Merge pull request #39 from njordr/master

Skip SSL host verification
jhaals · May 4, 2017 · 6ebca57 · 6ebca57
2 parents 4a0ef00 + 652d295
commit 6ebca57
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -25,8 +25,14 @@ Python 2.7.9.
     export VAULT_CAPATH=/etc/ssl/localCA
 
 The Vault address, CA certificate, and path can also be set via the Ansible
-variables `vault_addr`, `vault_cacert`, and `vault_capath`, respectively. For
-more information on setting variables in Ansible, see the
+variables `vault_addr`, `vault_cacert`, and `vault_capath`, respectively. 
+
+    export VAULT_CAHOSTVERIFY="no"
+
+This avoid the hostname check for Vault certificate (useful with self-signed certicates). 
+This option can also be set via the Ansible variable `vault_cahostverify`.
+
+For more information on setting variables in Ansible, see the
 [variables docs](http://docs.ansible.com/ansible/playbooks_variables.html).
 
 The Vault token intentionally can **not** be set via an Ansible variable, as

diff --git a/vault.py b/vault.py
@@ -52,7 +52,6 @@ def run(self, terms, inject=None, variables=None, **kwargs):
 
         try:
             parameters = term_split[1]
-
             parameters = parameters.split(' ')
 
             parameter_bag = {}
@@ -98,21 +97,26 @@ def run(self, terms, inject=None, variables=None, **kwargs):
 
         cafile = os.getenv('VAULT_CACERT') or (variables or inject).get('vault_cacert')
         capath = os.getenv('VAULT_CAPATH') or (variables or inject).get('vault_capath')
+        cahostverify = os.getenv('VAULT_CAHOSTVERIFY') or (variables or inject).get('vault_cahostverify') or 'yes'
 
         if _use_vault_cache and key in _vault_cache:
             result = _vault_cache[key]
         else:
-            result = self._fetch_remotely(cafile, capath, data, key, token, url)
+            result = self._fetch_remotely(cafile, capath, data, key, token, url, cahostverify)
             if _use_vault_cache:
                 _vault_cache[key] = result
 
         return [result['data'][field]] if field is not None else [result['data']]
 
-    def _fetch_remotely(self, cafile, capath, data, key, token, url):
+    def _fetch_remotely(self, cafile, capath, data, key, token, url, cahostverify):
         try:
             context = None
             if cafile or capath:
                 context = ssl.create_default_context(cafile=cafile, capath=capath)
+                if cahostverify == 'no':
+                    context.check_hostname = False
+                else:
+                    context.check_hostname = True
             request_url = urljoin(url, "v1/%s" % (key))
             req = urllib2.Request(request_url, data)
             req.add_header('X-Vault-Token', token)