Commit graph

45 commits

Author SHA1 Message Date
Matt Clay
04666c9fa1
Clean up unit tests to assist with migration. (#67875)
* Split out cache plugin unit tests.

* Rename unit tests to match code under test.

* Relocate unit test code to match code under test.

* Another rename.

* Update sanity ignores.
2020-02-28 20:29:41 -08:00
Sato Kenta
a4b59d0213 pamd: Fix AttributeError when removing the first or last rule (#66398) 2020-01-23 14:08:42 -05:00
Hans Jerry Illikainen
a0b8b85fa5 ufw: add support for interface_in and interface_out (#65382)
* ufw: escalate privileges in integration tests

A few of the integration tests for the UFW module forgot to `become`.
This is problematic if the test suite is executed as a non-privileged
user.  This commit amends that by adding `become` when appropriate.

* ufw: add unit tests for direction and interface

Extend the unit tests for the UFW module to test the `direction` and
`interface` parameters.  This will help in the implementation of a fix
for issue #63903.

* ufw: add support for interface_in and interface_out

The UFW module has support for specifying `direction` and `interface`
for UFW rules.  Rules with these parameters are built such that
per-interface filtering only apply to a single direction based on the
value of `direction`.

Not being able to specify multiple interfaces complicates things for
`routed` rules where one might want to apply filtering only for a
specific combination of `in` and `out` interfaces.

This commit introduces two new parameters to the UFW module:
`interface_in` and `interface_out`.  These rules are mutually exclusive
with the old `direction` and `interface` parameter because of the
ambiguity of having e.g.:

    direction: XXX
    interface: foo
    interface_XXX: bar

Fixes #63903
2019-12-02 08:01:44 +01:00
Andrea Scarpino
8f843bbaa5 iptables: support wait parameter (#47877)
Version 1.4.20 doesn't support 'wait' at all
Version 1.6.0 requires an argument for it
2019-10-19 22:27:45 +05:30
Andrey Klychkov
32de51adac Unit tests: remove unused imports (#59740) 2019-07-29 22:10:13 +02:00
Alvaro Olmedo Rodriguez
a1dcba63b3 java_keystore - Prefer SHA256 and solve SHA256 keytool in java11 version (#57302) 2019-07-15 12:44:30 -04:00
Łukasz Szczęsny
bcdd1dc951 pamd: fix idempotence issue when removing rules (#54105) 2019-04-01 10:18:33 -04:00
MonsieurBon
eb790cd3c6 Added support for iptables module iprange (#53732) (#53732) 2019-03-18 13:05:04 +00:00
Olivier Bourdon
668f014b3c Add more tests for method option change (#52228) 2019-03-15 09:53:32 +00:00
Abhijeet Kasurde
8d4343b94c
iptables: implement log_level parameter (#52880)
Fixes: #25100

Based upon https://github.com/ansible/ansible/pull/25118

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2019-03-13 18:10:59 +05:30
Abhijeet Kasurde
f0ef4dae05
iptables: Add support for gateway parameter (#53465)
When user specifies the JUMP value to 'tee', gateway is required.
This fix adds new parameter 'gateway' to support this functionality.

Fixes: #53170

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2019-03-13 17:47:44 +05:30
Jérôme BAROTIN
b99de25f32 Enable changed var with ufw check mode (#49948)
* Enable 'changed' var with ufw check mode

* Fix from comment of the PR + Unit Test

* Fix on ufw module after the second review

- delete rules change works in check mode
- simplify execute def & use it on every call process
- improved regexp
- rename vars defaults to current_default_values

* Add ignore error to execute() and use it in get_current_rules()

* Update after third code review (introduce change in changed status)

* Adjust tests and fix some problems (#1)

* 'active' also appears in 'inactive'.

* 'reject' is also a valid option here.

* For example for reloaded, changed will be set back to False here.

* Improve and adjust tests.

