Expose unredirected_headers on maven_artifact (#4812)

* Expose unredirected_headers to module In some cases, when the initial request returns a redirect and we want to follow it to get the artifact, we might not want to include certain headers in the redirection request. Specially headers like Authorization and Cookies. Or perhaps the redirect server returns a 400 because it included some unexpected headers. Fetch url already supports this feature, but it was being shadowed by maven_artifact. In here we just expose it. * Fix Linting errors * Applied Comments - Specified version added - Changed description of unredirected_headers * Check for ansible version If it's 2.11 or older, we ignore unredirected_headers, otherwise we use it, as fetch_url has them * Applied comments - Removed duplicated code in the call of fetch_url. Used kwargs instead - Added check if unredirected_params is not empty and the fetch_url function does not support it - Changed function that checks for ansible version - Removed unused import * Remove 2.11 breaking change Made default only for ansible-core version 2.12 and above, but for keep it empty for ansible-core version 2.11 and below. Also include the following changes: - change doc to use C() on the function description - changed doc to use ansible-core instead of Ansible * Changes in description for readability * Add changelog fragment * Change description changelog fragment
2024-09-14 20:13:21 +02:00 · 2022-07-24 19:09:58 +09:00 · 2022-07-24 19:09:58 +09:00 · a2677fd051
commit a2677fd051
parent 31ef6c914b
2 changed files with 32 additions and 1 deletions
--- a/changelogs/fragments/4812-expose-unredirected-headers.yml
+++ b/changelogs/fragments/4812-expose-unredirected-headers.yml
@ -0,0 +1,2 @@
+minor_changes:
+  - maven_artifact - add a new ``unredirected_headers`` option that can be used with ansible-core 2.12 and above. The default value is to not use ``Authorization`` and ``Cookie`` headers on redirects for security reasons. With ansible-core 2.11, all headers are still passed on for redirects (https://github.com/ansible-collections/community.general/pull/4812).
--- a/plugins/modules/packaging/language/maven_artifact.py
+++ b/plugins/modules/packaging/language/maven_artifact.py
@ -150,6 +150,15 @@ options:
        default: 'md5'
        choices: ['md5', 'sha1']
        version_added: 3.2.0
+    unredirected_headers:
+        type: list
+        elements: str
+        version_added: 5.2.0
+        description:
+            - A list of headers that should not be included in the redirection. This headers are sent to the fetch_url C(fetch_url) function.
+            - On ansible-core version 2.12 or later, the default of this option is C([Authorization, Cookie]).
+            - Useful if the redirection URL does not need to have sensitive headers in the request.
+            - Requires ansible-core version 2.12 or later.
    directory_mode:
        type: str
        description:
@ -230,6 +239,7 @@ import tempfile
 import traceback
 import re

+from ansible_collections.community.general.plugins.module_utils.version import LooseVersion
 from ansible.module_utils.ansible_release import __version__ as ansible_version
 from re import match

@ -509,7 +519,18 @@ class MavenDownloader:
        self.module.params['url_password'] = self.module.params.get('password', '')
        self.module.params['http_agent'] = self.user_agent

-        response, info = fetch_url(self.module, url_to_use, timeout=req_timeout, headers=self.headers)
+        kwargs = {}
+        if self.module.params['unredirected_headers']:
+            kwargs['unredirected_headers'] = self.module.params['unredirected_headers']
+
+        response, info = fetch_url(
+            self.module,
+            url_to_use,
+            timeout=req_timeout,
+            headers=self.headers,
+            **kwargs
+        )
+
        if info['status'] == 200:
            return response
        if force:
@ -614,12 +635,20 @@ def main():
            keep_name=dict(required=False, default=False, type='bool'),
            verify_checksum=dict(required=False, default='download', choices=['never', 'download', 'change', 'always']),
            checksum_alg=dict(required=False, default='md5', choices=['md5', 'sha1']),
+            unredirected_headers=dict(type='list', elements='str', required=False),
            directory_mode=dict(type='str'),
        ),
        add_file_common_args=True,
        mutually_exclusive=([('version', 'version_by_spec')])
    )

+    if LooseVersion(ansible_version) < LooseVersion("2.12") and module.params['unredirected_headers']:
+        module.fail_json(msg="Unredirected Headers parameter provided, but your ansible-core version does not support it. Minimum version is 2.12")
+
+    if LooseVersion(ansible_version) >= LooseVersion("2.12") and module.params['unredirected_headers'] is None:
+        # if the user did not supply unredirected params, we use the default, ONLY on ansible core 2.12 and above
+        module.params['unredirected_headers'] = ['Authorization', 'Cookie']
+
    if not HAS_LXML_ETREE:
        module.fail_json(msg=missing_required_lib('lxml'), exception=LXML_ETREE_IMP_ERR)