openssh_keypair: bugfix make regenerating keypairs via force possible… (#57801)
* openssh_keypair: bugfix make regenerating keypairs via force possible / add invalid file handling
* openssh_keypair: change permissions of read-only file instead of deleting it for regeneration; add changelog fragment
* address review feedbak, refactor
* add integration tests for bigfixes
* linter: fix indent
* fixup integration tests: use force when regenerating an invalid file
* linter: fix indent
* openssh_keypair: address review feedback
* openssh_keypair: fixup, remove backtick
* openssh_keypair: address review feedback
* Only pass 'y' into stdin of ssh-keygen when file exists.
(cherry picked from commit 547a29805e
)
This commit is contained in:
parent
7a9fe9ea7b
commit
5d3eebb610
4 changed files with 74 additions and 2 deletions
|
@ -0,0 +1,2 @@
|
|||
bugfixes:
|
||||
- openssh_keypair - make regeneration of valid keypairs with the ``force`` option possible, add better handling for invalid files
|
|
@ -116,6 +116,7 @@ public_key:
|
|||
'''
|
||||
|
||||
import os
|
||||
import stat
|
||||
import errno
|
||||
|
||||
from ansible.module_utils.basic import AnsibleModule
|
||||
|
@ -180,8 +181,13 @@ class Keypair(object):
|
|||
args.extend(['-C', ""])
|
||||
|
||||
try:
|
||||
if os.path.exists(self.path) and not os.access(self.path, os.W_OK):
|
||||
os.chmod(self.path, stat.S_IWUSR + stat.S_IRUSR)
|
||||
self.changed = True
|
||||
module.run_command(args)
|
||||
stdin_data = None
|
||||
if os.path.exists(self.path):
|
||||
stdin_data = 'y'
|
||||
module.run_command(args, data=stdin_data)
|
||||
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path])
|
||||
self.fingerprint = proc[1].split()
|
||||
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
|
||||
|
@ -201,7 +207,13 @@ class Keypair(object):
|
|||
return os.path.exists(self.path)
|
||||
|
||||
if _check_state():
|
||||
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path])
|
||||
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
|
||||
if not proc[0] == 0:
|
||||
if os.path.isdir(self.path):
|
||||
module.fail_json(msg='%s is a directory. Please specify a path to a file.' % (self.path))
|
||||
|
||||
return False
|
||||
|
||||
fingerprint = proc[1].split()
|
||||
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
|
||||
pubkey = pubkey[1].strip('\n')
|
||||
|
|
|
@ -28,4 +28,44 @@
|
|||
path: '{{ output_dir }}/privatekey5'
|
||||
register: publickey_gen
|
||||
|
||||
- name: Generate privatekey6
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey6'
|
||||
type: rsa
|
||||
|
||||
- name: Regenerate privatekey6 via force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey6'
|
||||
type: rsa
|
||||
force: yes
|
||||
register: output_regenerated_via_force
|
||||
|
||||
- name: Create broken key
|
||||
copy:
|
||||
dest: '{{ item }}'
|
||||
content: ''
|
||||
mode: '0700'
|
||||
loop:
|
||||
- '{{ output_dir }}/privatekeybroken'
|
||||
- '{{ output_dir }}/privatekeybroken.pub'
|
||||
|
||||
- name: Regenerate broken key
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeybroken'
|
||||
type: rsa
|
||||
register: output_broken
|
||||
|
||||
- name: Generate read-only private key
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeyreadonly'
|
||||
type: rsa
|
||||
mode: '0200'
|
||||
|
||||
- name: Regenerate read-only private key via force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeyreadonly'
|
||||
type: rsa
|
||||
force: yes
|
||||
register: output_read_only
|
||||
|
||||
- import_tasks: ../tests/validate.yml
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
- name: Log privatekey1 return values
|
||||
debug:
|
||||
var: privatekey1_result
|
||||
|
@ -73,3 +74,20 @@
|
|||
assert:
|
||||
that:
|
||||
- "publickey_gen.public_key == lookup('file', output_dir ~ '/privatekey5.pub').strip('\n')"
|
||||
|
||||
- name: Verify that privatekey6 will be regenerated via force
|
||||
assert:
|
||||
that:
|
||||
- output_regenerated_via_force is changed
|
||||
|
||||
|
||||
- name: Verify that broken key will be regenerated
|
||||
assert:
|
||||
that:
|
||||
- output_broken is changed
|
||||
|
||||
|
||||
- name: Verify that read-only key will be regenerated
|
||||
assert:
|
||||
that:
|
||||
- output_read_only is changed
|
Loading…
Reference in a new issue