ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-25 11:51:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

In the git module let ssh do its own host checking

Browse source 
There are too many possible special cases for Ansible to be able to
precheck known_hosts files without introducing all kinds of false
failures.

* Alternative known_hosts paths
* Alternative host name aliases
* ssh host certificates
* SSHFP + DNSSEC

Fixes #24860
This commit is contained in:
Andreas Olsson 2017-06-25 19:05:16 +02:00 committed by Toshio Kuratomi
parent 5d28d76277
commit 05dc76f3b2
3 changed files with 15 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

20
lib/ansible/module_utils/known_hosts.py
View file

@ -43,26 +43,6 @@ except ImportError:
HASHED_KEY_MAGIC = "|1|" HASHED_KEY_MAGIC = "|1|"
def add_git_host_key(module, url, accept_hostkey=True, create_dir=True):
""" idempotently add a git url hostkey """
if is_ssh_url(url):
fqdn, port = get_fqdn_and_port(url)
if fqdn:
known_host = check_hostkey(module, fqdn)
if not known_host:
if accept_hostkey:
rc, out, err = add_host_key(module, fqdn, port=port, create_dir=create_dir)
if rc != 0:
module.fail_json(msg="failed to add %s hostkey: %s" % (fqdn, out + err))
else:
module.fail_json(msg="%s has an unknown hostkey. Set accept_hostkey to True "
"or manually add the hostkey prior to running the git module" % fqdn)
def is_ssh_url(url): def is_ssh_url(url):
""" check if url is ssh """ """ check if url is ssh """

33
lib/ansible/modules/source_control/git.py
View file

@ -60,9 +60,8 @@ options:
choices: [ "yes", "no" ] choices: [ "yes", "no" ]
version_added: "1.5" version_added: "1.5"
description: description:
- if C(yes), adds the hostkey for the repo url if not already - if C(yes), ensure that "-o StrictHostKeyChecking=no" is
added. If ssh_opts contains "-o StrictHostKeyChecking=no", present as an ssh options.
this parameter is ignored.
ssh_opts: ssh_opts:
required: false required: false
default: None default: None
@ -281,7 +280,6 @@ from distutils.version import LooseVersion
from ansible.module_utils.basic import AnsibleModule, get_module_path from ansible.module_utils.basic import AnsibleModule, get_module_path
from ansible.module_utils.basic import get_exception from ansible.module_utils.basic import get_exception
from ansible.module_utils.known_hosts import add_git_host_key
from ansible.module_utils.six import b, string_types from ansible.module_utils.six import b, string_types
from ansible.module_utils._text import to_native from ansible.module_utils._text import to_native
@ -368,6 +366,9 @@ else
BASEOPTS=$GIT_SSH_OPTS BASEOPTS=$GIT_SSH_OPTS
fi fi
# Let ssh fail rather than prompt
BASEOPTS="$BASEOPTS -o BatchMode=yes"
if [ -z "$GIT_KEY" ]; then if [ -z "$GIT_KEY" ]; then
ssh $BASEOPTS "$@" ssh $BASEOPTS "$@"
else else
@ -777,15 +778,6 @@ def submodules_fetch(git_path, module, remote, track_submodules, dest):
if not os.path.exists(os.path.join(dest, path, '.git')): if not os.path.exists(os.path.join(dest, path, '.git')):
changed = True changed = True
# add the submodule repo's hostkey
if line.strip().startswith('url'):
repo = line.split('=', 1)[1].strip()
if module.params['ssh_opts'] is not None:
if "-o StrictHostKeyChecking=no" not in module.params['ssh_opts']:
add_git_host_key(module, repo, accept_hostkey=module.params['accept_hostkey'])
else:
add_git_host_key(module, repo, accept_hostkey=module.params['accept_hostkey'])
# Check for updates to existing modules # Check for updates to existing modules
if not changed: if not changed:
# Fetch updates # Fetch updates
@ -1031,6 +1023,13 @@ def main():
result = dict(changed=False, warnings=list()) result = dict(changed=False, warnings=list())
if module.params['accept_hostkey']:
if ssh_opts is not None:
if "-o StrictHostKeyChecking=no" not in ssh_opts:
ssh_opts += " -o StrictHostKeyChecking=no"
else:
ssh_opts = "-o StrictHostKeyChecking=no"
# evaluate and set the umask before doing anything else # evaluate and set the umask before doing anything else
if umask is not None: if umask is not None:
if not isinstance(umask, string_types): if not isinstance(umask, string_types):
@ -1064,18 +1063,10 @@ def main():
# create a wrapper script and export # create a wrapper script and export
# GIT_SSH=<path> as an environment variable # GIT_SSH=<path> as an environment variable
# for git to use the wrapper script # for git to use the wrapper script
ssh_wrapper = None
if key_file or ssh_opts:
ssh_wrapper = write_ssh_wrapper() ssh_wrapper = write_ssh_wrapper()
set_git_ssh(ssh_wrapper, key_file, ssh_opts) set_git_ssh(ssh_wrapper, key_file, ssh_opts)
module.add_cleanup_file(path=ssh_wrapper) module.add_cleanup_file(path=ssh_wrapper)
# add the git repo's hostkey
if module.params['ssh_opts'] is not None:
if "-o StrictHostKeyChecking=no" not in module.params['ssh_opts']:
add_git_host_key(module, repo, accept_hostkey=module.params['accept_hostkey'])
else:
add_git_host_key(module, repo, accept_hostkey=module.params['accept_hostkey'])
git_version_used = git_version(git_path, module) git_version_used = git_version(git_path, module)
if depth is not None and git_version_used < LooseVersion('1.9.1'): if depth is not None and git_version_used < LooseVersion('1.9.1'):

1
test/integration/targets/git/tasks/missing_hostkey.yml
View file

@ -16,7 +16,6 @@
- assert: - assert:
that: that:
- 'git_result.failed' - 'git_result.failed'
- 'git_result.msg == "github.com has an unknown hostkey. Set accept_hostkey to True or manually add the hostkey prior to running the git module"'
- name: checkout git@github.com repo with accept_hostkey (expected pass) - name: checkout git@github.com repo with accept_hostkey (expected pass)
git: git: