carroarmato0/ansible.posix
1
0
Fork 0
mirror of https://github.com/ansible-collections/ansible.posix.git synced 2026-01-10 14:45:28 +01:00
Code Issues Projects Releases Packages Wiki Activity

Fixes #462 notice permission denied on authorized_key module

Browse source
This commit is contained in:
Klaas Demter 2025-05-16 16:39:51 +02:00
parent 9343c6f56f
commit 413ab782a8
4 changed files with 61 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
changelogs/fragments/639_fix_authorized_key.yml Normal file
View file

@ -0,0 +1,3 @@
---
bugfixes:
- ansible.posix.authorized_key - fixes error on permission denied in authorized_key module (https://github.com/ansible-collections/ansible.posix/issues/462).

24
plugins/modules/authorized_key.py
View file

@ -225,6 +225,8 @@ import os.path
import tempfile import tempfile
import re import re
import shlex import shlex
import errno
import traceback
from operator import itemgetter from operator import itemgetter
from ansible.module_utils._text import to_native from ansible.module_utils._text import to_native
@ -475,16 +477,18 @@ def parsekey(module, raw_key, rank=None):
return (key, key_type, options, comment, rank) return (key, key_type, options, comment, rank)
def readfile(filename): def readfile(module, filename):
if not os.path.isfile(filename):
return ''
f = open(filename)
try: try:
return f.read() with open(filename, 'r') as f:
finally: return f.read()
f.close() except IOError as e:
if e.errno == errno.EACCES:
module.fail_json(msg="Permission denied on file or path for authorized keys file: %s" % filename,
exception=traceback.format_exc())
elif e.errno == errno.ENOENT:
return ''
else:
raise
def parsekeys(module, lines): def parsekeys(module, lines):
@ -597,7 +601,7 @@ def enforce_state(module, params):
# check current state -- just get the filename, don't create file # check current state -- just get the filename, don't create file
do_write = False do_write = False
params["keyfile"] = keyfile(module, user, do_write, path, manage_dir) params["keyfile"] = keyfile(module, user, do_write, path, manage_dir)
existing_content = readfile(params["keyfile"]) existing_content = readfile(module, params["keyfile"])
existing_keys = parsekeys(module, existing_content) existing_keys = parsekeys(module, existing_content)
# Add a place holder for keys that should exist in the state=present and # Add a place holder for keys that should exist in the state=present and

41
tests/integration/targets/authorized_key/tasks/check_permissions.yml Normal file
View file

@ -0,0 +1,41 @@
---
# -------------------------------------------------------------
# check permissions
- name: Create a file that is not accessible
ansible.builtin.file:
state: touch
path: "{{ output_dir | expanduser }}/file_permissions"
owner: root
mode: '0000'
- name: Create unprivileged user
ansible.builtin.user:
name: nopriv
create_home: true
- name: Try to delete a key from an unreadable file
become: true
become_user: nopriv
ansible.posix.authorized_key:
user: root
key: "{{ dss_key_basic }}"
state: absent
path: "{{ output_dir | expanduser }}/file_permissions"
register: result
ignore_errors: true
- name: Assert that the key deletion has failed
ansible.builtin.assert:
that:
- result.failed == True
- name: Remove the file
ansible.builtin.file:
state: absent
path: "{{ output_dir | expanduser }}/file_permissions"
- name: Remove the user
ansible.builtin.user:
name: nopriv
state: absent

3
tests/integration/targets/authorized_key/tasks/main.yml
View file

@ -34,3 +34,6 @@
- name: Test for specifying key as a path - name: Test for specifying key as a path
ansible.builtin.import_tasks: check_path.yml ansible.builtin.import_tasks: check_path.yml
- name: Test for permission denied files
ansible.builtin.import_tasks: check_permissions.yml