From 5d5a21fddf89d77434d559228568efd5b24fb4bb Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 7 Dec 2023 22:26:04 +0100 Subject: [PATCH] Directly handle unexpected non-JSON results. (#682) --- changelogs/fragments/682-acme-errors.yml | 2 ++ plugins/module_utils/acme/account.py | 14 +++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/682-acme-errors.yml diff --git a/changelogs/fragments/682-acme-errors.yml b/changelogs/fragments/682-acme-errors.yml new file mode 100644 index 00000000..305953ec --- /dev/null +++ b/changelogs/fragments/682-acme-errors.yml @@ -0,0 +1,2 @@ +bugfixes: + - "acme_* modules - directly react on bad return data for account creation/retrieval/updating requests (https://github.com/ansible-collections/community.crypto/pull/682)." diff --git a/plugins/module_utils/acme/account.py b/plugins/module_utils/acme/account.py index 04eac056..0ad58e92 100644 --- a/plugins/module_utils/acme/account.py +++ b/plugins/module_utils/acme/account.py @@ -9,6 +9,8 @@ from __future__ import absolute_import, division, print_function __metaclass__ = type +from ansible.module_utils.common._collections_compat import Mapping + from ansible_collections.community.crypto.plugins.module_utils.acme.errors import ( ACMEProtocolException, ModuleFailException, @@ -96,6 +98,9 @@ class ACMEAccount(object): ) result, info = self.client.send_signed_request(url, new_reg, fail_on_error=False) + if not isinstance(result, Mapping): + raise ACMEProtocolException( + self.client.module, msg='Invalid account creation reply from ACME server', info=info, content=result) if info['status'] in ([200, 201] if self.client.version == 1 else [201]): # Account did not exist 
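Review bot: The three-line `isinstance(result, Mapping)` guard added after the account-creation request is repeated in the hunks at -156 and -250 with only the `msg` text changed, so the three copies can drift apart. A private helper on `ACMEAccount` that takes `result`, `info` and `msg` and raises `ACMEProtocolException(self.client.module, msg=msg, info=info, content=result)` would keep them in step. The guard also hands the raw server body to the exception as `content=result`. `ACMEProtocolException` is not shown in this patch, so confirm that it length-bounds and safely decodes a non-JSON body (for example an HTML page from an intermediary) before it reaches the module's failure output. The enclosing method starts and ends outside the hunk.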
@@ -156,6 +161,9 @@ class ACMEAccount(object): # retry as a regular POST (with no changed data) for pre-draft-15 ACME servers data = {} result, info = self.client.send_signed_request(self.client.account_uri, data, fail_on_error=False) + if not isinstance(result, Mapping): + raise ACMEProtocolException( + self.client.module, msg='Invalid account data retrieved from ACME server', info=info, content=result) if info['status'] in (400, 403) and result.get('type') == 'urn:ietf:params:acme:error:unauthorized': # Returned when account is deactivated return None @@ -250,5 +258,9 @@ class ACMEAccount(object): else: if self.client.version == 1: update_request['resource'] = 'reg' - account_data, dummy = self.client.send_signed_request(self.client.account_uri, update_request) + account_data, info = self.client.send_signed_request(self.client.account_uri, update_request) + if not isinstance(account_data, Mapping): + raise ACMEProtocolException( + self.client.module, msg='Invalid account updating reply from ACME server', info=info, content=account_data) + return True, account_data
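Review bot: The new guard in the account-retrieval path has no comment explaining why it must come before the status handling, although the very next line calls `result.get('type')` and depends on it. I would add above the check: `# The reply body comes from the server (or anything in front of it) and may not be a JSON object; validate before using .get() below.` Because the request is sent with `fail_on_error=False`, the guard also fires for error statuses, so a 400/403 with a non-object body now raises `ACMEProtocolException` and never reaches the deactivated-account branch that returns `None`. That looks intended, but the comment should say so. The enclosing method starts and ends outside the hunk.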
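Review bot: The guard before `return True, account_data` only establishes that the update reply is a mapping, not that it is an account object, so an empty or unrelated JSON object from the server is still returned to the caller as the updated account. Unlike the other two call sites, this one does not pass `fail_on_error=False`, so error statuses are presumably already raised inside `send_signed_request` and the guard covers only a successful status with a non-object body. If callers index into `account_data`, either check here for a field they rely on or state in the method's docstring that keys may be absent. The message would also read better as `msg='Invalid account update reply from ACME server'`. The enclosing method starts outside the hunk.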