* Fix after merging integration test

* handle "disabled" on default routed

* Add /var/lib/ufw/.. rules files

* add unit test

* Fix pep8 formatting error

* Separate ipv6 and ipv4 rules process from checkmode

* fix non-ascii error on ci

* Some change after review

* Add unit test with sub network mask

* rename is_match function by is_starting

* add changelog fragment
2019-02-11 11:05:35 +00:00
Olivier Bourdon
cf3483e752 Add tests filters (#43221)
This will allow tests to be carried out condtionally if necessary
using regexp include and/or exclude filters
Reorganize imports into alphabetical order for easier insertion
2018-11-13 11:16:49 +00:00
Jocelyn Jaubert
4352a4e54d interfaces_file: Add test for pre-up/post-up with inet/inet6 2018-10-22 20:51:59 +02:00
Jocelyn Jaubert
bd7001cdb6 interfaces_file: Add test for changing ipv4 or ipv6 address through address_family 2018-10-22 20:51:59 +02:00
Jocelyn Jaubert
a4916e848d interfaces_file: Add test for multiple address_family for same iface 2018-10-22 20:51:59 +02:00
Matt Clay
37b013aca3
Enable additional pylint rules and resolve issues found. (#47221)
* Resolve unneeded-not.
* Resolve global-at-module-level.
* Resolve useless-import-alias.
* Resolve bad-whitespace.
* Resolve global-variable-not-assigned.
* Resolve logging-not-lazy.
* Resolve comparison-with-itself.
2018-10-18 13:38:08 -07:00
Matt Clay
3033fd96b0
Move unit test compat code out of lib/ansible/. (#46996)
* Move ansible.compat.tests to test/units/compat/.
* Fix unit test references to ansible.compat.tests.
* Move builtins compat to separate file.
* Fix classification of test/units/compat/ dir.
2018-10-12 20:01:14 -07:00
Matt Clay
0686450cae
Fix unit tests which modify the source tree. (#45763)
* Fix CNOS unit test log usage.
* Use temp dir for Galaxy unit tests.
* Write to temp files in interfaces_file unit test.
* Fix log placement in netapp_e_ldap unit test.
2018-09-17 20:27:14 -07:00
Gregory Hellings
6f007c35c1 Improved the documentation of known_hosts
The documentation for the key parameter was lacking in specificity and
also lacking in testing. These parts are both remedied herein.

Fixes #43157
2018-07-24 09:25:12 -04:00
Yanis Guenane
42c2fd72ae Fix test_create_jks_success failing on SELinux machine (#42001)
Currently TestCreateJavaKeystore::test_create_jks_success is failing on
a machine with SELinux because set_context_if_different is not mocked
and hence tries to access a file that doesn't exist because it has been
mocked previously.

Also, changing path to a path that won't exist for sure.
2018-06-27 11:43:31 -04:00
Guillaume Grossetie
5ffa1a1b2a Add a module to create a java key store (jks) from a certificate (#35273)
* Add a module to create a java key store (jks) from a certificate
* Create a jks from a certificate and a private key (secured by a password)
* Add an option to recreate the jks (useful when you want to update the jks password)
* If the certificate changed, recreate the jks
* Version added is now 2.7
2018-05-30 13:53:09 +05:30
Adam Miller
bc7ff83cd9 parted module not idempotent for esp flag and name (#40547)
* parted module not idempotent for esp flag and name

Fixes #40452

Currently the parted module doesn't take into account names with
spaces in them which leads to non-idempotent transactions on the
state of the system because the name comparison will never succeed.

Also, when the esp flag is set, parted infers the boot flag and the
parted module did not previously account for this. This lead to
non-idempotent transactions as well.

