diff --git a/roles/ansible_host/files/urls.py.patch b/roles/ansible_host/files/urls.py.patch new file mode 100644 index 0000000..ee1dda4 --- /dev/null +++ b/roles/ansible_host/files/urls.py.patch @@ -0,0 +1,86 @@ +--- ./urls.py.orig 2024-03-27 18:55:18.077213253 +0000 ++++ urls.py 2024-03-27 18:21:07.613270952 +0000 +@@ -535,15 +535,18 @@ + UnixHTTPSConnection = None + if hasattr(httplib, 'HTTPSConnection') and hasattr(urllib_request, 'HTTPSHandler'): + class CustomHTTPSConnection(httplib.HTTPSConnection): # type: ignore[no-redef] +- def __init__(self, *args, **kwargs): ++ def __init__(self, client_cert=None, client_key=None, *args, **kwargs): + httplib.HTTPSConnection.__init__(self, *args, **kwargs) + self.context = None + if HAS_SSLCONTEXT: + self.context = self._context + elif HAS_URLLIB3_PYOPENSSLCONTEXT: + self.context = self._context = PyOpenSSLContext(PROTOCOL) +- if self.context and self.cert_file: +- self.context.load_cert_chain(self.cert_file, self.key_file) ++ ++ self._client_cert = client_cert ++ self._client_key = client_key ++ if self.context and self._client_cert: ++ self.context.load_cert_chain(self._client_cert, self._client_key) + + def connect(self): + "Connect to a host on a given (SSL) port." +@@ -564,10 +567,10 @@ + if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT: + self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname) + elif HAS_URLLIB3_SSL_WRAP_SOCKET: +- self.sock = ssl_wrap_socket(sock, keyfile=self.key_file, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment +- certfile=self.cert_file, ssl_version=PROTOCOL, server_hostname=server_hostname) ++ self.sock = ssl_wrap_socket(sock, keyfile=self._client_key, cert_reqs=ssl.CERT_NONE, # pylint: disable=used-before-assignment ++ certfile=self._client_cert, ssl_version=PROTOCOL, server_hostname=server_hostname) + else: +- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file, certfile=self.cert_file, ssl_version=PROTOCOL) ++ self.sock = ssl.wrap_socket(sock, keyfile=self._client_key, certfile=self._client_cert, ssl_version=PROTOCOL) + + class CustomHTTPSHandler(urllib_request.HTTPSHandler): # type: ignore[no-redef] + +@@ -602,10 +605,6 @@ + return self.do_open(self._build_https_connection, req) + + def _build_https_connection(self, host, **kwargs): +- kwargs.update({ +- 'cert_file': self.client_cert, +- 'key_file': self.client_key, +- }) + try: + kwargs['context'] = self._context + except AttributeError: +@@ -613,7 +612,7 @@ + if self._unix_socket: + return UnixHTTPSConnection(self._unix_socket)(host, **kwargs) + if not HAS_SSLCONTEXT: +- return CustomHTTPSConnection(host, **kwargs) ++ return CustomHTTPSConnection(host, client_cert=self.client_cert, client_key=self.client_key, **kwargs) + return httplib.HTTPSConnection(host, **kwargs) + + @contextmanager +@@ -979,7 +978,7 @@ + pass + + +-def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True): ++def make_context(cafile=None, cadata=None, ciphers=None, validate_certs=True, client_cert=None, client_key=None): + if ciphers is None: + ciphers = [] + +@@ -1006,6 +1005,9 @@ + if ciphers: + context.set_ciphers(':'.join(map(to_native, ciphers))) + ++ if client_cert: ++ context.load_cert_chain(client_cert, keyfile=client_key) ++ + return context + + +@@ -1514,6 +1516,8 @@ + cadata=cadata, + ciphers=ciphers, + validate_certs=validate_certs, ++ client_cert=client_cert, ++ client_key=client_key, + ) + handlers.append(HTTPSClientAuthHandler(client_cert=client_cert, + client_key=client_key, diff --git a/roles/ansible_host/tasks/main.yml b/roles/ansible_host/tasks/main.yml index b13d9f3..15e4728 100644 --- a/roles/ansible_host/tasks/main.yml +++ b/roles/ansible_host/tasks/main.yml @@ -10,6 +10,11 @@ - python3.11-dns # required for lookup('dig', 'hostname') - python3.11-netaddr # required by iptables role +- name: Patch ansible to support python 3.12 clients + ansible.posix.patch: + src: urls.py.patch + dest: /usr/lib/python3.9/site-packages/ansible/module_utils/urls.py + - name: Create private directory and force permissions ansible.builtin.file: path: /export/private