2020-03-09 10:11:07 +01:00
|
|
|
#!/usr/bin/python
|
2021-08-08 10:40:22 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
2020-03-09 10:11:07 +01:00
|
|
|
|
2022-08-05 12:28:29 +02:00
|
|
|
# Copyright Ansible Project
|
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
module: github_key
|
2022-11-09 07:18:40 +01:00
|
|
|
short_description: Manage GitHub access keys
|
2020-03-09 10:11:07 +01:00
|
|
|
description:
|
2023-02-20 17:26:28 +01:00
|
|
|
- Creates, removes, or updates GitHub access keys.
|
|
|
|
extends_documentation_fragment:
|
|
|
|
- community.general.attributes
|
|
|
|
attributes:
|
|
|
|
check_mode:
|
|
|
|
support: full
|
|
|
|
diff_mode:
|
|
|
|
support: none
|
2020-03-09 10:11:07 +01:00
|
|
|
options:
|
|
|
|
token:
|
|
|
|
description:
|
|
|
|
- GitHub Access Token with permission to list and create public keys.
|
|
|
|
required: true
|
2021-02-25 09:39:48 +01:00
|
|
|
type: str
|
2020-03-09 10:11:07 +01:00
|
|
|
name:
|
|
|
|
description:
|
|
|
|
- SSH key name
|
|
|
|
required: true
|
2021-02-25 09:39:48 +01:00
|
|
|
type: str
|
2020-03-09 10:11:07 +01:00
|
|
|
pubkey:
|
|
|
|
description:
|
2023-06-15 15:46:44 +02:00
|
|
|
- SSH public key value. Required when O(state=present).
|
2021-02-25 09:39:48 +01:00
|
|
|
type: str
|
2020-03-09 10:11:07 +01:00
|
|
|
state:
|
|
|
|
description:
|
|
|
|
- Whether to remove a key, ensure that it exists, or update its value.
|
|
|
|
choices: ['present', 'absent']
|
|
|
|
default: 'present'
|
2021-02-25 09:39:48 +01:00
|
|
|
type: str
|
2020-03-09 10:11:07 +01:00
|
|
|
force:
|
|
|
|
description:
|
2023-06-15 15:46:44 +02:00
|
|
|
- The default is V(true), which will replace the existing remote key
|
|
|
|
if it is different than O(pubkey). If V(false), the key will only be
|
|
|
|
set if no key with the given O(name) exists.
|
2020-03-09 10:11:07 +01:00
|
|
|
type: bool
|
2022-08-24 19:59:56 +02:00
|
|
|
default: true
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
author: Robert Estelle (@erydo)
|
|
|
|
'''
|
|
|
|
|
|
|
|
RETURN = '''
|
|
|
|
deleted_keys:
|
|
|
|
description: An array of key objects that were deleted. Only present on state=absent
|
|
|
|
type: list
|
|
|
|
returned: When state=absent
|
2022-09-06 20:42:17 +02:00
|
|
|
sample: [{'id': 0, 'key': 'BASE64 encoded key', 'url': 'http://example.com/github key', 'created_at': 'YYYY-MM-DDTHH:MM:SZ', 'read_only': false}]
|
2020-03-09 10:11:07 +01:00
|
|
|
matching_keys:
|
|
|
|
description: An array of keys matching the specified name. Only present on state=present
|
|
|
|
type: list
|
|
|
|
returned: When state=present
|
2022-09-06 20:42:17 +02:00
|
|
|
sample: [{'id': 0, 'key': 'BASE64 encoded key', 'url': 'http://example.com/github key', 'created_at': 'YYYY-MM-DDTHH:MM:SZ', 'read_only': false}]
|
2020-03-09 10:11:07 +01:00
|
|
|
key:
|
|
|
|
description: Metadata about the key just created. Only present on state=present
|
|
|
|
type: dict
|
|
|
|
returned: success
|
2022-09-06 20:42:17 +02:00
|
|
|
sample: {'id': 0, 'key': 'BASE64 encoded key', 'url': 'http://example.com/github key', 'created_at': 'YYYY-MM-DDTHH:MM:SZ', 'read_only': false}
|
2020-03-09 10:11:07 +01:00
|
|
|
'''
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
- name: Read SSH public key to authorize
