From 862c849cdfbda776438afb81ea5e9399032707ac Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Nov 02 2016 17:10:35 +0000
Subject: Fix some BuildRequires to work on all branches.
---
diff --git a/18296.patch b/18296.patch
new file mode 100644
index 0000000..d32ca6e
--- /dev/null
+++ b/18296.patch
@@ -0,0 +1,108 @@
+From 96541c0e3f55b233ac9eaf8710235fa40057f977 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk
+Date: Wed, 2 Nov 2016 01:59:25 +0000
+Subject: [PATCH] Fix adding the same trusted certificates multiple times
+
+If there is an intermittent network failure, we might be trying to reach
+an URL multiple times. Without this patch, we would be re-adding the same
+certificate to the OpenSSL default context multiple times.
+Normally, this is no big issue, as OpenSSL will just silently ignore them,
+after registering the error in its own error stack.
+However, when python-cryptography initializes, it verifies that the current
+error stack of the default OpenSSL context is empty, which it no longer is
+due to us adding the certificates multiple times.
+This results in cryptography throwing an Unknown OpenSSL Error with details:
+
+OpenSSLErrorWithText(code=185057381L, lib=11, func=124, reason=101,
+reason_text='error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table'),
+
+Signed-off-by: Patrick Uiterwijk
+---
+ lib/ansible/module_utils/urls.py | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
+index bef950f..c4a13bf 100644
+--- a/lib/ansible/module_utils/urls.py
++++ b/lib/ansible/module_utils/urls.py
+@@ -182,6 +182,8 @@
+ del libssl
+
+
++LOADED_VERIFY_LOCATIONS = set()
++
+ HAS_MATCH_HOSTNAME = True
+ try:
+ from ssl import match_hostname, CertificateError
+@@ -590,6 +592,8 @@ def get_ca_certs(self):
+ paths_checked.append('/etc/ansible')
+
+ tmp_fd, tmp_path = tempfile.mkstemp()
++ to_add_fd, to_add_path = tempfile.mkstemp()
++ to_add = False
+
+ # Write the dummy ca cert if we are running on Mac OS X
+ if system == 'Darwin':
+@@ -608,13 +612,21 @@ def get_ca_certs(self):
+ if os.path.isfile(full_path) and os.path.splitext(f)[1] in ('.crt','.pem'):
+ try:
+ cert_file = open(full_path, 'rb')
+- os.write(tmp_fd, cert_file.read())
+- os.write(tmp_fd, b('\n'))
++ cert = cert_file.read()
+ cert_file.close()
++ os.write(tmp_fd, cert)
++ os.write(tmp_fd, b('\n'))
++ if full_path not in LOADED_VERIFY_LOCATIONS:
++ to_add = True
++ os.write(to_add_fd, cert)
++ os.write(to_add_fd, b('\n'))
++ LOADED_VERIFY_LOCATIONS.add(full_path)
+ except (OSError, IOError):
+ pass
+
+- return (tmp_path, paths_checked)
++ if not to_add:
++ to_add_path = None
++ return (tmp_path, to_add_path, paths_checked)
+
+ def validate_proxy_response(self, response, valid_codes=[200]):
+ '''
+@@ -643,17 +655,18 @@ def detect_no_proxy(self, url):
+ return False
+ return True
+
+- def _make_context(self, tmp_ca_cert_path):
++ def _make_context(self, to_add_ca_cert_path):
+ context = create_default_context()
+- context.load_verify_locations(tmp_ca_cert_path)
++ if to_add_ca_cert_path:
++ context.load_verify_locations(to_add_ca_cert_path)
+ return context
+
+ def http_request(self, req):
+- tmp_ca_cert_path, paths_checked = self.get_ca_certs()
++ tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs()
+ https_proxy = os.environ.get('https_proxy')
+ context = None
+ if HAS_SSLCONTEXT:
+- context = self._make_context(tmp_ca_cert_path)
++ context = self._make_context(to_add_ca_cert_path)
+
+ # Detect if 'no_proxy' environment variable is set and if our URL is included
+ use_proxy = self.detect_no_proxy(req.get_full_url())
+@@ -719,6 +732,14 @@ def http_request(self, req):
+ except:
+ pass
+
++ try:
++ # cleanup the temp file created, don't worry
++ # if it fails for some reason
++ if to_add_ca_cert_path:
++ os.remove(to_add_ca_cert_path)
++ except:
++ pass
++
+ return req
+
+ https_request = http_request
diff --git a/ansible.spec b/ansible.spec
index 602f7ae..cdb1f8c 100644
--- a/ansible.spec
+++ b/ansible.spec
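Review bot: `to_add_fd` from `tempfile.mkstemp()` (inner hunk `@@ -590,6 +592,8 @@`) is written with `os.write()` but never closed before `get_ca_certs` returns `to_add_path` in the `@@ -608,13 +612,21 @@` hunk, so each call leaks a descriptor; the pre-existing `tmp_fd` appears to be left open the same way unless it is closed somewhere outside these hunks. Put `os.close(to_add_fd)` (and `os.close(tmp_fd)`) immediately before `return (tmp_path, to_add_path, paths_checked)`. The new `LOADED_VERIFY_LOCATIONS` set deduplicates by file path, whereas the `X509_STORE_add_cert` error quoted in the commit message is raised per certificate, so the same certificate present under two paths in the searched directories would presumably still be added twice; keying the set on the bytes read (or a digest of them) would match the failure mode described. `get_ca_certs` and `http_request` both begin before their hunks, and since this is a vendored upstream patch these are points to carry upstream rather than to change in the packaging commit.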
@@ -14,7 +14,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 Name: ansible
 Summary: SSH-based configuration management, deployment, and task execution system
 Version: 2.2.0.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Libraries
 License: GPLv3+
@@ -31,6 +31,14 @@ Source100: get-unittests.sh
 # Upstream issue: https://github.com/ansible/ansible/issues/11536
 Patch0: ansible-2.1.0.0-control_path.patch
+#
+# fix issue with openssl and python-cryptography that breaks tests
+# If python-cryptography is pulled in and openssl is 1.0.x one of the tests will
+# leave things in an error state due to no network access in koji and cause a later
+# test to completely fail due to this.
+#
+Patch1: https://patch-diff.githubusercontent.com/raw/ansible/ansible/pull/18296.patch
+
 # Patch to utilize a newer jinja2 package on epel6
 # Non-upstreamable as it creates a dependency on a specific version of jinja.
 # This is desirable for us as we have packages for that version but not for
@@ -55,6 +63,8 @@ BuildRequires: python2-devel
 BuildRequires: python-setuptools
 # For tests
+# We don't run tests on epel6, so don't bother pulling these in there.
+%if (0%{?fedora} || 0%{?rhel} > 6)
 BuildRequires: PyYAML
 BuildRequires: python-paramiko
 BuildRequires: python-keyczar
@@ -64,10 +74,11 @@ BuildRequires: python-six
 BuildRequires: python-nose
 BuildRequires: python-coverage
 BuildRequires: python-mock
-BuildRequires: python2-boto3
-BuildRequires: python2-botocore
+BuildRequires: python-boto3
+BuildRequires: python-botocore
 BuildRequires: docker
 BuildRequires: python-passlib
+%endif
 %if (0%{?rhel} && 0%{?rhel} <= 6)
 # Ansible will work with the jinja2 shipped with RHEL6 but users can gain
@@ -133,6 +144,8 @@ are transferred to managed machines automatically.
 %patch0 -p1
 %endif
+%patch1 -p1
+
 %if 0%{?rhel} == 6
 %patch100 -p1
 %endif
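Review bot: `Patch1:` in the `@@ -31,6 +31,14 @@` hunk names GitHub's pull-request `.patch` endpoint, which serves whatever the PR branch holds at fetch time and changes if the PR is amended, so the URL does not pin the bytes vendored here as 18296.patch. Since what gets applied is the copy committed in this repo, record the upstream commit it was taken from so the vendored file can be re-verified against upstream: `# Upstream commit 96541c0e3f55b233ac9eaf8710235fa40057f977 (ansible PR 18296)` above the `Patch1:` line. The comment block above it describes only the symptom seen in the koji test run; a line saying what the patch does (stops re-adding the same CA certificate to the OpenSSL store on retried requests, which otherwise leaves an error on the OpenSSL error stack that python-cryptography rejects at import) would help whoever later decides whether the patch can be dropped.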
@@ -172,6 +185,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc %{_mandir}/man1/ansible*
 %changelog
+* Tue Nov 01 2016 Kevin Fenzi - 2.2.0.0-2
+- Fix some BuildRequires to work on all branches.
+
 * Tue Nov 01 2016 Kevin Fenzi - 2.2.0.0-1
 - Update to 2.2.0. Fixes #1390564 #1388531 #1387621 #1381538 #1388113 #1390646 #1388038 #1390650
 - Fixes for CVE-2016-8628 CVE-2016-8614 CVE-2016-8628 CVE-2016-8614