Merging upstream version 9.4.0+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 45 insertions, 9 deletions

diff --git a/ansible_collections/community/general/plugins/modules/irc.py b/ansible_collections/community/general/plugins/modules/irc.py
index 6cd7bc120..00ff299ee 100644
--- a/ansible_collections/community/general/plugins/modules/irc.py
+++ b/ansible_collections/community/general/plugins/modules/irc.py
@@ -50,8 +50,7 @@ options:
   color:
     type: str
     description:
-      - Text color for the message. ("none" is a valid option in 1.6 or later, in 1.6 and prior, the default color is black, not "none").
-        Added 11 more colors in version 2.0.
+      - Text color for the message.
     default: "none"
     choices: [ "none", "white", "black", "blue", "green", "red", "brown", "purple", "orange", "yellow", "light_green", "teal", "light_cyan",
                "light_blue", "pink", "gray", "light_gray"]
@@ -79,11 +78,17 @@ options:
       - Timeout to use while waiting for successful registration and join
         messages, this is to prevent an endless loop
     default: 30
-  use_ssl:
+  use_tls:
     description:
       - Designates whether TLS/SSL should be used when connecting to the IRC server
+      - O(use_tls) is available since community.general 8.1.0, before the option
+        was exlusively called O(use_ssl). The latter is now an alias of O(use_tls).
+      - B(Note:) for security reasons, you should always set O(use_tls=true) and
+        O(validate_certs=true) whenever possible.
     type: bool
     default: false
+    aliases:
+      - use_ssl
   part:
     description:
       - Designates whether user should part from channel after sending message or not.
@@ -96,6 +101,16 @@ options:
       - Text style for the message. Note italic does not work on some clients
     choices: [ "bold", "underline", "reverse", "italic", "none" ]
     default: none
+  validate_certs:
+    description:
+      - If set to V(false), the SSL certificates will not be validated.
+      - This should always be set to V(true). Using V(false) is unsafe and should only be done
+        if the network between between Ansible and the IRC server is known to be safe.
+      - B(Note:) for security reasons, you should always set O(use_tls=true) and
+        O(validate_certs=true) whenever possible.
+    default: false
+    type: bool
+    version_added: 8.1.0
 
 # informational: requirements for nodes
 requirements: [ socket ]
@@ -108,6 +123,8 @@ EXAMPLES = '''
 - name: Send a message to an IRC channel from nick ansible
   community.general.irc:
     server: irc.example.net
+    use_tls: true
+    validate_certs: true
     channel: #t1
     msg: Hello world
 
@@ -116,6 +133,8 @@ EXAMPLES = '''
     module: irc
     port: 6669
     server: irc.example.net
+    use_tls: true
+    validate_certs: true
     channel: #t1
     msg: 'All finished at {{ ansible_date_time.iso8601 }}'
     color: red
@@ -126,6 +145,8 @@ EXAMPLES = '''
     module: irc
     port: 6669
     server: irc.example.net
+    use_tls: true
+    validate_certs: true
     channel: #t1
     nick_to:
       - nick1
@@ -150,7 +171,8 @@ from ansible.module_utils.basic import AnsibleModule
 
 
 def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, key=None, topic=None,
-             nick="ansible", color='none', passwd=False, timeout=30, use_ssl=False, part=True, style=None):
+             nick="ansible", color='none', passwd=False, timeout=30, use_tls=False, validate_certs=True,
+             part=True, style=None):
     '''send message to IRC'''
     nick_to = [] if nick_to is None else nick_to
 
@@ -194,8 +216,20 @@ def send_msg(msg, server='localhost', port='6667', channel=None, nick_to=None, k
     message = styletext + colortext + msg
 
     irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    if use_ssl:
-        irc = ssl.wrap_socket(irc)
+    if use_tls:
+        if validate_certs:
+            try:
+                context = ssl.create_default_context()
+            except AttributeError:
+                raise Exception('Need at least Python 2.7.9 for SSL certificate validation')
+        else:
+            if getattr(ssl, 'PROTOCOL_TLS', None) is not None:
+                # Supported since Python 2.7.13
+                context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+            else:
+                context = ssl.SSLContext()
+            context.verify_mode = ssl.CERT_NONE
+        irc = context.wrap_socket(irc)
     irc.connect((server, int(port)))
 
     if passwd:
@@ -275,7 +309,8 @@ def main():
             passwd=dict(no_log=True),
             timeout=dict(type='int', default=30),
             part=dict(type='bool', default=True),
-            use_ssl=dict(type='bool', default=False)
+            use_tls=dict(type='bool', default=False, aliases=['use_ssl']),
+            validate_certs=dict(type='bool', default=False),
         ),
         supports_check_mode=True,
         required_one_of=[['channel', 'nick_to']]
@@ -294,12 +329,13 @@ def main():
     key = module.params["key"]
     passwd = module.params["passwd"]
     timeout = module.params["timeout"]
-    use_ssl = module.params["use_ssl"]
+    use_tls = module.params["use_tls"]
     part = module.params["part"]
     style = module.params["style"]
+    validate_certs = module.params["validate_certs"]
 
     try:
-        send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_ssl, part, style)
+        send_msg(msg, server, port, channel, nick_to, key, topic, nick, color, passwd, timeout, use_tls, validate_certs, part, style)
     except Exception as e:
         module.fail_json(msg="unable to send to IRC: %s" % to_native(e), exception=traceback.format_exc())