|
2020-07-14 17:28:08 +02:00
|
|
|
ansible.builtin.shell: cat /home/foo/.ssh/id_rsa.pub
|
2020-03-09 10:11:07 +01:00
|
|
|
register: ssh_pub_key
|
|
|
|
|
|
|
|
- name: Authorize key with GitHub
|
|
|
|
local_action:
|
|
|
|
module: github_key
|
|
|
|
name: Access Key for Some Machine
|
|
|
|
token: '{{ github_access_token }}'
|
|
|
|
pubkey: '{{ ssh_pub_key.stdout }}'
|
|
|
|
|
2023-07-06 06:23:32 +02:00
|
|
|
# Alternatively, a single task can be used reading a key from a file on the controller
|
|
|
|
- name: Authorize key with GitHub
|
|
|
|
community.general.github_key:
|
|
|
|
name: Access Key for Some Machine
|
|
|
|
token: '{{ github_access_token }}'
|
|
|
|
pubkey: "{{ lookup('ansible.builtin.file', '/home/foo/.ssh/id_rsa.pub') }}"
|
|
|
|
'''
|
2020-03-09 10:11:07 +01:00
|
|
|
|
2024-04-20 09:26:08 +02:00
|
|
|
import datetime
|
2020-03-09 10:11:07 +01:00
|
|
|
import json
|
|
|
|
import re
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
|
|
from ansible.module_utils.urls import fetch_url
|
|
|
|
|
2024-04-20 09:26:08 +02:00
|
|
|
from ansible_collections.community.general.plugins.module_utils.datetime import (
|
|
|
|
now,
|
|
|
|
)
|
|
|
|
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
API_BASE = 'https://api.github.com'
|
|
|
|
|
|
|
|
|
|
|
|
class GitHubResponse(object):
|
|
|
|
def __init__(self, response, info):
|
|
|
|
self.content = response.read()
|
|
|
|
self.info = info
|
|
|
|
|
|
|
|
def json(self):
|
|
|
|
return json.loads(self.content)
|
|
|
|
|
|
|
|
def links(self):
|
|
|
|
links = {}
|
|
|
|
if 'link' in self.info:
|
|
|
|
link_header = self.info['link']
|
|
|
|
matches = re.findall('<([^>]+)>; rel="([^"]+)"', link_header)
|
|
|
|
for url, rel in matches:
|
|
|
|
links[rel] = url
|
|
|
|
return links
|
|
|
|
|
|
|
|
|
|
|
|
class GitHubSession(object):
|
|
|
|
def __init__(self, module, token):
|
|
|
|
self.module = module
|
|
|
|
self.token = token
|
|
|
|
|
|
|
|
def request(self, method, url, data=None):
|
|
|
|
headers = {
|
|
|
|
'Authorization': 'token %s' % self.token,
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
'Accept': 'application/vnd.github.v3+json',
|
|
|
|
}
|
|
|
|
response, info = fetch_url(
|
|
|
|
self.module, url, method=method, data=data, headers=headers)
|
|
|
|
if not (200 <= info['status'] < 400):
|
|
|
|
self.module.fail_json(
|
|
|
|
msg=(" failed to send request %s to %s: %s"
|
|
|
|
% (method, url, info['msg'])))
|
|
|
|
return GitHubResponse(response, info)
|
|
|
|
|
|
|
|
|
|
|
|
def get_all_keys(session):
|
|
|
|
url = API_BASE + '/user/keys'
|
|
|
|
result = []
|
|
|
|
while url:
|
|
|
|
r = session.request('GET', url)
|
|
|
|
result.extend(r.json())
|
|
|
|
url = r.links().get('next')
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
|
def create_key(session, name, pubkey, check_mode):
|
|
|
|
if check_mode:
|
2024-04-20 09:26:08 +02:00
|
|
|
now_t = now()
|
2020-03-09 10:11:07 +01:00
|
|
|
return {
|
|
|
|
'id': 0,
|
|
|
|
'key': pubkey,
|
|
|
|
'title': name,
|
|
|
|
'url': 'http://example.com/CHECK_MODE_GITHUB_KEY',
|
2024-04-20 09:26:08 +02:00
|
|
|
'created_at': datetime.strftime(now_t, '%Y-%m-%dT%H:%M:%SZ'),
|
2020-03-09 10:11:07 +01:00
|
|
|
'read_only': False,
|
|
|
|
'verified': False
|
|
|
|
}
|
|
|
|
else:
