From d9a2fa9bd9c430969da3a987aa53a2ec42c69c78 Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Thu, 9 Apr 2026 06:35:16 +0200
Subject: [PATCH] [PR #11753/c7deda2e backport][stable-12] java_cert: support proxy authentication from https_proxy env var (#11761) java_cert: support proxy authentication from https_proxy env var (#11753) * java_cert: support proxy authentication from https_proxy env var When https_proxy is set with credentials (USER:PASSWORD@HOST:PORT), pass the corresponding JVM proxy auth flags to keytool and clear the JDK 8u111+ Basic auth tunneling restriction. Fixes https://github.com/ansible-collections/community.general/issues/4126 * java_cert: add changelog fragment for PR #11753 * java_cert: fix changelog fragment type to minor_changes --------- (cherry picked from commit c7deda2ec7f62e39a72b27af05cbf3727fddcc2b) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6
---
 .../fragments/11753-java-cert-proxy-auth.yml | 4 +++
 plugins/modules/java_cert.py | 33 +++++++++++++------
 2 files changed, 27 insertions(+), 10 deletions(-)
 create mode 100644 changelogs/fragments/11753-java-cert-proxy-auth.yml
diff --git a/changelogs/fragments/11753-java-cert-proxy-auth.yml b/changelogs/fragments/11753-java-cert-proxy-auth.yml
new file mode 100644
index 0000000000..2afab97fb6
--- /dev/null
+++ b/changelogs/fragments/11753-java-cert-proxy-auth.yml
@@ -0,0 +1,4 @@
+minor_changes:
+ - java_cert - support proxy authentication when ``https_proxy`` environment variable includes credentials
+ (https://github.com/ansible-collections/community.general/issues/4126,
+ https://github.com/ansible-collections/community.general/pull/11753).
diff --git a/plugins/modules/java_cert.py b/plugins/modules/java_cert.py
index b4c3e74aca..913a36de10 100644
--- a/plugins/modules/java_cert.py
+++ b/plugins/modules/java_cert.py
@@ -205,7 +205,7 @@ cmd:
 import os
 import re
 import tempfile
-from urllib.parse import urlparse
+from urllib.parse import unquote, urlparse
 from urllib.request import getproxies
 # import module snippets
@@ -297,28 +297,41 @@ def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, passwo def get_proxy_settings(scheme="https"): - """Returns a tuple containing (proxy_host, proxy_port). (False, False) if no proxy is found""" + """Returns a tuple containing (proxy_host, proxy_port, proxy_user, proxy_pass). + (False, False, False, False) if no proxy is found.""" proxy_url = getproxies().get(scheme, "") if not proxy_url: - return (False, False) + return (False, False, False, False) + parsed_url = urlparse(proxy_url) + if parsed_url.scheme: + proxy_host = parsed_url.hostname + proxy_port = parsed_url.port else: - parsed_url = urlparse(proxy_url) - if parsed_url.scheme: - (proxy_host, proxy_port) = parsed_url.netloc.split(":") - else: - (proxy_host, proxy_port) = parsed_url.path.split(":") - return (proxy_host, proxy_port) + (proxy_host, proxy_port) = parsed_url.path.split(":") + proxy_user = unquote(parsed_url.username) if parsed_url.username else False + proxy_pass = unquote(parsed_url.password) if parsed_url.password else False + return (proxy_host, proxy_port, proxy_user, proxy_pass) def build_proxy_options(): """Returns list of valid proxy options for keytool""" - (proxy_host, proxy_port) = get_proxy_settings() + (proxy_host, proxy_port, proxy_user, proxy_pass) = get_proxy_settings() no_proxy = os.getenv("no_proxy") proxy_opts = [] if proxy_host: proxy_opts.extend([f"-J-Dhttps.proxyHost={proxy_host}", f"-J-Dhttps.proxyPort={proxy_port}"]) + if proxy_user and proxy_pass: + proxy_opts.extend( + [ + f"-J-Dhttps.proxyUser={proxy_user}", + f"-J-Dhttps.proxyPassword={proxy_pass}", + # JDK 8u111+ disables Basic auth for HTTPS tunneling by default; clear that restriction. + "-J-Djdk.http.auth.tunneling.disabledSchemes=", + ] + ) + if no_proxy is not None: # For Java's nonProxyHosts property, items are separated by '|', # and patterns have to start with "*".
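Review bot: The proxy password is placed in keytool's argument list as `-J-Dhttps.proxyPassword={proxy_pass}` in build_proxy_options(), so it can be read from the process list while keytool runs and will show up wherever the module reports the command it executed (the first hunk's context suggests a documented `cmd` return value, so that looks likely). Neither function receives `module`, so masking has to happen in the caller, for example by adding the password to `module.no_log_values` before the command is run; at minimum add a comment here such as `# proxy_pass is passed on the command line; callers must keep it out of returned or logged output`. Separately, `parsed_url.port` is `None` when https_proxy has no port, which now renders as `-J-Dhttps.proxyPort=None`; add the port option only under `if proxy_port is not None:`. get_proxy_settings() is fully inside the hunk, while the body of build_proxy_options() continues past the last context line.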