Signed-off-by: Adam Miller <admiller@redhat.com>

* fix unit tests, expected command changed in the patch

Signed-off-by: Adam Miller <admiller@redhat.com>
2018-05-23 11:06:26 -04:00
Ken Evensen
fabce98104 Pamd++ (#35709)
* Cleaner, more pythonic, shorter, easier to maintain

* Added validation
2018-05-23 08:24:54 -05:00
Sam Doran
c9d3bb59a4 Do not join flag parameters in iptables module (#36658)
* Do not join flag parameters

This put a comma between every character of the tcp flag parameters, resulting in a bad iptables command.

Fixes #36490

* Use suboptions to ensure tcp_flags options are lists

* Add unit tests for tcp_flags

* Add example of how to use tcp_flags
2018-05-17 13:53:51 -04:00
Olivier Bourdon
a3f2e99864 Fix for changing method only on specified interface (#39015)
Test added for interface method change
2018-04-27 05:18:19 -04:00
Olivier Bourdon
612d0d6634 Fix interfaces_file for proper file contents (#37818)
The generated file was completely unusable by the system
therefore the fix which ensures that diffing the file
prior to changes and after only shows diffs

Furthermore the code did not work for Python 3.6
>       f.writelines(to_bytes(lines, errors='surrogate_or_strict'))
E       TypeError: a bytes-like object is required, not 'int'

The other modifications (lambda variable renaming) is to
comply with default flake8 rules
2018-03-28 10:21:43 +01:00
Ken Evensen
5cce0249f3 Fixes #35629 (#35668) 2018-02-05 15:47:14 -06:00
Aron Szekely
943730b70c Update pamd.py to allow module path with slashes (#32197) 2018-01-18 09:57:12 +05:30
David Kretch
98260f9884 Fix pamd error when inserting a new rule at the end. Fixes #28487 (#28488)
* When inserting a new rule in `insert_after_rule`, check if the old rule is
the last rule, to avoid a list index out of range error when attempting to
access the next rule.
* Add a test for inserting a new rule after the last rule.
2017-12-13 15:31:20 -06:00
R. Francis Smith
e957760d52 updated pamd rule args regexp to match file paths also (#33432)
* Added . and / to rule args regexp

Things like pam_echo.so file=/etc/foo.txt weren't being matched and
causing incorrect change counts.  Adding / and . fixed that.

Fixes #33351

* pamd: test argument with value

Relates #33351
2017-11-30 15:32:02 -05:00
Pilou
a5c9726502 Unit tests: share common code (#31456)
* move set_module_args to units.modules.utils
* unit tests: reuse set_module_args
* unit tests: mock exit/fail_json in module.utils.ModuleTestCase
* unit tests: use module.utils.ModuleTestCase
* unit tests: fix 'import shadowed by loop variable'
2017-11-17 09:17:07 -08:00
Sébastien DA ROCHA
bc4ba6b638 Iptables unit tests (#30762)
* Add some tests for iptables

* Fix remove bug (calls 2 times check to remove a chain)

* Add me as maintainer

* Fix PEP8

* Doc: Give more information on issue #18988

* Fix #18988 and test it

* Fix doc (thanks Pillou)

* enable PEP8 check for iptables
2017-11-01 12:08:57 +01:00
Ken Evensen
8724ff3eae pamd: fix issue with trailing commas in module_arguments 2017-10-30 08:24:21 +01:00
Matt Clay
442af3744e Miscellaneous pylint fixes.
The following rules are no longer disabled:

- bad-format-string
- duplicate-key
- lost-exception
- trailing-newlines
- unexpected-keyword-arg
- useless-suppression
- using-constant-test
2017-09-13 01:53:08 -07:00
Kai
3251aecd95 Fix leading slashes being stripped from mount src (#24013)
* Tidy mount module for testing

Fix spelling mistakes in comments. I *think* the example for omitting parents
root has the wrong parent ID.

Make mountinfo file a parameter for testing.

* Don't strip leading slash from mounts

The current code does not follow the example, it produces src=tmp/aaa instead
of src=/tmp/aaa. This causes problems with bind mounts under /rootfs.

