Fixing accelerated connection plugin

2025-07-26 14:41:23 -07:00 · 2015-10-02 00:35:22 -04:00 · 2015-10-02 00:35:22 -04:00 · 8ef78b1cf8
commit 8ef78b1cf8
parent 00b8a24299
4 changed files with 229 additions and 186 deletions
--- a/lib/ansible/utils/encrypt.py
+++ b/lib/ansible/utils/encrypt.py
@ -18,6 +18,11 @@ from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type


+import os
+import stat
+import time
+import warnings
+
 PASSLIB_AVAILABLE = False
 try:
    import passlib.hash
@ -25,6 +30,34 @@ try:
 except:
    pass

+KEYCZAR_AVAILABLE=False
+try:
+    try:
+        # some versions of pycrypto may not have this?
+        from Crypto.pct_warnings import PowmInsecureWarning
+    except ImportError:
+        PowmInsecureWarning = RuntimeWarning
+
+    with warnings.catch_warnings(record=True) as warning_handler:
+        warnings.simplefilter("error", PowmInsecureWarning)
+        try:
+            import keyczar.errors as key_errors
+            from keyczar.keys import AesKey
+        except PowmInsecureWarning:
+            system_warning(
+                "The version of gmp you have installed has a known issue regarding " + \
+                "timing vulnerabilities when used with pycrypto. " + \
+                "If possible, you should update it (i.e. yum update gmp)."
+            )
+            warnings.resetwarnings()
+            warnings.simplefilter("ignore")
+            import keyczar.errors as key_errors
+            from keyczar.keys import AesKey
+        KEYCZAR_AVAILABLE=True
+except ImportError:
+    pass
+
+from ansible import constants as C
 from ansible.errors import AnsibleError

 __all__ = ['do_encrypt']
@ -47,3 +80,47 @@ def do_encrypt(result, encrypt, salt_size=None, salt=None):

    return result

+def key_for_hostname(hostname):
+    # fireball mode is an implementation of ansible firing up zeromq via SSH
+    # to use no persistent daemons or key management
+
+    if not KEYCZAR_AVAILABLE:
+        raise AnsibleError("python-keyczar must be installed on the control machine to use accelerated modes")
+
+    key_path = os.path.expanduser(C.ACCELERATE_KEYS_DIR)
+    if not os.path.exists(key_path):
+        os.makedirs(key_path, mode=0700)
+        os.chmod(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8))
+    elif not os.path.isdir(key_path):
+        raise AnsibleError('ACCELERATE_KEYS_DIR is not a directory.')
+
+    if stat.S_IMODE(os.stat(key_path).st_mode) != int(C.ACCELERATE_KEYS_DIR_PERMS, 8):
+        raise AnsibleError('Incorrect permissions on the private key directory. Use `chmod 0%o %s` to correct this issue, and make sure any of the keys files contained within that directory are set to 0%o' % (int(C.ACCELERATE_KEYS_DIR_PERMS, 8), C.ACCELERATE_KEYS_DIR, int(C.ACCELERATE_KEYS_FILE_PERMS, 8)))
+
+    key_path = os.path.join(key_path, hostname)
+
+    # use new AES keys every 2 hours, which means fireball must not allow running for longer either
+    if not os.path.exists(key_path) or (time.time() - os.path.getmtime(key_path) > 60*60*2):
+        key = AesKey.Generate(size=256)
+        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT, int(C.ACCELERATE_KEYS_FILE_PERMS, 8))
+        fh = os.fdopen(fd, 'w')
+        fh.write(str(key))
+        fh.close()
+        return key
+    else:
+        if stat.S_IMODE(os.stat(key_path).st_mode) != int(C.ACCELERATE_KEYS_FILE_PERMS, 8):
+            raise AnsibleError('Incorrect permissions on the key file for this host. Use `chmod 0%o %s` to correct this issue.' % (int(C.ACCELERATE_KEYS_FILE_PERMS, 8), key_path))
+        fh = open(key_path)
+        key = AesKey.Read(fh.read())
+        fh.close()
+        return key
+
+def keyczar_encrypt(key, msg):
+    return key.Encrypt(msg.encode('utf-8'))
+
+def keyczar_decrypt(key, msg):
+    try:
+        return key.Decrypt(msg)
+    except key_errors.InvalidSignatureError:
+        raise AnsibleError("decryption failed")
+