java_cert: support proxy authentication from https_proxy env var (#11753)

* java_cert: support proxy authentication from https_proxy env var

When https_proxy is set with credentials (USER:PASSWORD@HOST:PORT),
pass the corresponding JVM proxy auth flags to keytool and clear the
JDK 8u111+ Basic auth tunneling restriction.

Fixes https://github.com/ansible-collections/community.general/issues/4126

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* java_cert: add changelog fragment for PR #11753

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* java_cert: fix changelog fragment type to minor_changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

changelogs/fragments/11753-java-cert-proxy-auth.yml

@@ -0,0 +1,4 @@
+minor_changes:
+  - java_cert - support proxy authentication when ``https_proxy`` environment variable includes credentials
+    (https://github.com/ansible-collections/community.general/issues/4126,
+    https://github.com/ansible-collections/community.general/pull/11753).

plugins/modules/java_cert.py

@@ -205,7 +205,7 @@ cmd:
 import os
 import re
 import tempfile
-from urllib.parse import urlparse
+from urllib.parse import unquote, urlparse
 from urllib.request import getproxies
 
 # import module snippets
@@ -297,28 +297,41 @@ def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, passwo
 
 
 def get_proxy_settings(scheme="https"):
-    """Returns a tuple containing (proxy_host, proxy_port). (False, False) if no proxy is found"""
+    """Returns a tuple containing (proxy_host, proxy_port, proxy_user, proxy_pass).
+    (False, False, False, False) if no proxy is found."""
     proxy_url = getproxies().get(scheme, "")
     if not proxy_url:
-        return (False, False)
+        return (False, False, False, False)
+    parsed_url = urlparse(proxy_url)
+    if parsed_url.scheme:
+        proxy_host = parsed_url.hostname
+        proxy_port = parsed_url.port
     else:
-        parsed_url = urlparse(proxy_url)
+        (proxy_host, proxy_port) = parsed_url.path.split(":")
-        if parsed_url.scheme:
+    proxy_user = unquote(parsed_url.username) if parsed_url.username else False
-            (proxy_host, proxy_port) = parsed_url.netloc.split(":")
+    proxy_pass = unquote(parsed_url.password) if parsed_url.password else False
-        else:
+    return (proxy_host, proxy_port, proxy_user, proxy_pass)
-            (proxy_host, proxy_port) = parsed_url.path.split(":")
-        return (proxy_host, proxy_port)
 
 
 def build_proxy_options():
     """Returns list of valid proxy options for keytool"""
-    (proxy_host, proxy_port) = get_proxy_settings()
+    (proxy_host, proxy_port, proxy_user, proxy_pass) = get_proxy_settings()
     no_proxy = os.getenv("no_proxy")
 
     proxy_opts = []
     if proxy_host:
         proxy_opts.extend([f"-J-Dhttps.proxyHost={proxy_host}", f"-J-Dhttps.proxyPort={proxy_port}"])
 
+        if proxy_user and proxy_pass:
+            proxy_opts.extend(
+                [
+                    f"-J-Dhttps.proxyUser={proxy_user}",
+                    f"-J-Dhttps.proxyPassword={proxy_pass}",
+                    # JDK 8u111+ disables Basic auth for HTTPS tunneling by default; clear that restriction.
+                    "-J-Djdk.http.auth.tunneling.disabledSchemes=",
+                ]
+            )
+
         if no_proxy is not None:
             # For Java's nonProxyHosts property, items are separated by '|',
             # and patterns have to start with "*".