Backport security fixes to etcd and url lookup plugins

73c7e982 · Toshio Kuratomi · 08c1ddd2 · 73c7e982 · 73c7e982
Commit 73c7e982 authored Jun 15, 2015 by Toshio Kuratomi
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 14 deletions

lib/ansible/runner/lookup_plugins/etcd.py
+12 -6

lib/ansible/runner/lookup_plugins/url.py
+17 -8

No files found.
--- a/lib/ansible/runner/lookup_plugins/etcd.py
+++ b/lib/ansible/runner/lookup_plugins/etcd.py
@@ -17,21 +17,24 @@
 from ansible import utils
 import os
-import urllib2
 try:
    import json
 except ImportError:
    import simplejson as json
+from ansible.module_utils.urls import open_url
 # this can be made configurable, not should not use ansible.cfg
 ANSIBLE_ETCD_URL = 'http://127.0.0.1:4001'
 if os.getenv('ANSIBLE_ETCD_URL') is not None:
    ANSIBLE_ETCD_URL = os.environ['ANSIBLE_ETCD_URL']
-class etcd():
+class Etcd(object):
-    def __init__(self, url=ANSIBLE_ETCD_URL):
+    def __init__(self, url=ANSIBLE_ETCD_URL, validate_certs=True):
        self.url = url
        self.baseurl = '%s/v1/keys' % (self.url)
+        self.validate_certs = validate_certs
    def get(self, key):
        url = "%s/%s" % (self.baseurl, key)
@@ -39,7 +42,7 @@ class etcd():
        data = None
        value = ""
        try:
-            r = urllib2.urlopen(url)
+            r = open_url(url, validate_certs=self.validate_certs)
            data = r.read()
        except:
            return value
@@ -61,7 +64,6 @@ class LookupModule(object):
    def __init__(self, basedir=None, **kwargs):
        self.basedir = basedir
-        self.etcd = etcd()
    def run(self, terms, inject=None, **kwargs):
@@ -70,9 +72,13 @@ class LookupModule(object):
        if isinstance(terms, basestring):
            terms = [ terms ]
+        validate_certs = kwargs.get('validate_certs', True)
+        etcd = Etcd(validate_certs=validate_certs)
        ret = []
        for term in terms:
            key = term.split()[0]
-            value = self.etcd.get(key)
+            value = etcd.get(key)
            ret.append(value)
        return ret
--- a/lib/ansible/runner/lookup_plugins/url.py
+++ b/lib/ansible/runner/lookup_plugins/url.py
@@ -18,6 +18,9 @@
 from ansible import utils
 import urllib2
+from ansible.module_utils.urls import open_url, ConnectionError, SSLValidationError
+from ansible.utils.unicode import to_unicode
 class LookupModule(object):
    def __init__(self, basedir=None, **kwargs):
@@ -30,19 +33,25 @@ class LookupModule(object):
        if isinstance(terms, basestring):
            terms = [ terms ]
+        validate_certs = kwargs.get('validate_certs', True)
        ret = []
        for term in terms:
            try:
-                r = urllib2.Request(term)
+                response = open_url(term, validate_certs=validate_certs)
-                response = urllib2.urlopen(r)
+            except urllib2.URLError as e:
-            except URLError, e:
+                utils.warning("Failed lookup url for %s : %s" % (term, str(e)))
-                utils.warnings("Failed lookup url for %s : %s" % (term, str(e)))
+                continue
+            except urllib2.HTTPError as e:
+                utils.warning("Received HTTP error for %s : %s" % (term, str(e)))
                continue
-            except HTTPError, e:
+            except SSLValidationError as e:
-                utils.warnings("Recieved HTTP error for %s : %s" % (term, str(e)))
+                utils.warning("Error validating the server's certificate for %s: %s" % (term, str(e)))
+                continue
+            except ConnectionError as e:
+                utils.warning("Error connecting to %s: %s" % (term, str(e)))
                continue
            for line in response.read().splitlines():
-                ret.append(line)
+                ret.append(to_unicode(line))
        return ret