* Use dictionary to store mounts by ID

Instead of looping over each one to check if the ID matches. This does not
preserve the order of the output on < Python3.6, but that is not necessary.

* Make linux_mounts a dict

Always accessed by 'dst', so avoid looping by just making it a key.

* Add test case for get_linux_mounts
2017-08-29 15:16:53 +02:00
Roman Belyakovsky
42039cd436 New module: manage debian network interfaces file /etc/network/interfaces (system/interfaces_file) (#25295)
* Added new module interfaces_file

* interfaces_file: added unit tests

* interfaces_file: added golden files for unit tests

* interfaces_file: moved to system modules

* interfaces_file: fixed code formatting and convention issues
2017-08-01 12:11:43 -06:00
Guillaume Coré
42ca1ef040 Add unit tests for parted module (#24164)
* Add unit tests for parted module

Test the current expected behavior of the module:
- mock parted() and get_device_info()
- Use some of the examples and test the 'script' passed to parted.
- mock check_parted_label() to return false, as if parted version is > 3.1
- assert get_device_info output is correct

Current implementation of the module runs parted several time while going
through all parameters (flags, name, ...). Between calls it uses get_device_info
to update the dictionary. Use check_mode for some of the tests to force module
to go through all the parameters even is dictionary is not updated.

* test_parted.py: add "name" param into expected results

since 78fff751ab, parse_partition_info
fetch the partition name. This commit adds 'name' key and value into
the expected results.
2017-07-17 21:11:10 -07:00
Adrian Likins
0fc0b6f059 Mv AnsibleFactCollector back to module_utils (#26150)
It was in lib/ansible/modules/system/setup.py since it
was the only thing using it, but move it back to module_utils
and add a ansible_collector.get_ansible_collector() to build
a facts collector just like the one used by setup.py

mv test_setup.py -> test_ansible_collector.py
All the code it was testing is now in ansible_collector

rm code to create 'ansible_facts' subkey from namespace

Just leave it up to the caller to do, and just return a
flat dictionary from AnsibleFactCollector.collect()
2017-07-11 10:44:22 -04:00
Ken Evensen
f31d3ddeb7 Pamd Updates (#25817)
* Fix for #25522
Fix for #25855
Fix for #23963

* Minor fix

* Updates per bcoca.  Fix in regex for silvinux.
2017-07-10 11:41:01 -04:00
Adrian Likins
45a9f96774 Facts Refresh (2.4 roadmap) (#23012)
Facts Refresh (2.4 roadmap)

This commit implements most of the 2.4 roadmap 'Facts Refresh'
- move facts.py to facts/__init__.py
- move facts Distribution() to its own class
- add a facts/utils.py
- move get_file_content and get_uname_version to facts/utils.py
- move Facts() class from facts/__init__ to facts/facts.py
- mv get_file_lines to facts/utils.py
- mv Ohai()/Facter() class to facts/ohai.py and facter.py
- Start moving fact Hardware() classes to facts/hardware/*.py
- mv HPUX() hardware class to facts/hardware/hpux.py
- move SunOSHardware() fact class to facts/hardware/sunos.py
- move OpenBSDHardware() class to facts/hardware/openbsd.py
- mv FreeBsdHardware() and DragonFlyHardware() to facts/hardware/
- mv NetBSDHardware() to facts/hardware/netbsd.py
- mv Darwin() hardware class to facts/hardware/darwin.py
- pep8/etc cleanups on facts/hardware/*.py
- Mv network facts classes to facts/network/*.py
- mv Virtual fact classes to facts/virtual
- mv Hardware.get_sysctl to facts/sysctl.py:get_sysctl

- Also mv get_uname_version from facts/utils.py -> distribution.py
  since distribution.py is the only thing using it.

