Merge c4ff0545f1 into b39ee97ccc

Merge pull request #677 from shenxianpeng/patch-1
docs: fix broken badge and restore coverage badge SUMMARY Replaced the outdated Shippable badge and active Codecov coverage badge, like other repos in ansible-collections org ISSUE TYPE Docs Pull Request COMPONENT NAME ADDITIONAL INFORMATION Reviewed-by: Hideki Saito <saito@fgrep.org>
2026-01-11 15:15:26 +01:00 · 2025-12-04 15:38:45 +01:00 · 2025-11-28 07:14:56 +00:00 · 2025-11-28 03:25:21 +00:00 · 2025-10-22 08:29:46 +02:00 · 2025-10-21 10:00:12 +02:00
9 changed files with 258 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
 <!-- Add CI and code coverage badges here. Samples included below. -->
 [![Build Status](
 https://dev.azure.com/ansible/ansible.posix/_apis/build/status/CI?branchName=main)](https://dev.azure.com/ansible/ansible.posix/_build?definitionId=26)
-[![Run Status](https://api.shippable.com/projects/5e669aaf8b17a60007e4d18d/badge?branch=main)]() <!--[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/ansible.posix)](https://codecov.io/gh/ansible-collections/ansible.posix)-->
+[![Codecov](https://img.shields.io/codecov/c/github/ansible-collections/ansible.posix)](https://codecov.io/gh/ansible-collections/ansible.posix)
 ## Communication
--- a/changelogs/fragments/639_fix_authorized_key.yml
+++ b/changelogs/fragments/639_fix_authorized_key.yml
@ -0,0 +1,3 @@
 ---
 bugfixes:
  - ansible.posix.authorized_key - fixes error on permission denied in authorized_key module (https://github.com/ansible-collections/ansible.posix/issues/462).
--- a/plugins/modules/authorized_key.py
+++ b/plugins/modules/authorized_key.py
@ -225,6 +225,8 @@ import os.path
 import tempfile
 import re
 import shlex
 import errno
 import traceback
 from operator import itemgetter
 from ansible.module_utils._text import to_native
@ -475,16 +477,18 @@ def parsekey(module, raw_key, rank=None):
    return (key, key_type, options, comment, rank)
-def readfile(filename):
+def readfile(module, filename):
    if not os.path.isfile(filename):
        return ''
    f = open(filename)
    try:
-        return f.read()
+        with open(filename, 'r') as f:
-    finally:
+            return f.read()
-        f.close()
+    except IOError as e:
        if e.errno == errno.EACCES:
            module.fail_json(msg="Permission denied on file or path for authorized keys file: %s" % filename,
                             exception=traceback.format_exc())
        elif e.errno == errno.ENOENT:
            return ''
        else:
            raise
 def parsekeys(module, lines):
@ -597,7 +601,7 @@ def enforce_state(module, params):
    # check current state -- just get the filename, don't create file
    do_write = False
    params["keyfile"] = keyfile(module, user, do_write, path, manage_dir)
-    existing_content = readfile(params["keyfile"])
+    existing_content = readfile(module, params["keyfile"])
    existing_keys = parsekeys(module, existing_content)
    # Add a place holder for keys that should exist in the state=present and
--- a/plugins/modules/firewalld.py
+++ b/plugins/modules/firewalld.py
@ -28,6 +28,11 @@ options:
      - Name of a port or port range to add/remove to/from firewalld.
      - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
    type: str
  source_port:
    description:
      - Name of a source port or port range to add/remove to/from firewalld.
      - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
    type: str
  port_forward:
    description:
      - Port and protocol to forward using firewalld.
