1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Ensure ssh hostkey checks respect server port (#20840)

* Add tests for `get_fqdn_and_port` method.

Currently tests verify original behavior - returning default `ssh-keyscan` port
Add test around `add_host_key` to verify underlying command arguments
Add some new expectations for `get_fqdn_and_port`
Test that non-standard port is passed to `ssh-keyscan` command

* Ensure ssh hostkey checks respect server port

ssh-keyscan will default to getting the host key for port 22.
If the ssh service is running on a different port, ssh-keyscan
will need to know this.

Tidy up minor flake8 issues

* Update known_hosts tests for port being None

Ensure that git urls don't try and set port when a path
is specified

Update known_hosts tests to meet flake8

* Fix stdin swap context for test_known_hosts

Move test_known_hosts from under basic, as it is its own library.
Remove module_utils.known_hosts from pep8 legacy files list
This commit is contained in:
Will Thames 2017-02-16 05:47:57 +10:00 committed by Toshio Kuratomi
parent e4a80965de
commit 103ede26df
4 changed files with 139 additions and 78 deletions

View file

@ -28,6 +28,7 @@
import os import os
import hmac import hmac
import re
try: try:
import urlparse import urlparse
@ -41,23 +42,26 @@ except ImportError:
HASHED_KEY_MAGIC = "|1|" HASHED_KEY_MAGIC = "|1|"
def add_git_host_key(module, url, accept_hostkey=True, create_dir=True): def add_git_host_key(module, url, accept_hostkey=True, create_dir=True):
""" idempotently add a git url hostkey """ """ idempotently add a git url hostkey """
if is_ssh_url(url): if is_ssh_url(url):
fqdn = get_fqdn(url) fqdn, port = get_fqdn_and_port(url)
if fqdn: if fqdn:
known_host = check_hostkey(module, fqdn) known_host = check_hostkey(module, fqdn)
if not known_host: if not known_host:
if accept_hostkey: if accept_hostkey:
rc, out, err = add_host_key(module, fqdn, create_dir=create_dir) rc, out, err = add_host_key(module, fqdn, port=port, create_dir=create_dir)
if rc != 0: if rc != 0:
module.fail_json(msg="failed to add %s hostkey: %s" % (fqdn, out + err)) module.fail_json(msg="failed to add %s hostkey: %s" % (fqdn, out + err))
else: else:
module.fail_json(msg="%s has an unknown hostkey. Set accept_hostkey to True or manually add the hostkey prior to running the git module" % fqdn) module.fail_json(msg="%s has an unknown hostkey. Set accept_hostkey to True "
"or manually add the hostkey prior to running the git module" % fqdn)
def is_ssh_url(url): def is_ssh_url(url):
@ -70,45 +74,51 @@ def is_ssh_url(url):
return True return True
return False return False
def get_fqdn(repo_url):
""" chop the hostname out of a url """ def get_fqdn_and_port(repo_url):
result = None """ chop the hostname and port out of a url """
fqdn = None
port = None
ipv6_re = re.compile('(\[[^]]*\])(?::([0-9]+))?')
if "@" in repo_url and "://" not in repo_url: if "@" in repo_url and "://" not in repo_url:
# most likely an user@host:path or user@host/path type URL # most likely an user@host:path or user@host/path type URL
repo_url = repo_url.split("@", 1)[1] repo_url = repo_url.split("@", 1)[1]
if repo_url.startswith('['): match = ipv6_re.match(repo_url)
result = repo_url.split(']', 1)[0] + ']' # For this type of URL, colon specifies the path, not the port
if match:
fqdn, path = match.groups()
elif ":" in repo_url: elif ":" in repo_url:
result = repo_url.split(":")[0] fqdn = repo_url.split(":")[0]
elif "/" in repo_url: elif "/" in repo_url:
result = repo_url.split("/")[0] fqdn = repo_url.split("/")[0]
elif "://" in repo_url: elif "://" in repo_url:
# this should be something we can parse with urlparse # this should be something we can parse with urlparse
parts = urlparse.urlparse(repo_url) parts = urlparse.urlparse(repo_url)
# parts[1] will be empty on python2.4 on ssh:// or git:// urls, so # parts[1] will be empty on python2.4 on ssh:// or git:// urls, so
# ensure we actually have a parts[1] before continuing. # ensure we actually have a parts[1] before continuing.
if parts[1] != '': if parts[1] != '':
result = parts[1] fqdn = parts[1]
if "@" in result: if "@" in fqdn:
result = result.split("@", 1)[1] fqdn = fqdn.split("@", 1)[1]
match = ipv6_re.match(fqdn)
if match:
fqdn, port = match.groups()
elif ":" in fqdn:
fqdn, port = fqdn.split(":")[0:2]
return fqdn, port
if result[0].startswith('['):
result = result.split(']', 1)[0] + ']'
elif ":" in result:
result = result.split(":")[0]
return result
def check_hostkey(module, fqdn): def check_hostkey(module, fqdn):
return not not_in_host_file(module, fqdn) return not not_in_host_file(module, fqdn)
# this is a variant of code found in connection_plugins/paramiko.py and we should modify # this is a variant of code found in connection_plugins/paramiko.py and we should modify
# the paramiko code to import and use this. # the paramiko code to import and use this.
def not_in_host_file(self, host): def not_in_host_file(self, host):
if 'USER' in os.environ: if 'USER' in os.environ:
user_host_file = os.path.expandvars("~${USER}/.ssh/known_hosts") user_host_file = os.path.expandvars("~${USER}/.ssh/known_hosts")
else: else:
@ -159,7 +169,7 @@ def not_in_host_file(self, host):
return True return True
def add_host_key(module, fqdn, key_type="rsa", create_dir=False): def add_host_key(module, fqdn, port=22, key_type="rsa", create_dir=False):
""" use ssh-keyscan to add the hostkey """ """ use ssh-keyscan to add the hostkey """
@ -184,7 +194,10 @@ def add_host_key(module, fqdn, key_type="rsa", create_dir=False):
elif not os.path.isdir(user_ssh_dir): elif not os.path.isdir(user_ssh_dir):
module.fail_json(msg="%s is not a directory" % user_ssh_dir) module.fail_json(msg="%s is not a directory" % user_ssh_dir)
this_cmd = "%s -t %s %s" % (keyscan_cmd, key_type, fqdn) if port:
this_cmd = "%s -t %s -p %s %s" % (keyscan_cmd, key_type, port, fqdn)
else:
this_cmd = "%s -t %s %s" % (keyscan_cmd, key_type, fqdn)
rc, out, err = module.run_command(this_cmd) rc, out, err = module.run_command(this_cmd)
# ssh-keyscan gives a 0 exit code and prints nothins on timeout # ssh-keyscan gives a 0 exit code and prints nothins on timeout
@ -193,4 +206,3 @@ def add_host_key(module, fqdn, key_type="rsa", create_dir=False):
module.append_to_file(user_host_file, out) module.append_to_file(user_host_file, out)
return rc, out, err return rc, out, err

