Merge branch 'ansible-collections:main' into vmware_guest_snapshot

ansible-collections · Jan 25, 2024 · 6fb4ca8 · 6fb4ca8
2 parents 3993d3e + 8d99829
commit 6fb4ca8
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 13 deletions.
diff --git a/changelogs/fragments/1848-fix-vm-reconfiguration-with-enabled-vbs.yml b/changelogs/fragments/1848-fix-vm-reconfiguration-with-enabled-vbs.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - vmware_guest - Fix failure of vm reconfiguration with enabled virt_based_security
+    (https://github.com/ansible-collections/community.vmware/pull/1848).
diff --git a/changelogs/fragments/1930-fix_ssl_deprecation_function.yml b/changelogs/fragments/1930-fix_ssl_deprecation_function.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - module_utils/vmware.py - remove ssl.wrap_socet() function. Replaced for code based on ssl.get_server_certificate
+    (https://github.com/ansible-collections/community.vmware/issues/1930).
diff --git a/plugins/module_utils/vmware.py b/plugins/module_utils/vmware.py
@@ -1174,9 +1174,9 @@ def vcenter_version_at_least(self, version=None):
         self.module.fail_json(msg='The passed vCenter version: %s is None.' % version)
 
     def get_cert_fingerprint(self, fqdn, port, proxy_host=None, proxy_port=None):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        sock.settimeout(1)
         if proxy_host:
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            sock.settimeout(1)
             sock.connect((
                 proxy_host,
                 proxy_port))
@@ -1191,17 +1191,16 @@ def get_cert_fingerprint(self, fqdn, port, proxy_host=None, proxy_port=None):
             der_cert_bin = ctx.wrap_socket(sock, server_hostname=fqdn).getpeercert(True)
             sock.close()
         else:
-            wrapped_socket = ssl.wrap_socket(sock)
             try:
-                wrapped_socket.connect((fqdn, port))
-            except socket.error as socket_error:
-                self.module.fail_json(msg="Cannot connect to host : %s" % socket_error)
-            else:
-                der_cert_bin = wrapped_socket.getpeercert(True)
-                wrapped_socket.close()
-
-        string = str(hashlib.sha1(der_cert_bin).hexdigest())
-        return ':'.join(a + b for a, b in zip(string[::2], string[1::2]))
+                pem = ssl.get_server_certificate((fqdn, port))
+            except Exception:
+                self.module.fail_json(msg=f"Cannot connect to host: {fqdn}")
+            der_cert_bin = ssl.PEM_cert_to_DER_cert(pem)
+        if der_cert_bin:
+            string = str(hashlib.sha1(der_cert_bin).hexdigest())
+            return ':'.join(a + b for a, b in zip(string[::2], string[1::2]))
+        else:
+            self.module.fail_json(msg=f"Unable to obtain certificate fingerprint for host: {fqdn}")
 
     def get_managed_objects_properties(self, vim_type, properties=None):
         """

diff --git a/plugins/modules/vmware_guest.py b/plugins/modules/vmware_guest.py
@@ -1672,7 +1672,7 @@ def configure_hardware_params(self, vm_obj):
 
         virt_based_security = self.params['hardware']['virt_based_security']
         if virt_based_security is not None:
-            if vm_obj is None or virt_based_security != self.configspec.flags.vbsEnabled:
+            if vm_obj is None or virt_based_security != vm_obj.config.flags.vbsEnabled:
                 self.change_detected = True
                 if self.configspec.flags is None:
                     self.configspec.flags = vim.vm.FlagInfo()