From cb2f0d6f54e4dd31d73c9c16177285a1c2eb0215 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 26 Aug 2020 23:10:06 +0200
Subject: [PATCH] Ensure boto3 verify parameter isn't overridden by setting a profile (#147)

* Ensure boto3 verify parameter isn't overridden by setting a profile
fixes: https://github.com/ansible-collections/amazon.aws/issues/129
* Add regression tests
* Fix deprecation warning in test
* changelog fragment
---
 .../fragments/129-verify_overridden.yml | 2 +
 plugins/module_utils/ec2.py | 9 ++--
 .../tasks/ca_bundle.yml | 44 +++++++++++++++++++
 3 files changed, 51 insertions(+), 4 deletions(-)
 create mode 100644 changelogs/fragments/129-verify_overridden.yml

diff --git a/changelogs/fragments/129-verify_overridden.yml b/changelogs/fragments/129-verify_overridden.yml
new file mode 100644
index 00000000000..ea8e5b212d6
--- /dev/null
+++ b/changelogs/fragments/129-verify_overridden.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- ec2 module_utils - Ensure boto3 verify parameter isn't overridden by setting a profile (https://github.com/ansible-collections/amazon.aws/issues/129)
diff --git a/plugins/module_utils/ec2.py b/plugins/module_utils/ec2.py
index 37a9e2ac642..d354e088b49 100644
--- a/plugins/module_utils/ec2.py
+++ b/plugins/module_utils/ec2.py
@@ -323,15 +323,16 @@ def get_aws_connection_info(module, boto3=False):
 boto_params = dict(aws_access_key_id=access_key,
 aws_secret_access_key=secret_key,
 aws_session_token=security_token)
- if validate_certs and ca_bundle:
- boto_params['verify'] = ca_bundle
- else:
- boto_params['verify'] = validate_certs

 if profile_name:
 boto_params = dict(aws_access_key_id=None, aws_secret_access_key=None, aws_session_token=None)
 boto_params['profile_name'] = profile_name

+ if validate_certs and ca_bundle:
+ boto_params['verify'] = ca_bundle
+ else:
+ boto_params['verify'] = validate_certs
+
 else:
 boto_params = dict(aws_access_key_id=access_key,
 aws_secret_access_key=secret_key,
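Review bot: The relocated `verify` block still passes boto3 an explicit `verify=True` whenever validation is on and no `aws_ca_bundle` was supplied, now also inside the `profile_name` branch; if botocore gives an explicit `verify` value precedence over the `ca_bundle` key of the selected profile's config file (worth confirming against the botocore version the collection pins), a per-profile bundle would be silently bypassed in favour of the default trust store, which is the same class of bug this commit fixes for the module parameter. Consider setting `verify` only when the module actually decided something, e.g. `if validate_certs and ca_bundle: boto_params['verify'] = ca_bundle` / `elif not validate_certs: boto_params['verify'] = False`, leaving it unset otherwise so profile and config resolution still applies. Either way the three outcomes deserve a comment, because `False` disables TLS certificate checking entirely and discards any bundle that was supplied: `# verify: bundle path (validation on + aws_ca_bundle), True (default trust store), or False (no TLS verification at all)`. `get_aws_connection_info` starts and ends outside the hunk, so whether the non-boto3 `else` branch that follows handles `verify`/`ca_bundle` at all is not visible here.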
diff --git a/tests/integration/targets/module_utils_core/roles/ansibleawsmodule.client/tasks/ca_bundle.yml b/tests/integration/targets/module_utils_core/roles/ansibleawsmodule.client/tasks/ca_bundle.yml
index 514941fdf98..7ad4e7a34d2 100644
--- a/tests/integration/targets/module_utils_core/roles/ansibleawsmodule.client/tasks/ca_bundle.yml
+++ b/tests/integration/targets/module_utils_core/roles/ansibleawsmodule.client/tasks/ca_bundle.yml
@@ -9,11 +9,13 @@
 copy:
 src: 'amazonroot.pem'
 dest: '{{ ca_tmp.path }}/amazonroot.pem'
+ mode: 0644

 - name: 'Ensure we have a another CA (ISRG-X1) bundle available to us'
 copy:
 src: 'isrg-x1.pem'
 dest: '{{ ca_tmp.path }}/isrg-x1.pem'
+ mode: 0644

 ##################################################################################
 # Test disabling cert validation (make sure we don't error)
@@ -156,3 +158,45 @@
 - assert:
 that:
 - isrg_ca_result is successful
+
+##################################################################################
+# https://github.com/ansible-collections/amazon.aws/issues/129
+- name: 'Test CA bundle is used when authenticating with a profile - implied validation'
+ example_module:
+ profile: 'test_profile'
+ aws_ca_bundle: '{{ ca_tmp.path }}/isrg-x1.pem'
+ register: isrg_ca_result
+ ignore_errors: yes
+
+- assert:
+ that:
+ - isrg_ca_result is failed
+ # Caught when we try to do something, and passed to fail_json_aws
+ - '"CERTIFICATE_VERIFY_FAILED" in isrg_ca_result.msg'
+ - '"Fail JSON AWS" in isrg_ca_result.msg'
+
+- name: 'Test CA bundle is used when authenticating with a profile - explicit validation'
+ example_module:
+ profile: 'test_profile'
+ aws_ca_bundle: '{{ ca_tmp.path }}/isrg-x1.pem'
+ validate_certs: True
+ register: isrg_ca_result
+ ignore_errors: yes
+
+- assert:
+ that:
+ - isrg_ca_result is failed
+ # Caught when we try to do something, and passed to fail_json_aws
+ - '"CERTIFICATE_VERIFY_FAILED" in isrg_ca_result.msg'
+ - '"Fail JSON AWS" in isrg_ca_result.msg'
+
+- name: 'Test CA bundle is used when authenticating with a profile - explicitly disable validation'
+ example_module:
+ profile: 'test_profile'
+ aws_ca_bundle: '{{ ca_tmp.path }}/isrg-x1.pem'
+ validate_certs: False
+ register: isrg_ca_result
+
+- assert:
+ that:
+ - isrg_ca_result is success
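Review bot: The final case (`validate_certs: False` plus a profile and the ISRG bundle) asserts only `isrg_ca_result is success`, which shows the unusable bundle was not applied but cannot tell `verify=False` apart from `verify` being dropped altogether and the default trust store being used, so it is a weaker regression guard than the two failing cases above it. If `example_module` can report the `verify` value the client was built with, asserting on that would pin the intended behaviour; otherwise a comment above the task, e.g. `# validate_certs: False must win over aws_ca_bundle - the ISRG root cannot validate AWS endpoints, so success means the bundle was not applied`, would at least record why success is the expected outcome. The two failing cases rely on `example_module` actually making an API call (per the "Caught when we try to do something" comment) and on a `test_profile` being set up earlier in the role; both are outside this hunk, so a prior baseline task proving `profile: 'test_profile'` works without a bundle would make a `CERTIFICATE_VERIFY_FAILED` here unambiguous.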