Merge pull request ansible#14261 from kamsz/devel

Add validate_certs param to skip SSL verification in VMware
zz · Feb 10, 2016 · 371c731 · 371c731
2 parents 486304b + 9f1eea4
commit 371c731
Showing 1 changed file with 20 additions and 10 deletions.
diff --git a/lib/ansible/module_utils/vmware.py b/lib/ansible/module_utils/vmware.py
@@ -21,6 +21,7 @@
 try:
     import atexit
     import time
+    import ssl
     # requests is required for exception handling of the ConnectionError
     import requests
     from pyVim import connect
@@ -104,6 +105,7 @@ def vmware_argument_spec():
         hostname=dict(type='str', required=True),
         username=dict(type='str', aliases=['user', 'admin'], required=True),
         password=dict(type='str', aliases=['pass', 'pwd'], required=True, no_log=True),
+        validate_certs=dict(type='bool', required=False, default=True),
     )
 
 
@@ -112,21 +114,29 @@ def connect_to_api(module, disconnect_atexit=True):
     hostname = module.params['hostname']
     username = module.params['username']
     password = module.params['password']
-    try:
-        service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
+    validate_certs = module.params['validate_certs']
 
-        # Disabling atexit should be used in special cases only.
-        # Such as IP change of the ESXi host which removes the connection anyway.
-        # Also removal significantly speeds up the return of the module
+    if validate_certs and not hasattr(ssl, 'SSLContext'):
+        module.fail_json(msg='pyVim does not support changing verification mode with python < 2.7.9. Either update python or or use validate_certs=false')
 
-        if disconnect_atexit:
-            atexit.register(connect.Disconnect, service_instance)
-        return service_instance.RetrieveContent()
+    try:
+        service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password)
     except vim.fault.InvalidLogin, invalid_login:
         module.fail_json(msg=invalid_login.msg, apierror=str(invalid_login))
     except requests.ConnectionError, connection_error:
-        module.fail_json(msg="Unable to connect to vCenter or ESXi API on TCP/443.", apierror=str(connection_error))
-
+        if '[SSL: CERTIFICATE_VERIFY_FAILED]' in str(connection_error) and not validate_certs:
+            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            context.verify_mode = ssl.CERT_NONE
+            service_instance = connect.SmartConnect(host=hostname, user=username, pwd=password, sslContext=context)
+        else:
+            module.fail_json(msg="Unable to connect to vCenter or ESXi API on TCP/443.", apierror=str(connection_error))
+
+    # Disabling atexit should be used in special cases only.
+    # Such as IP change of the ESXi host which removes the connection anyway.
+    # Also removal significantly speeds up the return of the module
+    if disconnect_atexit:
+        atexit.register(connect.Disconnect, service_instance)
+    return service_instance.RetrieveContent()
 
 def get_all_objs(content, vimtype):