View file

@ -13,7 +13,6 @@ lib/ansible/inventory/script.py
lib/ansible/module_utils/basic.py lib/ansible/module_utils/basic.py
lib/ansible/module_utils/ec2.py lib/ansible/module_utils/ec2.py
lib/ansible/module_utils/facts.py lib/ansible/module_utils/facts.py
lib/ansible/module_utils/known_hosts.py
lib/ansible/module_utils/mysql.py lib/ansible/module_utils/mysql.py
lib/ansible/modules/cloud/amazon/_ec2_vpc.py lib/ansible/modules/cloud/amazon/_ec2_vpc.py
lib/ansible/modules/cloud/amazon/aws_kms.py lib/ansible/modules/cloud/amazon/aws_kms.py

View file

@ -1,55 +0,0 @@
# -*- coding: utf-8 -*-
# (c) 2015, Michael Scherer <mscherer@redhat.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from ansible.compat.tests import unittest
from ansible.module_utils import known_hosts
class TestAnsibleModuleKnownHosts(unittest.TestCase):
urls = {
'ssh://one.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'one.example.org'},
'ssh+git://two.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'two.example.org'},
'rsync://three.example.org/user/example.git':
{'is_ssh_url': False, 'get_fqdn': 'three.example.org'},
'git@four.example.org:user/example.git':
{'is_ssh_url': True, 'get_fqdn': 'four.example.org'},
'git+ssh://five.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'five.example.org'},
'ssh://six.example.org:21/example.org':
{'is_ssh_url': True, 'get_fqdn': 'six.example.org'},
'ssh://[2001:DB8::abcd:abcd]/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]'},
'ssh://[2001:DB8::abcd:abcd]:22/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]'},
'username@[2001:DB8::abcd:abcd]/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]'},
'username@[2001:DB8::abcd:abcd]:22/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]'},
}
def test_is_ssh_url(self):
for u in self.urls:
self.assertEqual(known_hosts.is_ssh_url(u), self.urls[u]['is_ssh_url'])
def test_get_fqdn(self):
for u in self.urls:
self.assertEqual(known_hosts.get_fqdn(u), self.urls[u]['get_fqdn'])

