ngine-io / ansible-collection-cloudstack

CloudStack Ansible Collections
https://galaxy.ansible.com/ngine_io/cloudstack
GNU General Public License v3.0

Add possibility to skip certificate validation #131

Closed tanganellilore closed 3 months ago

tanganellilore commented 3 months ago

Hi team,

I simply add the possibility to skip SSL verification if verify is null. In the cs library we need to set dangerous_no_tls_verify to true to skip verification.

I simply add this in this pull request.

resmo commented 3 months ago

Hi @tanganellilore

The cs doc says:

> A CLOUDSTACK_VERIFY (optional) environment variable pointing to a CA authority cert file,

So if no api_verify_ssl_cert is set, it will use the internal trust store to verify the client cert. However, your change would turn verify off if no CA file is given (is null) so this would result in a security flaw.

We should add another argument for turning cert validation off! The common argument in other ansible modules is validate_certs (bool) with default=true, so we should reuse this argument name.

(see e.g. https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/get_url.py#L113)

and set dangerous_no_tls_verify according to this value.

tanganellilore commented 3 months ago

Hi @resmo, do you think that I also need to add an env variable for this? Like CLOUDSTACK_VALIDATE_CERTS

resmo commented 3 months ago

> Hi @resmo, do you think that I also need to add an env variable for this? Like CLOUDSTACK_VALIDATE_CERTS

No need, I would assume if you set CLOUDSTACK_DANGEROUS_NO_TLS_VERIFY=true it would already work as expected.

see https://github.com/exoscale/cs/blob/master/cs/client.py#L579

But a doc note would be appreciated.

tanganellilore commented 3 months ago

Modified as requested
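
The two argument mappings discussed in this thread, side by side, as an added example that is not code from the pull request, the collection or the cs library. The helper names, the `env` parameter and the treatment of only the string "true" as an opt-out are assumptions; the page does not show how cs parses the variable.

```python
import os


def tls_kwargs_flawed(api_verify_ssl_cert=None):
    """Mapping rejected in review: a missing CA file silently disables TLS checks."""
    return {
        "verify": api_verify_ssl_cert,
        "dangerous_no_tls_verify": api_verify_ssl_cert is None,
    }


def tls_kwargs_reviewed(api_verify_ssl_cert=None, validate_certs=True, env=None):
    """Mapping requested in review: verification stays on unless explicitly disabled."""
    env = os.environ if env is None else env
    if not isinstance(validate_certs, bool):
        # Reject None/strings so an unset value can never mean "skip verification".
        raise TypeError("validate_certs must be a bool")
    # CA file: module argument first, then CLOUDSTACK_VERIFY. None means
    # "use the default trust store", not "do not verify".
    ca_file = api_verify_ssl_cert or env.get("CLOUDSTACK_VERIFY") or None
    # Explicit opt-out only: validate_certs=False or the env var from the thread.
    # Assumption: only the value "true" (case-insensitive) counts as opt-out.
    env_flag = env.get("CLOUDSTACK_DANGEROUS_NO_TLS_VERIFY", "")
    env_opt_out = env_flag.strip().lower() == "true"
    return {
        "verify": ca_file,
        "dangerous_no_tls_verify": (not validate_certs) or env_opt_out,
    }


if __name__ == "__main__":
    # Constructed inputs: the CA path is a placeholder, not a real file.
    cases = [
        ("no CA file given", {}),
        ("CA file given", {"api_verify_ssl_cert": "/path/to/ca.pem"}),
    ]
    for label, kwargs in cases:
        print(label)
        print("  flawed:  ", tls_kwargs_flawed(**kwargs))
        print("  reviewed:", tls_kwargs_reviewed(env={}, **kwargs))
    print("explicit opt-out")
    print("  reviewed:", tls_kwargs_reviewed(validate_certs=False, env={}))
```

With no CA file, the flawed mapping returns `dangerous_no_tls_verify: True`, while the reviewed mapping keeps it `False` until `validate_certs=False` or the environment variable is set.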