@ -185,6 +190,13 @@ EXAMPLES = r'''
    permanent: true
    state: enabled
 - name: Permit traffic in home zone from port 20561/udp
  ansible.posix.firewalld:
    source_port: 20561/udp
    zone: home
    permanent: true
    state: enabled
 - name: Permit traffic in dmz zone on http service
  ansible.posix.firewalld:
    zone: dmz
@ -552,6 +564,43 @@ class PortTransaction(FirewallTransaction):
        self.update_fw_settings(fw_zone, fw_settings)
 class SourcePortTransaction(FirewallTransaction):
    """
    SourcePortTransaction
    """
    def __init__(self, module, action_args=None, zone=None, desired_state=None, permanent=False, immediate=False):
        super(SourcePortTransaction, self).__init__(
            module, action_args=action_args, desired_state=desired_state, zone=zone, permanent=permanent, immediate=immediate
        )
    def get_enabled_immediate(self, port, protocol, timeout):
        if self.fw_offline:
            dummy, fw_settings = self.get_fw_zone_settings()
            return fw_settings.querySourcePort(port=port, protocol=protocol)
        return self.fw.querySourcePort(zone=self.zone, port=port, protocol=protocol)
    def get_enabled_permanent(self, port, protocol, timeout):
        dummy, fw_settings = self.get_fw_zone_settings()
        return fw_settings.querySourcePort(port=port, protocol=protocol)
    def set_enabled_immediate(self, port, protocol, timeout):
        self.fw.addSourcePort(zone=self.zone, port=port, protocol=protocol, timeout=timeout)
    def set_enabled_permanent(self, port, protocol, timeout):
        fw_zone, fw_settings = self.get_fw_zone_settings()
        fw_settings.addSourcePort(port=port, protocol=protocol)
        self.update_fw_settings(fw_zone, fw_settings)
    def set_disabled_immediate(self, port, protocol, timeout):
        self.fw.removeSourcePort(zone=self.zone, port=port, protocol=protocol)
    def set_disabled_permanent(self, port, protocol, timeout):
        fw_zone, fw_settings = self.get_fw_zone_settings()
        fw_settings.removeSourcePort(port=port, protocol=protocol)
        self.update_fw_settings(fw_zone, fw_settings)
 class InterfaceTransaction(FirewallTransaction):
    """
    InterfaceTransaction
@ -879,6 +928,7 @@ def main():
            service=dict(type='str'),
            protocol=dict(type='str'),
            port=dict(type='str'),
            source_port=dict(type='str'),
            port_forward=dict(type='list', elements='dict'),
            rich_rule=dict(type='str'),
            zone=dict(type='str'),
@ -900,8 +950,8 @@ def main():
            source=('permanent',),
        ),
        mutually_exclusive=[
-            ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'port_forward', 'rich_rule',
+            ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'source_port', 'port_forward',
-             'interface', 'forward', 'masquerade', 'source', 'target']
+             'rich_rule', 'interface', 'forward', 'masquerade', 'source', 'target']
        ],
    )
@ -957,6 +1007,17 @@ def main():
    else:
        port_protocol = None
    source_port = None
    if module.params['source_port'] is not None:
        if '/' in module.params['source_port']:
            source_port, source_port_protocol = module.params['source_port'].strip().split('/')
        else:
            source_port_protocol = None
        if not source_port_protocol:
            module.fail_json(msg='improper source_port format (missing protocol?)')
