ansible_host: Fix for python 3.12 clients

2024-12-20 18:06:14 +00:00 · 2024-12-20 18:06:14 +00:00 · 8dd1e61c3b
commit 8dd1e61c3b
parent 4756acbaf0
2 changed files with 91 additions and 0 deletions
--- a/roles/ansible_host/files/urls.py.patch
+++ b/roles/ansible_host/files/urls.py.patch
@ -0,0 +1,86 @@
+--- ./urls.py.orig	2024-03-27 18:55:18.077213253 +0000
+++ urls.py	2024-03-27 18:21:07.613270952 +0000
+@@ -535,15 +535,18 @@
+ UnixHTTPSConnection = None
+ if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'):
+     class CustomHTTPSConnection(httplib.HTTPSConnection):  # type: ignore[no-redef]
+-        def __init__(self, *args, **kwargs):
+        def __init__(self, client_cert=None, client_key=None, *args, **kwargs):
+             httplib.HTTPSConnection.__init__(self, *args, **kwargs)
+             self.context = None
+             if HAS_SSLCONTEXT:
+                 self.context = self._context
+             elif HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.context = self._context = PyOpenSSLContext(PROTOCOL)
+-            if self.context and self.cert_file:
+-                self.context.load_cert_chain(self.cert_file, self.key_file)
+
+            self._client_cert = client_cert
+            self._client_key = client_key
+            if self.context and self._client_cert:
+                self.context.load_cert_chain(self._client_cert, self._client_key)
+ 
+         def connect(self):
+             "Connect to a host on a given (SSL) port."
+@@ -564,10 +567,10 @@
+             if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
+                 self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
+             elif HAS_URLLIB3_SSL_WRAP_SOCKET:
+-                self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
+-                                            certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname)
+                self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE,  # pylint: disable=used-before-assignment
+                                            certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname)
+             else:
+-                self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL)
+                self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL)
+ 
+     class CustomHTTPSHandler(urllib_request.HTTPSHandler):  # type: ignore[no-redef]
+ 
+@@ -602,10 +605,6 @@
+             return self.do_open(self._build_https_connection, req)
+ 
+         def _build_https_connection(self, host, **kwargs):
+-            kwargs.update({
+-                'cert_file': self.client_cert,
+-                'key_file': self.client_key,
+-            })
+             try:
+                 kwargs['context'] = self._context
+             except AttributeError:
+@@ -613,7 +612,7 @@
+             if self._unix_socket:
+                 return UnixHTTPSConnection(self._unix_socket)(host, **kwargs)
+             if not HAS_SSLCONTEXT:
+-                return CustomHTTPSConnection(host, **kwargs)
+                return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs)
+             return httplib.HTTPSConnection(host, **kwargs)
+ 
+     @contextmanager
+@@ -979,7 +978,7 @@
+             pass
+ 
+ 
+-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True):
+def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None):
+     if ciphers is None:
+         ciphers = []
+ 
+@@ -1006,6 +1005,9 @@
+     if ciphers:
+         context.set_ciphers(':'.join(map(to_native, ciphers)))
+ 
+    if client_cert:
+        context.load_cert_chain(client_cert, keyfile=client_key)
+
+     return context
+ 
+ 
+@@ -1514,6 +1516,8 @@
+                 cadata=cadata,
+                 ciphers=ciphers,
+                 validate_certs=validate_certs,
+                client_cert=client_cert,
+                client_key=client_key,
+             )
+             handlers.append(HTTPSClientAuthHandler(client_cert=client_cert,
+                                                    client_key=client_key,
--- a/roles/ansible_host/tasks/main.yml
+++ b/roles/ansible_host/tasks/main.yml
@ -10,6 +10,11 @@
    - python3.11-dns        # required for lookup('dig', 'hostname')
    - python3.11-netaddr    # required by iptables role

+- name: Patch ansible to support python 3.12 clients
+  ansible.posix.patch:
+    src: urls.py.patch
+    dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py
+
 - name: Create private directory and force permissions
  ansible.builtin.file:
    path: /export/private