|
|
|
|
return session.request(
|
|
|
|
'POST',
|
|
|
|
API_BASE + '/user/keys',
|
|
|
|
data=json.dumps({'title': name, 'key': pubkey})).json()
|
|
|
|
|
|
|
|
|
|
|
|
def delete_keys(session, to_delete, check_mode):
|
|
|
|
if check_mode:
|
|
|
|
return
|
|
|
|
|
|
|
|
for key in to_delete:
|
|
|
|
session.request('DELETE', API_BASE + '/user/keys/%s' % key["id"])
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_key_absent(session, name, check_mode):
|
|
|
|
to_delete = [key for key in get_all_keys(session) if key['title'] == name]
|
|
|
|
delete_keys(session, to_delete, check_mode=check_mode)
|
|
|
|
|
|
|
|
return {'changed': bool(to_delete),
|
|
|
|
'deleted_keys': to_delete}
|
|
|
|
|
|
|
|
|
|
|
|
def ensure_key_present(module, session, name, pubkey, force, check_mode):
|
|
|
|
all_keys = get_all_keys(session)
|
|
|
|
matching_keys = [k for k in all_keys if k['title'] == name]
|
|
|
|
deleted_keys = []
|
|
|
|
|
|
|
|
new_signature = pubkey.split(' ')[1]
|
|
|
|
for key in all_keys:
|
|
|
|
existing_signature = key['key'].split(' ')[1]
|
|
|
|
if new_signature == existing_signature and key['title'] != name:
|
|
|
|
module.fail_json(msg=(
|
|
|
|
"another key with the same content is already registered "
|
|
|
|
"under the name |{0}|").format(key['title']))
|
|
|
|
|
|
|
|
if matching_keys and force and matching_keys[0]['key'].split(' ')[1] != new_signature:
|
|
|
|
delete_keys(session, matching_keys, check_mode=check_mode)
|
|
|
|
(deleted_keys, matching_keys) = (matching_keys, [])
|
|
|
|
|
|
|
|
if not matching_keys:
|
|
|
|
key = create_key(session, name, pubkey, check_mode=check_mode)
|
|
|
|
else:
|
|
|
|
key = matching_keys[0]
|
|
|
|
|
|
|
|
return {
|
|
|
|
'changed': bool(deleted_keys or not matching_keys),
|
|
|
|
'deleted_keys': deleted_keys,
|
|
|
|
'matching_keys': matching_keys,
|
|
|
|
'key': key
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
argument_spec = {
|
|
|
|
'token': {'required': True, 'no_log': True},
|
|
|
|
'name': {'required': True},
|
|
|
|
'pubkey': {},
|
|
|
|
'state': {'choices': ['present', 'absent'], 'default': 'present'},
|
|
|
|
'force': {'default': True, 'type': 'bool'},
|
|
|
|
}
|
|
|
|
module = AnsibleModule(
|
|
|
|
argument_spec=argument_spec,
|
|
|
|
supports_check_mode=True,
|
|
|
|
)
|
|
|
|
|
|
|
|
token = module.params['token']
|
|
|
|
name = module.params['name']
|
|
|
|
state = module.params['state']
|
|
|
|
force = module.params['force']
|
|
|
|
pubkey = module.params.get('pubkey')
|
|
|
|
|
|
|
|
if pubkey:
|
|
|
|
pubkey_parts = pubkey.split(' ')
|
|
|
|
# Keys consist of a protocol, the key data, and an optional comment.
|
|
|
|
if len(pubkey_parts) < 2:
|
|
|
|
module.fail_json(msg='"pubkey" parameter has an invalid format')
|
|
|
|
elif state == 'present':
|
|
|
|
module.fail_json(msg='"pubkey" is required when state=present')
|
|
|
|
|
|
|
|
session = GitHubSession(module, token)
|
|
|
|
if state == 'present':
|
|
|
|
result = ensure_key_present(module, session, name, pubkey, force=force,
|
|
|
|
check_mode=module.check_mode)
|
|
|
|
elif state == 'absent':
|
|
|
|
result = ensure_key_absent(session, name, check_mode=module.check_mode)
|
|
|
|
|
|
|
|
module.exit_json(**result)
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|