From 20eaebd9b2e86178fc9a4737b9a955fd326b5d2c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Thu, 10 Jan 2019 17:37:17 +0100
Subject: [PATCH] [2.7] openssl_pkcs12: fix ca_certificates path expansion (#50697)
* Expand user and variables in ca_certificates paths. This is a fix specific for stable-2.7. In devel (and stable-2.8), this problem is fixed by #48473. That PR adds argument spec validation for list elements.
* Add changelog.
---
 changelogs/fragments/50697-openssl_pkcs12-ca_certificates.yaml | 2 ++
 lib/ansible/modules/crypto/openssl_pkcs12.py | 2 +-
 test/sanity/code-smell/use-argspec-type-path.py | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/50697-openssl_pkcs12-ca_certificates.yaml
diff --git a/changelogs/fragments/50697-openssl_pkcs12-ca_certificates.yaml b/changelogs/fragments/50697-openssl_pkcs12-ca_certificates.yaml
new file mode 100644
index 0000000000..0a936c18c9
--- /dev/null
+++ b/changelogs/fragments/50697-openssl_pkcs12-ca_certificates.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssl_pkcs12 - now does proper path expansion for ``ca_certificates``."
diff --git a/lib/ansible/modules/crypto/openssl_pkcs12.py b/lib/ansible/modules/crypto/openssl_pkcs12.py
index 35023cd291..df50e68dbe 100644
--- a/lib/ansible/modules/crypto/openssl_pkcs12.py
+++ b/lib/ansible/modules/crypto/openssl_pkcs12.py
@@ -222,7 +222,7 @@ class Pkcs(crypto_utils.OpenSSLObject):
 module.fail_json(msg=to_native(exc))
 if self.ca_certificates:
- ca_certs = [crypto_utils.load_certificate(ca_cert) for ca_cert
+ ca_certs = [crypto_utils.load_certificate(os.path.expanduser(os.path.expandvars(ca_cert))) for ca_cert
 in self.ca_certificates]
 self.pkcs12.set_ca_certificates(ca_certs)
diff --git a/test/sanity/code-smell/use-argspec-type-path.py b/test/sanity/code-smell/use-argspec-type-path.py
index a052030a38..9efa19671a 100755
--- a/test/sanity/code-smell/use-argspec-type-path.py
+++ b/test/sanity/code-smell/use-argspec-type-path.py
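Review bot: In the `openssl_pkcs12.py` hunk the expansion is applied inline inside the list comprehension, so any other reader of `self.ca_certificates` outside this hunk would still see the raw, unexpanded strings; normalising the list once where it is stored would keep every consumer on the same resolved path. `os.path.expandvars` leaves unset variables untouched, so a mistyped `$VAR` silently becomes a literal path component and the failure only surfaces inside `load_certificate`. From the visible lines the comprehension does not appear to sit inside the preceding `try`, so such an error may not reach `module.fail_json`; that is worth confirming against the full method, which starts and ends outside the hunk. A short comment such as `# manual equivalent of type='path' expansion; drop once list element validation (#48473) is available` would explain why this is done by hand on this branch.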
@@ -23,6 +23,7 @@ def main():
 'lib/ansible/modules/web_infrastructure/jenkins_plugin.py',
 'lib/ansible/modules/cloud/vmware/vmware_deploy_ovf.py',
 'lib/ansible/modules/crypto/certificate_complete_chain.py', # would need something like type=list(path)
+ 'lib/ansible/modules/crypto/openssl_pkcs12.py', # would need something like type=list(path)
 # fix uses of expanduser in the following modules and remove them from the following list
 'lib/ansible/modules/cloud/rackspace/rax.py',
 'lib/ansible/modules/cloud/rackspace/rax_scaling_group.py',