    else:
        source_port_protocol = None
    port_forward_toaddr = ''
    port_forward = None
    if module.params['port_forward'] is not None:
@ -973,7 +1034,7 @@ def main():
            port_forward_toaddr = port_forward['toaddr']
    modification = False
-    if any([icmp_block, icmp_block_inversion, service, protocol, port, port_forward, rich_rule,
+    if any([icmp_block, icmp_block_inversion, service, protocol, port, source_port, port_forward, rich_rule,
            interface, forward, masquerade, source, target]):
        modification = True
    if modification and desired_state in ['absent', 'present'] and target is None:
@ -1079,6 +1140,26 @@ def main():
                )
            )
    if source_port is not None:
        transaction = SourcePortTransaction(
            module,
            action_args=(source_port, source_port_protocol, timeout),
            zone=zone,
            desired_state=desired_state,
            permanent=permanent,
            immediate=immediate,
        )
        changed, transaction_msgs = transaction.run()
        msgs = msgs + transaction_msgs
        if changed is True:
            msgs.append(
                "Changed source_port %s to %s" % (
                    "%s/%s" % (source_port, source_port_protocol), desired_state
                )
            )
    if port_forward is not None:
        transaction = ForwardPortTransaction(
            module,
--- a/tests/integration/targets/authorized_key/tasks/check_permissions.yml
+++ b/tests/integration/targets/authorized_key/tasks/check_permissions.yml
@ -0,0 +1,41 @@
 ---
 # -------------------------------------------------------------
 # check permissions
 - name: Create a file that is not accessible
  ansible.builtin.file:
    state: touch
    path: "{{ output_dir | expanduser }}/file_permissions"
    owner: root
    mode: '0000'
 - name: Create unprivileged user
  ansible.builtin.user:
    name: nopriv
    create_home: true
 - name: Try to delete a key from an unreadable file
  become: true
  become_user: nopriv
  ansible.posix.authorized_key:
    user: root
    key: "{{ dss_key_basic }}"
    state: absent
    path: "{{ output_dir | expanduser }}/file_permissions"
  register: result
  ignore_errors: true
 - name: Assert that the key deletion has failed
  ansible.builtin.assert:
    that:
      - result is failed
 - name: Remove the file
  ansible.builtin.file:
    state: absent
    path: "{{ output_dir | expanduser }}/file_permissions"
 - name: Remove the user
  ansible.builtin.user:
    name: nopriv
    state: absent
--- a/tests/integration/targets/authorized_key/tasks/main.yml
+++ b/tests/integration/targets/authorized_key/tasks/main.yml
@ -34,3 +34,6 @@
 - name: Test for specifying key as a path
  ansible.builtin.import_tasks: check_path.yml
 - name: Test for permission denied files
  ansible.builtin.import_tasks: check_permissions.yml
--- a/tests/integration/targets/firewalld/tasks/run_all_tests.yml
+++ b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
@ -21,6 +21,10 @@
 - name: Include port test cases for firewalld module
  ansible.builtin.include_tasks: port_test_cases.yml
 # firewalld source_port operation test cases
 - name: Include source_port test cases for firewalld module
  ansible.builtin.include_tasks: source_port_test_cases.yml
 # firewalld source operation test cases
 - name: Include source test cases for firewalld module
  ansible.builtin.include_tasks: source_test_cases.yml
--- a/tests/integration/targets/firewalld/tasks/source_port_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/source_port_test_cases.yml
@ -0,0 +1,107 @@
 ---
 # Test playbook for the firewalld module - source_port operations
 - name: Firewalld source_port range test permanent enabled
  ansible.posix.firewalld:
    source_port: 5500-6850/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port range test permanent enabled worked
  ansible.builtin.assert:
    that:
      - result is changed
 - name: Firewalld source_port range test permanent enabled rerun (verify not changed)
  ansible.posix.firewalld:
    source_port: 5500-6850/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port range test permanent enabled rerun worked (verify not changed)
  ansible.builtin.assert:
    that:
      - result is not changed
 - name: Firewalld source_port test permanent enabled
  ansible.posix.firewalld:
    source_port: 6900/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port test permanent enabled worked
