# Test code for the file module. # (c) 2014, Richard Isaacson # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . - name: Determine if python looks like it will support modern ssl features like SNI command: python -c 'from ssl import SSLContext' ignore_errors: True register: python_test - name: Set python_has_sslcontext if we have it set_fact: python_has_ssl_context: True when: python_test.rc == 0 - name: Set python_has_sslcontext False if we don't have it set_fact: python_has_ssl_context: False when: python_test.rc != 0 - name: test https fetch get_url: url="https://raw.githubusercontent.com/ansible/ansible/devel/README.md" dest={{output_dir}}/get_url.txt force=yes register: result - name: assert the get_url call was successful assert: that: - result.changed - '"OK" in result.msg' - name: test https fetch to a site with mismatched hostname and certificate get_url: url: "https://www.kennethreitz.org/" dest: "{{ output_dir }}/shouldnotexist.html" ignore_errors: True register: result # kennethreitz having trouble staying up. Eventually need to install our own # certs & web server to test this... also need to install and test it with # a proxy so the complications are inevitable until: "'read operation timed out' not in result.msg" retries: 30 delay: 10 - stat: path: "{{ output_dir }}/shouldnotexist.html" register: stat_result - name: Assert that the file was not downloaded assert: that: - "result.failed == true" - "'Certificate does not belong to ' in result.msg" - "stat_result.stat.exists == false" - name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no get_url: url: "https://www.kennethreitz.org/" dest: "{{ output_dir }}/kreitz.html" validate_certs: no register: result until: "'read operation timed out' not in result.msg" retries: 30 delay: 10 - stat: path: "{{ output_dir }}/kreitz.html" register: stat_result - name: Assert that the file was downloaded assert: that: - "result.changed == true" - "stat_result.stat.exists == true" # At the moment, AWS can't make an https request to velox.ch... connection # timed out. So we'll use a different test until/unless the problem is resolved ## SNI Tests ## SNI is only built into the stdlib from python-2.7.9 onwards #- name: Test that SNI works # get_url: # # A test site that returns a page with information on what SNI information # # the client sent. A failure would have the string: did not send a TLS server name indication extension # url: 'https://foo.sni.velox.ch/' # dest: "{{ output_dir }}/sni.html" # register: get_url_result # ignore_errors: True # #- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html" # register: data_result # when: "{{ python_has_ssl_context }}" # #- debug: var=get_url_result #- name: Assert that SNI works with this python version # assert: # that: # - 'data_result.rc == 0' # - '"failed" not in get_url_result' # when: "{{ python_has_ssl_context }}" # ## If the client doesn't support SNI then get_url should have failed with a certificate mismatch #- name: Assert that hostname verification failed because SNI is not supported on this version of python # assert: # that: # - 'get_url_result["failed"]' # when: "{{ not python_has_ssl_context }}" # These tests are just side effects of how the site is hosted. It's not # specifically a test site. So the tests may break due to the hosting changing - name: Test that SNI works get_url: url: 'https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing' dest: "{{ output_dir }}/sni.html" register: get_url_result ignore_errors: True - command: "grep '

If You Can Read This, You're SNIing

' {{ output_dir}}/sni.html" register: data_result when: "{{ python_has_ssl_context }}" - debug: var=get_url_result - name: Assert that SNI works with this python version assert: that: - 'data_result.rc == 0' - '"failed" not in get_url_result' when: "{{ python_has_ssl_context }}" # If the client doesn't support SNI then get_url should have failed with a certificate mismatch - name: Assert that hostname verification failed because SNI is not supported on this version of python assert: that: - 'get_url_result["failed"]' when: "{{ not python_has_ssl_context }}" # End hacky SNI test section