Add SNI support via pip

Some Linux distribution releases, such as CentOS 7 and Xenial, have
trouble validating SSL certificates when using get_url with servers
that use Server Name Indication (SNI).

This patch adds packages for those distributions that allow Python
to validate connections with servers using SNI.

Change-Id: Idcf773e16d62d2ad76d9341177dd4d6c3e410af3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -23,14 +23,23 @@ pip_fallback_url: https://raw.githubusercontent.com/pypa/get-pip/master/get-pip.
 pip_offline_install: false
 pip_tmp_packages: /tmp/pip_install
 
+# Allow the deployer to enable binary installation of pip using a distro package
+pip_binary_install: true
+
 # Additional options that you might want to pass to "get-pip.py" when installing pip.
 # Default `pip_get_pip_options` is an empty string.
 pip_get_pip_options: ""
+pip_source_install_options: ""
 
 # This list var can be used to specify specific versions of pip, setuptools,
 # wheel and any other packages which must be installed when pip installs.
 pip_packages: []
 
+pip_required_packages:
+  - pyOpenSSL # SSL SNI support
+  - pyasn1 # SSL SNI support
+  - ndg-httpsclient # SSL SNI support
+
 # Validate Certificates when downloading pip. May be set to "no" when proxy server
 # is intercepting the certificates.
 pip_validate_certs: "yes"

tasks/install.yml

@@ -0,0 +1,28 @@
+---
+# Copyright 2016, Logan Vig <logan2211@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: install_online.yml
+  when:
+    - not pip_offline_install | bool
+    - not pip_binary_install | bool
+
+- include: install_offline.yml
+  when:
+    - pip_offline_install | bool
+    - not pip_binary_install | bool
+
+- include: install_binary.yml
+  when:
+    - pip_binary_install | bool

tasks/install_binary.yml

@@ -0,0 +1,46 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install python-pip (yum)
+  yum:
+    pkg: "{{ python_pip_package }}"
+    state: "latest"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  when:
+    - ansible_pkg_mgr == 'yum'
+
+- name: Install python-pip (apt)
+  apt:
+    pkg: "{{ python_pip_package }}"
+    state: "latest"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  when:
+    - ansible_pkg_mgr == 'apt'
+
+- name: Install required pip packages
+  pip:
+    name: "{{ pip_packages | map('quote') | join (' ') }} {{ pip_required_packages | map('quote') | join(' ') }}"
+    state: latest
+    extra_args: "--upgrade --force-reinstall"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2

tasks/install_offline.yml

@@ -58,7 +58,8 @@
     - pip-install-local
 
 - name: pip cache install files locally
-  local_action: shell python /tmp/get-pip.py -d '{{ pip_tmp_packages | quote }}' {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}
+  local_action: >
+    shell python /tmp/get-pip.py -d '{{ pip_tmp_packages | quote }}' {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}
   register: pip_local_cache
   until: pip_local_cache | success
   retries: 3
@@ -80,22 +81,6 @@
     - pip-install-cache-distribute
     - pip-install
 
-- name: Install PIP
-  shell: "python /opt/get-pip.py --no-index --find-links={{ pip_tmp_packages | quote }} {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}"
-  ignore_errors: true
-  register: pip_install
-  until: pip_install | success
-  retries: 3
-  delay: 2
-
-- name: Install PIP (fall back mode)
-  shell: "python /opt/get-pip.py --isolated --no-index --find-links={{ pip_tmp_packages | quote }} {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}"
-  when: pip_install.rc != 0
-  register: pip_install_fall_back
-  until: pip_install_fall_back | success
-  retries: 3
-  delay: 2
-
 - name: Clean up local get-pip.py
   local_action:
     module: file
@@ -114,9 +99,8 @@
   tags:
     - pip-install-cleanup
 
-- name: Clean up remote install files
-  file:
-    path: "{{ pip_tmp_packages }}"
-    state: absent
-  tags:
-  - pip-install-cleanup
+- name: Set source install pip_get_pip_options
+  set_fact:
+    pip_source_install_options: "--no-index --find-links={{ pip_tmp_packages | quote }}"
+
+- include: install_source.yml

tasks/install_online.yml

@@ -41,18 +41,4 @@
   tags:
     - pip-install-script
 
-- name: Install PIP
-  shell: "python /opt/get-pip.py {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}"
-  ignore_errors: true
-  register: pip_install
-  until: pip_install | success
-  retries: 3
-  delay: 2
-
-- name: Install PIP (fall back mode)
-  shell: "python /opt/get-pip.py --isolated {{ pip_get_pip_options }} {{ pip_packages | map('quote') | join (' ') }}"
-  when: pip_install.rc != 0
-  register: pip_install_fall_back
-  until: pip_install_fall_back | success
-  retries: 3
-  delay: 2
+- include: install_source.yml

tasks/install_source.yml

@@ -0,0 +1,45 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install PIP
+  shell: |
+    python /opt/get-pip.py {{ pip_source_install_options }} \
+                           {{ pip_get_pip_options }} \
+                           {{ pip_packages | map('quote') | join (' ') }} \
+                           {{ pip_required_packages | map('quote') | join(' ') }}
+  ignore_errors: true
+  register: pip_install
+  until: pip_install | success
+  retries: 3
+  delay: 2
+
+- name: Install PIP (fall back mode)
+  shell: |
+    python /opt/get-pip.py --isolated {{ pip_source_install_options }} \
+                                      {{ pip_get_pip_options }} \
+                                      {{ pip_packages | map('quote') | join (' ') }} \
+                                      {{ pip_required_packages | map('quote') | join(' ') }}
+  when: pip_install.rc != 0
+  register: pip_install_fall_back
+  until: pip_install_fall_back | success
+  retries: 3
+  delay: 2
+
+- name: Clean up remote install files
+  file:
+    path: "{{ pip_tmp_packages }}"
+    state: absent
+  tags:
+  - pip-install-cleanup

tasks/main.yml

@@ -13,6 +13,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Gather variables for each operating system
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+    - "{{ ansible_distribution | lower }}.yml"
+    - "{{ ansible_os_family | lower }}.yml"
+  tags:
+    - always
+
 - include: configure.yml
   tags:
     - pip-configuration
@@ -21,12 +32,6 @@
   when:
     - pip_lock_to_internal_repo | bool
 
-- include: install_online.yml
-  when: not pip_offline_install | bool
+- include: install.yml
   tags:
-    - pip-install
-
-- include: install_offline.yml
-  when: pip_offline_install | bool
-  tags:
-    - pip-install
+    - pip-install

tests/test.yml

@@ -22,10 +22,6 @@
   roles:
     - role: "{{ rolename | basename }}"
   post_tasks:
-    - name: Check get-pip.py file
-      stat:
-        path: /opt/get-pip.py
-      register: get_pip_file
     - name: Check .pip directory
       stat:
         path: "{{ ansible_env.HOME}}/.cache/pip"
@@ -43,7 +39,6 @@
     - name: Check role functions
       assert:
         that:
-          - "get_pip_file.stat.exists"
           - "pip_dir.stat.isdir"
           - "pip_selfcheck_file.stat.exists"
-          - "'pip 8.0.3 ' in pip_version.stdout"
+          - "pip_version.stdout | search('8.0.3')"

vars/debian.yml

@@ -0,0 +1,16 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+python_pip_package: python-pip

vars/redhat.yml

@@ -0,0 +1,16 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+python_pip_package: python-pip