ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-25 03:41:25 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Support forced SSL-verified connection with given CA certificate

Browse source
This commit is contained in:
Maarten Bezemer 2016-11-22 16:18:45 +01:00 committed by Toshio Kuratomi
parent 09ceaafd42
commit 1f1379ea61
3 changed files with 101 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

36
lib/ansible/modules/database/postgresql/postgresql_db.py
View file

@ -89,10 +89,25 @@ options:
required: false
default: present
choices: [ "present", "absent" ]
ssl_mode:
description:
- Determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server.
- See https://www.postgresql.org/docs/current/static/libpq-ssl.html for more information on the modes.
required: false
default: disable
choices: [disable, allow, prefer, require, verify-ca, verify-full]
version_added: '2.3'
ssl_rootcert:
description:
- Specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities.
required: false
default: null
version_added: '2.3'
notes:
- The default authentication assumes that you are either logging in as or sudo'ing to the C(postgres) account on the host.
- This module uses I(psycopg2), a Python PostgreSQL database adapter. You must ensure that psycopg2 is installed on
the host before using this module. If the remote host is the PostgreSQL server (which is the default case), then PostgreSQL must also be installed on the remote host. For Ubuntu-based systems, install the C(postgresql), C(libpq-dev), and C(python-psycopg2) packages on the remote host before using this module.
- The ssl_rootcert parameter requires at least Postgres version 8.4 and I(psycopg2) version 2.4.3.
requirements: [ psycopg2 ]
author: "Ansible Core Team"
'''
@ -242,6 +257,8 @@ def main():
lc_collate=dict(default=""),
lc_ctype=dict(default=""),
state=dict(default="present", choices=["absent", "present"]),
ssl_mode=dict(default="disable", choices=['disable', 'allow', 'prefer', 'require', 'verify-ca', 'verify-full']),
ssl_rootcert=dict(default=None),
),
supports_check_mode = True
)
@ -257,6 +274,7 @@ def main():
lc_collate = module.params["lc_collate"]
lc_ctype = module.params["lc_ctype"]
state = module.params["state"]
sslrootcert = module.params["ssl_rootcert"]
changed = False
# To use defaults values, keyword arguments must be absent, so
@ -266,16 +284,21 @@ def main():
"login_host":"host",
"login_user":"user",
"login_password":"password",
"port":"port"
"port":"port",
"ssl_mode":"sslmode",
"ssl_rootcert":"sslrootcert"
}
kw = dict( (params_map[k], v) for (k, v) in iteritems(module.params)
if k in params_map and v != '' )
if k in params_map and v != '' and v is not None)
# If a login_unix_socket is specified, incorporate it here.
is_localhost = "host" not in kw or kw["host"] == "" or kw["host"] == "localhost"
if is_localhost and module.params["login_unix_socket"] != "":
kw["host"] = module.params["login_unix_socket"]
if psycopg2.__version__ < '2.4.3' and sslrootcert is not None:
module.fail_json(msg='psycopg2 must be at least 2.4.3 in order to user the ssl_rootcert parameter')
try:
db_connection = psycopg2.connect(database="postgres", **kw)
# Enable autocommit so we can create databases
@ -287,6 +310,13 @@ def main():
.ISOLATION_LEVEL_AUTOCOMMIT)
cursor = db_connection.cursor(
cursor_factory=psycopg2.extras.DictCursor)
except TypeError:
e = get_exception()
if 'sslrootcert' in e.args[0]:
module.fail_json(msg='Postgresql server must be at least version 8.4 to support sslrootcert')
module.fail_json(msg="unable to connect to database: %s" % e)
except Exception:
e = get_exception()
module.fail_json(msg="unable to connect to database: %s" % e)
@ -318,7 +348,7 @@ def main():
e = get_exception()
module.fail_json(msg=str(e))
except SystemExit:
# Avoid catching this on Python 2.4
# Avoid catching this on Python 2.4
raise
except Exception:
e = get_exception()