cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

openssh_keypair: make sure public key has same permissions as private key (#61658)

Browse source 
* Make sure public key has same permissions as private key.

* Add changelog.

* Text, not binary.
This commit is contained in:
Felix Fontein 2019-09-10 06:44:04 +02:00 committed by GitHub
parent c77ab11051
commit c19cea9b03
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- "openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key."

15
lib/ansible/modules/crypto/openssh_keypair.py
View file

@ -202,7 +202,7 @@ class Keypair(object):
self.remove() self.remove()
module.fail_json(msg="%s" % to_native(e)) module.fail_json(msg="%s" % to_native(e))
elif not self.isPublicKeyValid(module): elif not self.isPublicKeyValid(module, perms_required=False):
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path]) pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
pubkey = pubkey[1].strip('\n') pubkey = pubkey[1].strip('\n')
try: try:
@ -230,6 +230,9 @@ class Keypair(object):
file_args = module.load_file_common_arguments(module.params) file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False): if module.set_fs_attributes_if_different(file_args, False):
self.changed = True self.changed = True
file_args['path'] = file_args['path'] + '.pub'
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def isPrivateKeyValid(self, module, perms_required=True): def isPrivateKeyValid(self, module, perms_required=True):
@ -268,7 +271,7 @@ class Keypair(object):
return _check_state() and _check_perms(module) and _check_type() and _check_size() return _check_state() and _check_perms(module) and _check_type() and _check_size()
def isPublicKeyValid(self, module): def isPublicKeyValid(self, module, perms_required=True):
def _get_pubkey_content(): def _get_pubkey_content():
if os.path.exists(self.path + ".pub"): if os.path.exists(self.path + ".pub"):
@ -296,6 +299,11 @@ class Keypair(object):
return pubkey_parts[2] == self.comment return pubkey_parts[2] == self.comment
return False return False
def _check_perms(module):
file_args = module.load_file_common_arguments(module.params)
file_args['path'] = file_args['path'] + '.pub'
return not module.set_fs_attributes_if_different(file_args, False)
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path]) pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
pubkey = pubkey[1].strip('\n') pubkey = pubkey[1].strip('\n')
pubkey_parts = _parse_pubkey() pubkey_parts = _parse_pubkey()
@ -305,8 +313,11 @@ class Keypair(object):
if not self.comment: if not self.comment:
return _pubkey_valid(pubkey) return _pubkey_valid(pubkey)
if not perms_required:
return _pubkey_valid(pubkey) and _comment_valid() return _pubkey_valid(pubkey) and _comment_valid()
return _pubkey_valid(pubkey) and _comment_valid() and _check_perms(module)
def dump(self): def dump(self):
# return result as a dict # return result as a dict