From a773bd7ad54014917dd1e1e70722f9da5a09cc77 Mon Sep 17 00:00:00 2001 From: Yanis Guenane Date: Tue, 28 Nov 2017 09:38:47 +0100 Subject: [PATCH] openssl_publickey: Ensure format OpenSSH is idempotent (#33264) Currently the check() method for idempotence only assumes the public key is under the form of a PEM file when its not always the case. The module openssl_publickey allows one to generate OpenSSH format publickey. This leads to idempotence not being detected. --- lib/ansible/modules/crypto/openssl_publickey.py | 9 +++++++-- .../integration/targets/openssl_publickey/tasks/main.yml | 8 ++++++++ .../targets/openssl_publickey/tests/validate.yml | 6 ++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/ansible/modules/crypto/openssl_publickey.py b/lib/ansible/modules/crypto/openssl_publickey.py index afc3cc3ca9..e93a7d58a3 100644 --- a/lib/ansible/modules/crypto/openssl_publickey.py +++ b/lib/ansible/modules/crypto/openssl_publickey.py @@ -212,11 +212,16 @@ class PublicKey(crypto_utils.OpenSSLObject): return False try: + publickey_content = open(self.path, 'rb').read() + if self.format == 'OpenSSH': + current_publickey = crypto_serialization.load_ssh_public_key(publickey_content, backend=default_backend()) + publickey_content = current_publickey.public_bytes(crypto_serialization.Encoding.PEM, + crypto_serialization.PublicFormat.SubjectPublicKeyInfo) current_publickey = crypto.dump_publickey( crypto.FILETYPE_ASN1, - crypto.load_publickey(crypto.FILETYPE_PEM, open(self.path, 'rb').read()) + crypto.load_publickey(crypto.FILETYPE_PEM, publickey_content) ) - except crypto.Error: + except (crypto.Error, ValueError): return False desired_publickey = crypto.dump_publickey( diff --git a/test/integration/targets/openssl_publickey/tasks/main.yml b/test/integration/targets/openssl_publickey/tasks/main.yml index 52e0448994..087bdc73b5 100644 --- a/test/integration/targets/openssl_publickey/tasks/main.yml +++ b/test/integration/targets/openssl_publickey/tasks/main.yml @@ -18,6 +18,14 @@ # appeared in version 1.4 of cryptography when: cryptography_version.stdout is version('1.4.0', '>=') + - name: Generate publickey - OpenSSH format - test idempotence (issue 33256) + openssl_publickey: + path: '{{ output_dir }}/publickey-ssh.pub' + privatekey_path: '{{ output_dir }}/privatekey.pem' + format: OpenSSH + when: cryptography_version.stdout|version_compare('1.4.0', '>=') + register: publickey_ssh_idempotence + - name: Generate publickey2 - standard openssl_publickey: path: '{{ output_dir }}/publickey2.pub' diff --git a/test/integration/targets/openssl_publickey/tests/validate.yml b/test/integration/targets/openssl_publickey/tests/validate.yml index b1b2b40d42..c53b69ddc5 100644 --- a/test/integration/targets/openssl_publickey/tests/validate.yml +++ b/test/integration/targets/openssl_publickey/tests/validate.yml @@ -28,6 +28,12 @@ - privatekey_publickey.stdout == '{{ publickey.content|b64decode }}' when: cryptography_version.stdout is version('1.4.0', '>=') +- name: Validate public key - OpenSSH format - test idempotence (issue 33256) + assert: + that: + - not publickey_ssh_idempotence|changed + when: cryptography_version.stdout|version_compare('1.4.0', '>=') + - name: Validate publickey2 (test - Ensure key has been removed) stat: path: '{{ output_dir }}/publickey2.pub'