Do fail instead of regenerate for password protected and invalid keys. (#65638)
This commit is contained in:
parent
d6fb9da8ed
commit
8f10db8552
4 changed files with 43 additions and 9 deletions
|
@ -1,2 +1,4 @@
|
|||
bugfixes:
|
||||
- openssh_keypair - add logic to handle password protected or broken key
|
||||
- openssh_keypair - add logic to avoid breaking password protected keys.
|
||||
minor_changes:
|
||||
- openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
|
||||
|
|
|
@ -64,7 +64,7 @@ options:
|
|||
type: str
|
||||
version_added: "2.9"
|
||||
notes:
|
||||
- In case the ssh key is broken or password protected, it will be regenerated.
|
||||
- In case the ssh key is broken or password protected, the module will fail. Set the I(force) option to C(yes) if you want to regenerate the keypair.
|
||||
|
||||
extends_documentation_fragment: files
|
||||
'''
|
||||
|
@ -245,13 +245,16 @@ class Keypair(object):
|
|||
def _check_pass_protected_or_broken_key():
|
||||
key_state = module.run_command([module.get_bin_path('ssh-keygen', True),
|
||||
'-P', '', '-yf', self.path], check_rc=False)
|
||||
if key_state[0] == 255 or 'is not a public key file' in key_state[2]:
|
||||
return True
|
||||
if 'incorrect passphrase' in key_state[2] or 'load failed' in key_state[2]:
|
||||
return True
|
||||
return False
|
||||
|
||||
if _check_state():
|
||||
if _check_pass_protected_or_broken_key():
|
||||
return False
|
||||
module.fail_json(msg='Unable to read the key. The key is protected with a passphrase or broken.'
|
||||
' Will not proceed. To force regeneration, call the module with `force=yes`.')
|
||||
|
||||
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
|
||||
if not proc[0] == 0:
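Review bot: `_check_pass_protected_or_broken_key` folds every non-zero outcome of `ssh-keygen -P '' -yf` into one boolean — exit status 255 is what ssh-keygen returns from fatal() for any unrecoverable error, not only an encrypted or corrupt key — so an unreadable file, a permission problem or an unsupported key format now aborts the module with the same "protected with a passphrase or broken" message and the real cause is lost. The helper also discards `key_state[2]`, and the substring tests (`'incorrect passphrase'`, `'load failed'`, `'is not a public key file'`) are presumably tied to the wording of particular OpenSSH releases, so an operator debugging a false positive has nothing to go on. Consider having the helper return ssh-keygen's stderr (or `None` when the key loads) and passing it through as `stderr=` and `rc=` to `module.fail_json(...)`, keeping the existing `msg` text unchanged so the tests still match. Failing closed here is the right direction; the note is only about diagnosability. The enclosing method starts before this hunk and continues past `if not proc[0] == 0:`.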
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
- name: Generate privatekey1 - standard
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey1'
|
||||
|
@ -53,11 +54,19 @@
|
|||
- '{{ output_dir }}/privatekeybroken'
|
||||
- '{{ output_dir }}/privatekeybroken.pub'
|
||||
|
||||
- name: Regenerate broken key
|
||||
- name: Regenerate broken key - should fail
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeybroken'
|
||||
type: rsa
|
||||
register: output_broken
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Regenerate broken key with force
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekeybroken'
|
||||
type: rsa
|
||||
force: yes
|
||||
register: output_broken_force
|
||||
|
||||
- name: Generate read-only private key
|
||||
openssh_keypair:
|
||||
|
@ -87,9 +96,16 @@
|
|||
- name: Generate password protected key
|
||||
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
|
||||
|
||||
- name: Try to modify the password protected key - should be overridden
|
||||
- name: Try to modify the password protected key - should fail
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey8'
|
||||
register: privatekey8_result
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Try to modify the password protected key with force=yes
|
||||
openssh_keypair:
|
||||
path: '{{ output_dir }}/privatekey8'
|
||||
force: yes
|
||||
register: privatekey8_result_force
|
||||
|
||||
- import_tasks: ../tests/validate.yml
|
||||
|
|
|
@ -86,10 +86,17 @@
|
|||
- output_regenerated_via_force is changed
|
||||
|
||||
|
||||
- name: Verify that broken key will be regenerated
|
||||
- name: Verify that broken key will cause failure
|
||||
assert:
|
||||
that:
|
||||
- output_broken is changed
|
||||
- output_broken is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken.' in output_broken.msg"
|
||||
|
||||
|
||||
- name: Verify that broken key will be regenerated if force=yes is specified
|
||||
assert:
|
||||
that:
|
||||
- output_broken_force is changed
|
||||
|
||||
|
||||
- name: Verify that read-only key will be regenerated
|
||||
|
@ -113,7 +120,13 @@
|
|||
that:
|
||||
- privatekey7_modified_result.comment == 'test_modified@privatekey7'
|
||||
|
||||
- name: Check that password protected key has been regenerated
|
||||
- name: Check that password protected key made module fail
|
||||
assert:
|
||||
that:
|
||||
- privatekey8_result is changed
|
||||
- privatekey8_result is failed
|
||||
- "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
|
||||
|
||||
- name: Check that password protected key was regenerated with force=yes
|
||||
assert:
|
||||
that:
|
||||
- privatekey8_result_force is changed
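Review bot: The new assertions check only that the module failed and emitted the expected message; they do not check the property that motivated the change — that the passphrase-protected `privatekey8` and the broken key are left byte-for-byte untouched by the failed run — nor that the `force: yes` rerun actually produced a key that loads without a passphrase. A regression that overwrote the key and then still reported a failure, or a forced run that wrote a key ssh-keygen cannot read, would not be caught by this suite. Consider adding `stat` tasks around the expected-failure step in main.yml and asserting `privatekey8_before.stat.checksum == privatekey8_after.stat.checksum`, and after the forced regeneration asserting that `ssh-keygen -P '' -yf {{ output_dir }}/privatekey8` exits 0.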
|
||||
|
|