- add collector.py with new BaseFactCollector
- add a subclass for AnsibleFactCollector
- hook up dict key munging FactNamespaces
- add some test cases for testing the names of facts
- mv timeout stuff to facts.timeout

- rm ansible_facts()/get_all_facts() etc

- Instead of calling facts.ansible_facts(), fact collection
  api used by setup.py is now to create an AnsibleFactCollector()
  and call it's collect method.

- replace Facts.get_user_facts with UserFactCollector
- add a 'systems' facts package, mv UserFactCollector there
- mv get_dns_facts to DnsFactCollector
- mv get_env_facts to EnvFactCollector
- include the timeout length in exception message

- modules and module_utils that use AnsibleFactCollector
  can now theoretically set the 'valid_subsets'

  May be useful for network facts module that currently have
  to reimplement a good chunk of facts.py to get gather_subsets
  to work.

- get_local_facts -> system/LocalFactCollector
- get_date_time -> system/date_time.py
- get_fips_facts -> system/fips.py
- get_caps_facts() -> system/caps.py
- get_apparmor_facts -> system/apparmor.py
- get_selinux_facts -> system/selinux.py
- get_lsb_facts -> system/lsb.py
- get_service_mgr_facts -> system/service_mgr.py
- Facts.is_systemd_managed ->  system/service_mgr.py
- get_pkg_mgr_facts -> system/pkg_mgr.py
- Facts()._get_mount_size_facts() -> facts.utils.get_mount_size()

- add unit test for EnvFactCollector
- add a test case for minimal gather_subsets
- add test case for collect_ids
- Make gather_subset match existing behavior or '!all'

    If 'gather_subset' is provided as '!all', the existing behavior
    (in 2.2/2.3) is that means 'dont collect any facts except those
    from the Facts() class'. So 'skip everything except
    'apparmor', 'caps', 'date_time', 'env', 'fips', 'local', 'lsb',
    'pkg_mgr', 'python', 'selinux', 'service_mgr', 'user', 'platform', etc.

    The new facts setup was making '!all' mean no facts at all, since
    it can add/exclude at a finer granularity. Since that makes more
    sense for the ansible collector, and the set of minimal facts to
    collect is really more up to setup.py to decide we do just that.

    So if setup.py needs to always collect some gather_subset, even
    on !all, setup.py needs to have the that subset added to the
    list it passes as minimal_gather_subset.

    This should fix some intg tests that assume '!all' means that
    some facts are still collected (user info and env for example).

    If we want to make setup.py collect a more minimal set, we can do that.

- force facts_dicts.keys() to a list so py3 works
- split fact collector tests to test_collectors.py

- convert Facter(Facts) -> other/facter.py:FacterFactCollector

- add FactCollector.collect_with_namespace()

    regular .collect() will return a dict with the key names
    using the base names ('ip_address', 'service_mgr' etc)

    .collect_with_namespace() will return a dict where the key names
    have been transformed with the collectors namespace, if there is
    one. For most, this means a namespace that adds 'ansible_' to the
    start of the key name.

    For 'FacterFactCollector', the namespace transforms the key to
    'facter_*'.

- add test cases for collect_with_namespace

- move all the concrete 'which facts does setup.py' stuff to setup.py

    The caller of AnsibleFactCollector.from_gather_subset() needs to
    pass in the list of collector classes now.

- update system/setup.py to import all of the fact classes and pass
  in that list.
- split the Distribution fact class up a bit

    extracted the 'distro release' file handling (ie, linux
    boxes with /etc/release, /etc/os-release etc) into its
    own class.
- extract get_cmdline_facts -> cmdline.py
- extract get_public_ssh_host_keys -> system/ssh_pub_keys.py
- extract get_platform_facts -> system/platform.py

  platform.py may be a good candidate for further splitting.

- rm test for plain Facts() base class
- let the base class for Collector unit tests provide collected_facts

    some Collectors and/or their migrated Facts() subsclasses need
    to look at facts collected by other modules ('ansible_architecture'
    the main one...).

