mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-25 05:23:58 -07:00 
			
		
		
		
	Fixing some parsing issues in authorized_key module
Also adds an integration test for authorized_key for future validation. Fixes #6700
This commit is contained in:
		
					parent
					
						
							
								5795796546
							
						
					
				
			
			
				commit
				
					
						684d46b170
					
				
			
		
					 5 changed files with 277 additions and 29 deletions
				
			
		|  | @ -199,33 +199,19 @@ def parseoptions(module, options): | ||||||
|     ''' |     ''' | ||||||
|     options_dict = keydict() #ordered dict |     options_dict = keydict() #ordered dict | ||||||
|     if options: |     if options: | ||||||
|         token_exp = [ |         try: | ||||||
|             # matches separator |             # the following regex will split on commas while | ||||||
|             (r',+', False), |             # ignoring those commas that fall within quotes | ||||||
|             # matches option with value, e.g. from="x,y" |             regex = re.compile(r'''((?:[^,"']|"[^"]*"|'[^']*')+)''') | ||||||
|             (r'([a-z0-9-]+)="((?:[^"\\]|\\.)*)"', True), |             parts = regex.split(options)[1:-1] | ||||||
|             # matches single option, e.g. no-agent-forwarding  |             for part in parts: | ||||||
|             (r'[a-z0-9-]+', True) |                 if "=" in part: | ||||||
|         ] |                     (key, value) = part.split("=", 1) | ||||||
| 
 |                     options_dict[key] = value | ||||||
|         pos = 0 |                 elif part != ",": | ||||||
|         while pos < len(options): |                     options_dict[part] = None | ||||||
|             match = None |         except: | ||||||
|             for pattern, is_valid_option in token_exp: |             module.fail_json(msg="invalid option string: %s" % options) | ||||||
|                 regex = re.compile(pattern, re.IGNORECASE) |  | ||||||
|                 match = regex.match(options, pos) |  | ||||||
|                 if match: |  | ||||||
|                     text = match.group(0) |  | ||||||
|                     if is_valid_option: |  | ||||||
|                         if len(match.groups()) == 2: |  | ||||||
|                             options_dict[match.group(1)] = match.group(2) |  | ||||||
|                         else: |  | ||||||
|                             options_dict[text] = None |  | ||||||
|                     break |  | ||||||
|             if not match: |  | ||||||
|                 module.fail_json(msg="invalid option string: %s" % options) |  | ||||||
|             else: |  | ||||||
|                 pos = match.end(0) |  | ||||||
| 
 | 
 | ||||||
|     return options_dict |     return options_dict | ||||||
| 
 | 
 | ||||||
|  | @ -254,7 +240,7 @@ def parsekey(module, raw_key): | ||||||
| 
 | 
 | ||||||
|     # split key safely |     # split key safely | ||||||
|     lex = shlex.shlex(raw_key) |     lex = shlex.shlex(raw_key) | ||||||
|     lex.quotes = ["'", '"'] |     lex.quotes = [] | ||||||
|     lex.commenters = '' #keep comment hashes |     lex.commenters = '' #keep comment hashes | ||||||
|     lex.whitespace_split = True |     lex.whitespace_split = True | ||||||
|     key_parts = list(lex) |     key_parts = list(lex) | ||||||
|  | @ -315,7 +301,7 @@ def writekeys(module, filename, keys): | ||||||
|                     option_strings = [] |                     option_strings = [] | ||||||
|                     for option_key in options.keys(): |                     for option_key in options.keys(): | ||||||
|                         if options[option_key]: |                         if options[option_key]: | ||||||
|                             option_strings.append("%s=\"%s\"" % (option_key, options[option_key])) |                             option_strings.append("%s=%s" % (option_key, options[option_key])) | ||||||
|                         else: |                         else: | ||||||
|                             option_strings.append("%s" % option_key) |                             option_strings.append("%s" % option_key) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -36,3 +36,4 @@ | ||||||
|     - { role: test_command_shell, tags: test_command_shell } |     - { role: test_command_shell, tags: test_command_shell } | ||||||
|     - { role: test_failed_when, tags: test_failed_when } |     - { role: test_failed_when, tags: test_failed_when } | ||||||
|     - { role: test_script, tags: test_script } |     - { role: test_script, tags: test_script } | ||||||
|  |     - { role: test_authorized_key, tags: test_authorized_key } | ||||||
|  |  | ||||||
							
								
								