View file

@ -0,0 +1,105 @@
# -*- coding: utf-8 -*-
# (c) 2015, Michael Scherer <mscherer@redhat.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from ansible.compat.tests import unittest
from ansible.module_utils import known_hosts
import json
import ansible.module_utils.basic
from ansible.compat.tests.mock import Mock
from units.mock.procenv import swap_stdin_and_argv
class TestAnsibleModuleKnownHosts(unittest.TestCase):
urls = {
'ssh://one.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'one.example.org',
'add_host_key_cmd': " -t rsa one.example.org",
'port': None},
'ssh+git://two.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'two.example.org',
'add_host_key_cmd': " -t rsa two.example.org",
'port': None},
'rsync://three.example.org/user/example.git':
{'is_ssh_url': False, 'get_fqdn': 'three.example.org',
'add_host_key_cmd': None, # not called for non-ssh urls
'port': None},
'git@four.example.org:user/example.git':
{'is_ssh_url': True, 'get_fqdn': 'four.example.org',
'add_host_key_cmd': " -t rsa four.example.org",
'port': None},
'git+ssh://five.example.org/example.git':
{'is_ssh_url': True, 'get_fqdn': 'five.example.org',
'add_host_key_cmd': " -t rsa five.example.org",
'port': None},
'ssh://six.example.org:21/example.org': # ssh on FTP Port?
{'is_ssh_url': True, 'get_fqdn': 'six.example.org',
'add_host_key_cmd': " -t rsa -p 21 six.example.org",
'port': '21'},
'ssh://[2001:DB8::abcd:abcd]/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]',
'add_host_key_cmd': " -t rsa [2001:DB8::abcd:abcd]",
'port': None},
'ssh://[2001:DB8::abcd:abcd]:22/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]',
'add_host_key_cmd': " -t rsa -p 22 [2001:DB8::abcd:abcd]",
'port': '22'},
'username@[2001:DB8::abcd:abcd]/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]',
'add_host_key_cmd': " -t rsa [2001:DB8::abcd:abcd]",
'port': None},
'username@[2001:DB8::abcd:abcd]:path/example.git':
{'is_ssh_url': True, 'get_fqdn': '[2001:DB8::abcd:abcd]',
'add_host_key_cmd': " -t rsa [2001:DB8::abcd:abcd]",
'port': None},
'ssh://internal.git.server:7999/repos/repo.git':
{'is_ssh_url': True, 'get_fqdn': 'internal.git.server',
'add_host_key_cmd': " -t rsa -p 7999 internal.git.server",
'port': '7999'}
}
def test_is_ssh_url(self):
for u in self.urls:
self.assertEqual(known_hosts.is_ssh_url(u), self.urls[u]['is_ssh_url'])
def test_get_fqdn_and_port(self):
for u in self.urls:
self.assertEqual(known_hosts.get_fqdn_and_port(u), (self.urls[u]['get_fqdn'], self.urls[u]['port']))
def test_add_host_key(self):
# Copied
args = json.dumps(dict(ANSIBLE_MODULE_ARGS={}))
# unittest doesn't have a clean place to use a context manager, so we have to enter/exit manually
with swap_stdin_and_argv(stdin_data=args):
ansible.module_utils.basic._ANSIBLE_ARGS = None
self.module = ansible.module_utils.basic.AnsibleModule(argument_spec=dict())
run_command = Mock()
run_command.return_value = (0, "Needs output, otherwise thinks ssh-keyscan timed out'", "")
self.module.run_command = run_command
get_bin_path = Mock()
get_bin_path.return_value = keyscan_cmd = "/custom/path/ssh-keyscan"
self.module.get_bin_path = get_bin_path
for u in self.urls:
if self.urls[u]['is_ssh_url']:
known_hosts.add_host_key(self.module, self.urls[u]['get_fqdn'], port=self.urls[u]['port'])
run_command.assert_called_with(keyscan_cmd + self.urls[u]['add_host_key_cmd'])