    Collector.collect() has the collected_facts arg for this, so add
    a class variable to BaseFactsTest so we can specify it.

- mv Ohai to other/ohai.py and convert to Collector
- update hardware/*.py to return facts (no side effects)

- mv AnsibleFactCollector to setup.py
- extra collector class gathering to module method in
  facts/__init__.py (collector_classes_from_gather_subset)
- add a CollectorMetaDataCollector collector used to provide
  the 'gather_setup' fact
- add unit test module for 'setup' module
  (test/units/modules/system/setup.py)

- Collector init now doesnt need a module, but collect does

    An instance of a FactCollector() isnt tied to a AnsibleModule
    instance, but the collect() method can be, so optionally pass
    in module to FactCollector.collect() (everywhere)

- add a default_collectors for list of default collectors

  import and use it from setup.py module

  eventually, would like to replace this with a plugin loader
  style class finder/loader

- unit tests for module_utils/facts/__init__.py
- add unit tests for ohai facts collector
- remove self.facts side effect on populate() in hardware/sunos.py
- convert OpenBSDHardware() to rm side effects on self.facts
- try to rm some self.facts side effects in Network()

    plumb in collected_facts from populate() where it is needed.

    stop passing collected_facts into Network() [via cached_facts=,
    where it eventually becomes self.facts]

- nothing provides Fact() cached_facts arg now, rm it

    Facts() should be internal only implementation so nothing
    should be using it.

    Of course, now someone will.

- add a Collector.name attr to build a map of name->_fact_ids

    To properly exclude a gather_subset spec like '!hardware', we
    need to know that 'hardware' also means 'devices', 'dmi', etc.
    Before, '!hardware' would remove the 'hardware' collector name
    but not 'devices'. Since both would end up in id_collector_map,
    we would still end up with the HardwareCollector in the collector
    list. End result being that '!hardware' wouldn't stop hardware
    from being collected.

    So we need to be able to build that map, so add the Collector.name
    attribute that is the primary name (like 'hardware') and let
    Collector._fact_ids be the other fact ids that a collector is
    responsible for.

    Construct the aliases_map of Collector.name -> set of _fact_ids
    in fact/__init__.py get_collector_names, and use it when we are
    populating the exclude set.

- refactor of distribution.py

    make the big OS_FAMILY literal a little easier to read
    Also keys can now be any string instead of python literals

    99% sure the test for 'KDE Neon' was wrong
    I don't see how/where it should or could get 'Neon' instead
    of 'KDE Neon' as provided in os-release NAME=

    Use 'distribution' string for key to OS_MAP

    ie, we dont need to make it a valid python label anymore so dont.

    move _has_dist_file to module as _file_exists
    easier to mock without mucking with os.path

    mv platform.system() calls to within get_distribution_facts() instead
    of Distribution() init.

- remove _json compat module

    The code in here was to support:

      -a 'json' python module that was not the standard one included
      with python since 2.6.

      - potentially fallback to simplejson if 'json' was not available.

    'json' is available for all supported python versions now so
    no longer needed.

- mv get_collector_names -> facts.collector
- mv collector_classes_from_gather_subset -> facts.collector
- mv collector tests from test_facts -> test_collector

- Use six's reduce() in sunos/netbsd hardware facts

- rm extraneous get_uname_version in utils

  only system/distribution.py uses it

- Remove Facts() subclass metaclass usage

  - using fact_id and a platform id for matching collectors

    gut most of Facts() subclasses

    rm Facts() subclasses with weird metaclass

    only add collectors that match the fact_ids and the platform_info
    to the list of collectors used.

    atm, a collectors platform_id will default to 'Generic', and
    any platform matches 'Generic'

    goal is to select collector classes including matching the
    systems platform in collector.py, instead of relying on
    metaclasses in hardware/*. To finish this, the various
    Facts() subclasses will need to be replaced entirely with
    Collector() subclasses.

    use collector classmethod platform_match() to match the platform

    This lets the particular class decide if it is compatible with
    a given platform_info. platform_info is a dict like obj, so it could be
    expanded in the future.

