From a2677fd0512a093269792613b0516c76361f53a7 Mon Sep 17 00:00:00 2001 From: Raul Gabriel Verdi <95469166+raul-verdi@users.noreply.github.com> Date: Sun, 24 Jul 2022 19:09:58 +0900 Subject: [PATCH] Expose unredirected_headers on maven_artifact (#4812) * Expose unredirected_headers to module In some cases, when the initial request returns a redirect and we want to follow it to get the artifact, we might not want to include certain headers in the redirection request. Specially headers like Authorization and Cookies. Or perhaps the redirect server returns a 400 because it included some unexpected headers. Fetch url already supports this feature, but it was being shadowed by maven_artifact. In here we just expose it. * Fix Linting errors * Applied Comments - Specified version added - Changed description of unredirected_headers * Check for ansible version If it's 2.11 or older, we ignore unredirected_headers, otherwise we use it, as fetch_url has them * Applied comments - Removed duplicated code in the call of fetch_url. Used kwargs instead - Added check if unredirected_params is not empty and the fetch_url function does not support it - Changed function that checks for ansible version - Removed unused import * Remove 2.11 breaking change Made default only for ansible-core version 2.12 and above, but for keep it empty for ansible-core version 2.11 and below. Also include the following changes: - change doc to use C() on the function description - changed doc to use ansible-core instead of Ansible * Changes in description for readability * Add changelog fragment * Change description changelog fragment --- .../4812-expose-unredirected-headers.yml | 2 ++ .../packaging/language/maven_artifact.py | 31 ++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/4812-expose-unredirected-headers.yml 
diff --git a/changelogs/fragments/4812-expose-unredirected-headers.yml b/changelogs/fragments/4812-expose-unredirected-headers.yml
new file mode 100644
index 0000000000..c0bfe536b8
--- /dev/null
+++ b/changelogs/fragments/4812-expose-unredirected-headers.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - maven_artifact - add a new ``unredirected_headers`` option that can be used with ansible-core 2.12 and above. The default value is to not use ``Authorization`` and ``Cookie`` headers on redirects for security reasons. With ansible-core 2.11, all headers are still passed on for redirects (https://github.com/ansible-collections/community.general/pull/4812).
diff --git a/plugins/modules/packaging/language/maven_artifact.py b/plugins/modules/packaging/language/maven_artifact.py
index eee3e2f67d..a9c4232baa 100644
--- a/plugins/modules/packaging/language/maven_artifact.py
+++ b/plugins/modules/packaging/language/maven_artifact.py
@@ -150,6 +150,15 @@ options:
 default: 'md5'
 choices: ['md5', 'sha1']
 version_added: 3.2.0
+ unredirected_headers:
+ type: list
+ elements: str
+ version_added: 5.2.0
+ description:
+ - A list of headers that should not be included in the redirection. This headers are sent to the fetch_url C(fetch_url) function.
+ - On ansible-core version 2.12 or later, the default of this option is C([Authorization, Cookie]).
+ - Useful if the redirection URL does not need to have sensitive headers in the request.
+ - Requires ansible-core version 2.12 or later.
 directory_mode:
 type: str
 description:
@@ -230,6 +239,7 @@ import tempfile
 import traceback
 import re
+from ansible_collections.community.general.plugins.module_utils.version import LooseVersion
 from ansible.module_utils.ansible_release import __version__ as ansible_version
 from re import match
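Review bot: The new `unredirected_headers` description says the option requires ansible-core 2.12 but never states what happens on older versions, which is the part a user protecting credentials needs to know. Per the changelog fragment in this same patch, with ansible-core 2.11 all headers are still passed on for redirects, so I would add an entry such as `- With ansible-core 2.11 this option cannot be set, and all headers, including C(Authorization) and C(Cookie), are still sent on redirects.` The first entry also names the function twice; `These headers are passed to the C(fetch_url) function.` says the same thing cleanly. The description is silent on an explicitly empty list as well; from the checks added in main() it appears to switch the default off, which deserves a sentence if that is intended.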
@@ -509,7 +519,18 @@ class MavenDownloader:
 self.module.params['url_password'] = self.module.params.get('password', '')
 self.module.params['http_agent'] = self.user_agent
- response, info = fetch_url(self.module, url_to_use, timeout=req_timeout, headers=self.headers)
+ kwargs = {}
+ if self.module.params['unredirected_headers']:
+ kwargs['unredirected_headers'] = self.module.params['unredirected_headers']
+
+ response, info = fetch_url(
+ self.module,
+ url_to_use,
+ timeout=req_timeout,
+ headers=self.headers,
+ **kwargs
+ )
+
 if info['status'] == 200:
 return response
 if force:
@@ -614,12 +635,20 @@ def main():
 keep_name=dict(required=False, default=False, type='bool'),
 verify_checksum=dict(required=False, default='download', choices=['never', 'download', 'change', 'always']),
 checksum_alg=dict(required=False, default='md5', choices=['md5', 'sha1']),
+ unredirected_headers=dict(type='list', elements='str', required=False),
 directory_mode=dict(type='str'),
 ),
 add_file_common_args=True,
 mutually_exclusive=([('version', 'version_by_spec')])
 )
+ if LooseVersion(ansible_version) < LooseVersion("2.12") and module.params['unredirected_headers']:
+ module.fail_json(msg="Unredirected Headers parameter provided, but your ansible-core version does not support it. Minimum version is 2.12")
+
+ if LooseVersion(ansible_version) >= LooseVersion("2.12") and module.params['unredirected_headers'] is None:
+ # if the user did not supply unredirected params, we use the default, ONLY on ansible core 2.12 and above
+ module.params['unredirected_headers'] = ['Authorization', 'Cookie']
+
 if not HAS_LXML_ETREE:
 module.fail_json(msg=missing_required_lib('lxml'), exception=LXML_ETREE_IMP_ERR)
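Review bot: The reason for routing the argument through `kwargs` is not stated at the call site in the MavenDownloader hunk, so a later cleanup could turn it back into a plain keyword argument and break the module on older ansible-core. A one-line comment above `kwargs = {}` would prevent that, for example `# fetch_url() only accepts unredirected_headers on ansible-core 2.12+, so pass it only when it is set`. The truthiness test also means an empty list is never forwarded; that looks deliberate, and the same comment is the place to say so. The enclosing method starts and ends outside the hunk.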
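Review bot: An explicit empty list bypasses the new default in the main() hunk: the `is None` test treats `[]` as supplied, and the request code forwards only a non-empty list, so `unredirected_headers: []` appears to leave `Authorization` and `Cookie` on the redirected request. If that is the intended opt-out, the comment should say it, e.g. `# None means "not supplied"; an explicit empty list keeps all headers on redirects`; if it is not, test `not module.params['unredirected_headers']` instead of `is None`. Separately, on ansible-core below 2.12 the module keeps forwarding those headers with no signal to the user, and a `module.warn(...)` on that path when credentials or custom headers are configured would make the gap visible. main() continues outside the hunk.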