such mismatch is common as LXD
|
||||||
|
generates self-signed server certificates by default.
|
||||||
|
type: bool
|
||||||
|
default: true
|
||||||
|
version_added: 8.0.0
|
||||||
trust_password:
|
trust_password:
|
||||||
description:
|
description:
|
||||||
- The client trusted password.
|
- The client trusted password.
|
||||||
|
@ -286,7 +300,7 @@ class InventoryModule(BaseInventoryPlugin):
|
||||||
urls = (url for url in url_list if self.validate_url(url))
|
urls = (url for url in url_list if self.validate_url(url))
|
||||||
for url in urls:
|
for url in urls:
|
||||||
try:
|
try:
|
||||||
socket_connection = LXDClient(url, self.client_key, self.client_cert, self.debug)
|
socket_connection = LXDClient(url, self.client_key, self.client_cert, self.debug, self.server_cert, self.server_check_hostname)
|
||||||
return socket_connection
|
return socket_connection
|
||||||
except LXDClientException as err:
|
except LXDClientException as err:
|
||||||
error_storage[url] = err
|
error_storage[url] = err
|
||||||
|
@ -1078,6 +1092,8 @@ class InventoryModule(BaseInventoryPlugin):
|
||||||
try:
|
try:
|
||||||
self.client_key = self.get_option('client_key')
|
self.client_key = self.get_option('client_key')
|
||||||
self.client_cert = self.get_option('client_cert')
|
self.client_cert = self.get_option('client_cert')
|
||||||
|
self.server_cert = self.get_option('server_cert')
|
||||||
|
self.server_check_hostname = self.get_option('server_check_hostname')
|
||||||
self.project = self.get_option('project')
|
self.project = self.get_option('project')
|
||||||
self.debug = self.DEBUG
|
self.debug = self.DEBUG
|
||||||
self.data = {} # store for inventory-data
|
self.data = {} # store for inventory-data
|
||||||
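Review bot: The `server_cert` description added in the hunk at `@ -41,6 +41,20` reads only `- The server certificate file path.`, which does not say what the file is used for; the changelog calls it a trust anchor, so the option text should too, e.g. `- The server certificate file path, used as the trust anchor when verifying the LXD server's TLS certificate.` The `server_check_hostname` description should also state what happens when it is set to false without O(server_cert): hostname verification is then skipped against whatever the default SSL context already trusts, and a reader may otherwise assume the option only matters together with O(server_cert). In the hunk at `@ -286,7 +300,7` the two new values are passed positionally; passing them as keywords, `LXDClient(url, self.client_key, self.client_cert, self.debug, server_cert_file=self.server_cert, server_check_hostname=self.server_check_hostname)`, keeps the call readable if the signature grows again. The methods enclosing the hunks at `@ -286` and `@ -1078` start and end outside the hunks.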
|
|
|
@ -41,7 +41,7 @@ class LXDClientException(Exception):
|
||||||
|
|
||||||
|
|
||||||
class LXDClient(object):
|
class LXDClient(object):
|
||||||
def __init__(self, url, key_file=None, cert_file=None, debug=False):
|
def __init__(self, url, key_file=None, cert_file=None, debug=False, server_cert_file=None, server_check_hostname=True):
|
||||||
"""LXD Client.
|
"""LXD Client.
|
||||||
|
|
||||||
:param url: The URL of the LXD server. (e.g. unix:/var/lib/lxd/unix.socket or https://127.0.0.1)
|
:param url: The URL of the LXD server. (e.g. unix:/var/lib/lxd/unix.socket or https://127.0.0.1)
|
||||||
|
@ -52,6 +52,10 @@ class LXDClient(object):
|
||||||
:type cert_file: ``str``
|
:type cert_file: ``str``
|
||||||
:param debug: The debug flag. The request and response are stored in logs when debug is true.
|
:param debug: The debug flag. The request and response are stored in logs when debug is true.
|
||||||
:type debug: ``bool``
|
:type debug: ``bool``
|
||||||
|
:param server_cert_file: The path of the server certificate file.
|
||||||
|
:type server_cert_file: ``str``
|
||||||
|
:param server_check_hostname: Whether to check the server's hostname as part of TLS verification.
|
||||||
|
:type debug: ``bool``
|
||||||
"""
|
"""
|
||||||
self.url = url
|
self.url = url
|
||||||
self.debug = debug
|
self.debug = debug
|
||||||
|
@ -61,6 +65,10 @@ class LXDClient(object):
|
||||||
self.key_file = key_file
|
self.key_file = key_file
|
||||||
parts = generic_urlparse(urlparse(self.url))
|
parts = generic_urlparse(urlparse(self.url))
|
||||||
ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
|
ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
|
||||||
|
if server_cert_file:
|
||||||
|
# Check that the received cert is signed by the provided server_cert_file
|
||||||
|
ctx.load_verify_locations(cafile=server_cert_file)
|
||||||
|
ctx.check_hostname = server_check_hostname
|
||||||
ctx.load_cert_chain(cert_file, keyfile=key_file)
|
ctx.load_cert_chain(cert_file, keyfile=key_file)
|
||||||
self.connection = HTTPSConnection(parts.get('netloc'), context=ctx)
|
self.connection = HTTPSConnection(parts.get('netloc'), context=ctx)
|
||||||
elif url.startswith('unix:'):
|
elif url.startswith('unix:'):
|
||||||
|
|
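Review bot: The docstring line added in the hunk at `@ -52,6 +52,10` for the new parameter reads `:type debug: ``bool``` (a copy of the line above it) and should be `:type server_check_hostname: ``bool```. In the hunk at `@ -61,6 +65,10`, `ssl.create_default_context(ssl.Purpose.SERVER_AUTH)` already loads the platform CA bundle, so the later `ctx.load_verify_locations(cafile=server_cert_file)` adds the server certificate to that store rather than making it the only trust anchor; if exclusive trust is the intent, build the context as `ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_cert_file)` and drop the `if server_cert_file:` block, since `create_default_context` only loads the default CAs when no `cafile` is given. `ctx.check_hostname = server_check_hostname` is applied even when no `server_cert_file` was supplied, which with the default trust store accepts a certificate issued by any trusted CA for any name; that combination should at least be documented in the docstring, or `server_check_hostname=False` honored only together with `server_cert_file`. `__init__` continues past the end of the hunk.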