    Add a default platform_match to BaseFactCollector that matches
    platform_info['system'] == cls._platform

    They were needed previously to trigger a module
    load on all the collector classes when we import
    facts/hardare so that the Hardware() and related
    classes that used __new__ and find_all_subclasses()
    would work.

    Now that is done in collectors based on platform matching
    at runtime we dont need to do it py module import/parse
    time. So the non empty __init__.pys are no longer needed
    and their is a more flexible mechanism for selection
    platform specific stuff.

    facts/facts.py is no longer used, rm'ed

- if we dont find an implement class for gather spec.. just ignore it.

  Would be useful to add a warn to warn about this case.

- Fix SD-UX typo (should be HP-UX)

- Port fix for #21893 (0 sockets) to this branch

    This readds the change from 8ad182059d
    that got lost in merge/rebase

    Fixes #21893

- port sunos fact locale fix for #24542 to this branch

    based on e558ec19cd

    Fixes #24542

    Solaris fact fix (#24793)

    ensure locale for solaris fact gathering

    fixes issue with locale interfering with proper reading of decimals

- raise exceptions in the air like we just dont care.

    Pretty much ignore any not exit exception in facts
    collection. And add some test cases.

- added new selinux fact to clarify python lib

    the selinux fact is boolean false when the library is not installed,
    a dictionary/hash otherwise, but this is ambigous
    added new fact so we can eventually remove the type dichtomy and normalize it as a dict

    Re-add of devel commit 85c7a7b844 to
    the new code layout, since it got removed in merge/rebase
2017-06-01 11:17:49 -04:00
Dag Wieers
4efec414e7 test/: PEP8 compliancy (#24803)
* test/: PEP8 compliancy

- Make PEP8 compliant

* Python3 chokes on casting int to bytes (#24952)

But if we tell the formatter that the var is a number, it works
2017-05-30 18:05:19 +01:00
Matt Clay
9f56f87770 Fix PEP 8 issue. 2017-04-28 06:51:44 +08:00
Colin Chan
2d9d1762ba Improve parsing of 'systemctl show' output 2017-04-27 11:42:26 -04:00
Marius Gedminas
2efb692cc4 known_hosts: support --diff (#20349)
* known_hosts: support --diff

* known_hosts: support --diff also without --check

* Add unit tests and fix incorrect diff in one corner case

Tests are good!

* Refactor for readability

* Python 3 compat

* More Python 3 compat

* Add an integration test for known_hosts

* Handle ssh-keygen -HF returning non-zero exit code

AFAICT this is a bug in ssh-keygen in some newer OpenSSH versions
(>= 6.4 probably; see commit dd9d5cc670):
when you invoke ssh-keygen with -H and -F <host> options, it always
returns exit code 1.  This is because in ssh-keygen.c there's a function
do_known_hosts() which calls

  exit (find_host && !ctx.found_key);

at the end, and find_host is 1 (because we passed -F on the command line),
but ctx.found_key is always 0.  Why is found_key always 0?  Because the
callback passed to hostkeys_foreach(), which is known_hosts_hash(),
never bothers to set found_key to 1.

* This test does not need root

* Avoid ssh-ed25519 keys in sample known_hosts file

Older versions of OpenSSH do not like them and ssh-keygen -HF
aborts with an error when it sees such keys:

  line 5 invalid key: example.net...
  /root/ansible_testing/known_hosts is not a valid known_hosts file.

* Fix Python 3 errors

Specifically, the default mode of tempfile.NamedTemporaryFile is 'w+b',
which means Python 3 wants us to write bytes objects to it -- but the
keys we have are all unicode strings.
2017-02-08 09:56:03 -05:00