  ansible.builtin.assert:
    that:
      - result is changed
 - name: Firewalld source_port test permanent enabled
  ansible.posix.firewalld:
    source_port: 6900/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port test permanent enabled worked
  ansible.builtin.assert:
    that:
      - result is not changed
 - name: Firewalld source_port test disabled
  ansible.posix.firewalld:
    source_port: "{{ item }}"
    permanent: true
    state: disabled
  loop:
    - 6900/tcp
    - 5500-6850/tcp
 - name: Firewalld source_port test permanent enabled
  ansible.posix.firewalld:
    source_port: 8081/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port test permanent enabled worked
  ansible.builtin.assert:
    that:
      - result is changed
 - name: Firewalld source_port test permanent enabled rerun (verify not changed)
  ansible.posix.firewalld:
    source_port: 8081/tcp
    permanent: true
    state: enabled
  register: result
 - name: Assert firewalld source_port test permanent enabled rerun worked (verify not changed)
  ansible.builtin.assert:
    that:
      - result is not changed
 - name: Firewalld source_port test permanent disabled
  ansible.posix.firewalld:
    source_port: 8081/tcp
    permanent: true
    state: disabled
  register: result
 - name: Assert firewalld source_port test permanent disabled worked
  ansible.builtin.assert:
    that:
      - result is changed
 - name: Firewalld source_port test permanent disabled rerun (verify not changed)
  ansible.posix.firewalld:
    source_port: 8081/tcp
    permanent: true
    state: disabled
  register: result
 - name: Assert firewalld source_port test permanent disabled rerun worked (verify not changed)
  ansible.builtin.assert:
    that:
      - result is not changed
--- a/tests/integration/targets/firewalld/tasks/source_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/source_test_cases.yml
@ -85,4 +85,4 @@
      - result is not changed
      - >
        result.msg == 'parameters are mutually exclusive:
-        icmp_block|icmp_block_inversion|service|protocol|port|port_forward|rich_rule|interface|forward|masquerade|source|target'
+        icmp_block|icmp_block_inversion|service|protocol|port|source_port|port_forward|rich_rule|interface|forward|masquerade|source|target'
Author	SHA1	Message	Date
Zhanibek Adilbekov	ca5aa2a019	Merge `c4ff0545f1` into `b39ee97ccc`	2025-12-04 15:38:45 +01:00
softwarefactory-project-zuul[bot]	b39ee97ccc	Merge pull request #677 from shenxianpeng/patch-1 docs: fix broken badge and restore coverage badge SUMMARY Replaced the outdated Shippable badge and active Codecov coverage badge, like other repos in ansible-collections org ISSUE TYPE Docs Pull Request COMPONENT NAME ADDITIONAL INFORMATION Reviewed-by: Hideki Saito <saito@fgrep.org>	2025-11-28 07:14:56 +00:00
softwarefactory-project-zuul[bot]	72a6eb9729	Merge pull request #639 from Klaas-/Klaas-fix_authorized_key Fixes #462 notice permission denied on authorized_key module SUMMARY As of right now the authorized_key module does not notice on an "absent" if a authorized_keys file is simply not readable to the executing user. I am trying to fix that ISSUE TYPE Bugfix Pull Request COMPONENT NAME authorized_key ADDITIONAL INFORMATION Execute as a user that does not have access to the root users authorized keys file - name: Delete key from root user ansible.posix.authorized_key: state: absent user: root key: ssh-rsa xxxxxxxx - name: Delete key from root user become: true ansible.posix.authorized_key: state: absent user: root key: ssh-rsa xxxxxxxx The one without become will succeed before my change and will fail with a permission denied error after my change. The 2nd task will actually remove a key from root user if become privileges are available for the executing user Reviewed-by: Brian Coca Reviewed-by: Klaas Demter Reviewed-by: Felix Fontein <felix@fontein.de> Reviewed-by: Hideki Saito <saito@fgrep.org>	2025-11-28 03:25:21 +00:00
Klaas Demter	9651a19805	change result.failed==True to result is failed in check_permissions.yml Co-authored-by: Felix Fontein <felix@fontein.de>	2025-10-22 08:29:46 +02:00
Klaas Demter	413ab782a8	Fixes #462 notice permission denied on authorized_key module	2025-10-21 10:00:12 +02:00
Xianpeng Shen	cda2e0657f	docs: fix broken badge and restore coverage badge	2025-08-14 14:33:30 +03:00
Zhanibek Adilbekov	c4ff0545f1	Firewalld: Add functionality to set source_port	2025-08-01 14:21:01 +05:00