									
										15
									
								
								test/integration/roles/test_authorized_key/defaults/main.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										15
									
								
								test/integration/roles/test_authorized_key/defaults/main.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,15 @@ | ||||||
|  | --- | ||||||
|  | dss_key_basic: > | ||||||
|  |   ssh-dss DATA_BASIC root@testing | ||||||
|  | dss_key_unquoted_option: > | ||||||
|  |   idle-timeout=5m ssh-dss DATA_UNQUOTED_OPTION root@testing | ||||||
|  | dss_key_command: > | ||||||
|  |   command="/bin/true" ssh-dss DATA_COMMAND root@testing | ||||||
|  | dss_key_complex_command: > | ||||||
|  |   command="echo foo 'bar baz'" ssh-dss DATA_COMPLEX_COMMAND root@testing | ||||||
|  | dss_key_command_single_option: > | ||||||
|  |   no-port-forwarding,command="/bin/true" ssh-dss DATA_COMMAND_SINGLE_OPTIONS root@testing | ||||||
|  | dss_key_command_multiple_options: > | ||||||
|  |   no-port-forwarding,idle-timeout=5m,command="/bin/true" ssh-dss DATA_COMMAND_MULTIPLE_OPTIONS root@testing | ||||||
|  | dss_key_trailing: > | ||||||
|  |   ssh-dss DATA_TRAILING root@testing foo bar baz | ||||||
							
								
								
									
										2
									
								
								test/integration/roles/test_authorized_key/meta/main.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								test/integration/roles/test_authorized_key/meta/main.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,2 @@ | ||||||
|  | dependencies:  | ||||||
|  |   - prepare_tests | ||||||
							
								
								
									
										244
									
								
								test/integration/roles/test_authorized_key/tasks/main.yml
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										244
									
								
								test/integration/roles/test_authorized_key/tasks/main.yml
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,244 @@ | ||||||
|  | # test code for the authorized_key module | ||||||
|  | # (c) 2014, James Cammarata <jcammarata@ansible.com> | ||||||
|  | 
 | ||||||
|  | # This file is part of Ansible | ||||||
|  | # | ||||||
|  | # Ansible is free software: you can redistribute it and/or modify | ||||||
|  | # it under the terms of the GNU General Public License as published by | ||||||
|  | # the Free Software Foundation, either version 3 of the License, or | ||||||
|  | # (at your option) any later version. | ||||||
|  | # | ||||||
|  | # Ansible is distributed in the hope that it will be useful, | ||||||
|  | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||||
|  | # GNU General Public License for more details. | ||||||
|  | # | ||||||
|  | # You should have received a copy of the GNU General Public License | ||||||
|  | # along with Ansible.  If not, see <http://www.gnu.org/licenses/>. | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # Setup steps | ||||||
|  | 
 | ||||||
|  | - name: touch the authorized_keys file | ||||||
|  |   file: dest="{{output_dir}}/authorized_keys" state=touch | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the authorized_keys file was created | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.state == "file"'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # basic ssh-dss key | ||||||
|  | 
 | ||||||
|  | - name: add basic ssh-dss key | ||||||
|  |   authorized_key: user=root key="{{ dss_key_basic }}" state=present path="{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_basic'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add basic ssh-dss key | ||||||
|  |   authorized_key: user=root key="{{ dss_key_basic }}" state=present path="{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with an unquoted option | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with an unquoted option | ||||||
|  |   authorized_key:  | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_unquoted_option }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_unquoted_option'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with an unquoted option | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_unquoted_option }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with a leading command="/bin/foo" | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with a leading command | ||||||
|  |   authorized_key:  | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_command'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with a leading command | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with a complex quoted leading command | ||||||
|  | # ie. command="/bin/echo foo 'bar baz'" | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with a complex quoted leading command | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_complex_command }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_complex_command'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with a complex quoted leading command | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_complex_command }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with a command and a single option, which are | ||||||
|  | # in a comma-separated list | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with a command and a single option | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command_single_option }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_command_single_option'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with a command and a single option | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command_single_option }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with a command and multiple other options | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with a command and multiple options | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command_multiple_options }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_command_multiple_options'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with a command and multiple options | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_command_multiple_options }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
|  | # ------------------------------------------------------------- | ||||||
|  | # ssh-dss key with multiple trailing parts, which are space- | ||||||
|  | # separated and not quoted in any way | ||||||
|  | 
 | ||||||
|  | - name: add ssh-dss key with trailing parts | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_trailing }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that the key was added | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == True'] | ||||||
|  |     - ['result.key == dss_key_trailing'] | ||||||
|  |     - ['result.key_options == None'] | ||||||
|  | 
 | ||||||
|  | - name: re-add ssh-dss key with trailing parts | ||||||
|  |   authorized_key: | ||||||
|  |     user: root | ||||||
|  |     key: "{{ dss_key_trailing }}" | ||||||
|  |     state: present | ||||||
|  |     path: "{{output_dir|expanduser}}/authorized_keys" | ||||||
|  |   register: result | ||||||
|  | 
 | ||||||
|  | - name: assert that nothing changed | ||||||
|  |   assert: | ||||||
|  |     that: | ||||||
|  |     - ['result.changed == False'] | ||||||
|  | 
 | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue