Fixes #462 notice permission denied on authorized_key module

Ignore pylint errors caused by compatibility checks for six

SUMMARY
Ignore pylint errors caused by compatibility checks for six:

pylint:ansible-bad-import-from

Ansible Core 2.16 supports Python2 environment,  and six is required to maintain compatibility with Python 2.
We plan to continue supporting Ansible Core 2.16 at this time.
Additionally, removing the standalone ansible-lint test because it is already included in ansible-test sanity.
ISSUE TYPE

CI tests Request

COMPONENT NAME

ansible.posix

ADDITIONAL INFORMATION
None

Reviewed-by: Andrew Klychkov <aklychko@redhat.com>
Reviewed-by: Felix Fontein <felix@fontein.de>
Reviewed-by: Hideki Saito <saito@fgrep.org>

.ansible-lint

@@ -4,7 +4,8 @@
 # SPDX-FileCopyrightText: 2024, Ansible Project
 
 skip_list:
-  - meta-runtime[unsupported-version]  # Tis rule doesn't make any sense
+  - meta-runtime[unsupported-version]  # This rule doesn't make any sense
   - fqcn[deep]  # This rule produces false positives for files in tests/unit/plugins/action/fixtures/
+  - sanity[cannot-ignore]  # This rule is skipped to keep backward compatibility with Python 2
 exclude_paths:
   - changelogs/

.azure-pipelines/azure-pipelines.yml

@@ -37,13 +37,13 @@ variables:
 resources:
   containers:
     - container: default
-      image: quay.io/ansible/azure-pipelines-test-container:6.0.0
+      image: quay.io/ansible/azure-pipelines-test-container:7.0.0
 
 pool: Standard
 
 stages:
   - stage: Sanity_devel
-    displayName: Ansible devel sanity
+    displayName: Ansible devel Sanity & Units & Lint
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
@@ -57,8 +57,23 @@ stages:
               test: units
             - name: Lint
               test: lint
+  - stage: Sanity_2_19
+    displayName: Ansible 2.19 Sanity & Units & Lint
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: "{0}"
+          testFormat: 2.19/{0}
+          targets:
+            - name: Sanity
+              test: sanity
+            - name: Units
+              test: units
+            - name: Lint
+              test: lint
   - stage: Sanity_2_18
-    displayName: Ansible 2.18 sanity
+    displayName: Ansible 2.18 Sanity & Units & Lint
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
@@ -73,7 +88,7 @@ stages:
             - name: Lint
               test: lint
   - stage: Sanity_2_17
-    displayName: Ansible 2.17 sanity
+    displayName: Ansible 2.17 Sanity & Units & Lint
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
@@ -88,7 +103,7 @@ stages:
             - name: Lint
               test: lint
   - stage: Sanity_2_16
-    displayName: Ansible 2.16 sanity
+    displayName: Ansible 2.16 Sanity & Units & Lint
     dependsOn: []
     jobs:
       - template: templates/matrix.yml
@@ -100,19 +115,8 @@ stages:
               test: sanity
             - name: Units
               test: units
-  - stage: Sanity_2_15
-    displayName: Ansible 2.15 sanity
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          nameFormat: "{0}"
-          testFormat: 2.15/{0}
-          targets:
-            - name: Sanity
-              test: sanity
-            - name: Units
-              test: units
+            - name: Lint
+              test: lint
   ## Docker
   - stage: Docker_devel
     displayName: Docker devel
@@ -121,6 +125,20 @@ stages:
       - template: templates/matrix.yml
         parameters:
           testFormat: devel/linux/{0}/1
+          targets:
+            - name: Fedora 42
+              test: fedora42
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+            - name: Ubuntu 24.04
+              test: ubuntu2404
+  - stage: Docker_2_19
+    displayName: Docker 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/linux/{0}/1
           targets:
             - name: Fedora 41
               test: fedora41
@@ -169,23 +187,6 @@ stages:
             - name: Ubuntu 22.04
               test: ubuntu2204
 
-  - stage: Docker_2_15
-    displayName: Docker 2.15
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          testFormat: 2.15/linux/{0}/1
-          targets:
-            - name: CentOS 7
-              test: centos7
-            - name: Fedora 37
-              test: fedora37
-            - name: openSUSE 15 py3
-              test: opensuse15
-            - name: Ubuntu 22.04
-              test: ubuntu2204
-
   ## Remote
   - stage: Remote_devel
     displayName: Remote devel
@@ -195,6 +196,24 @@ stages:
         parameters:
           testFormat: devel/{0}/1
           targets:
+            - name: RHEL 10.0
+              test: rhel/10.0
+            - name: RHEL 9.6
+              test: rhel/9.6
+            - name: FreeBSD 14.3
+              test: freebsd/14.3
+            - name: FreeBSD 13.5
+              test: freebsd/13.5
+  - stage: Remote_2_19
+    displayName: Remote 2.19
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.19/{0}/1
+          targets:
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: RHEL 9.5
               test: rhel/9.5
             - name: FreeBSD 14.2
@@ -211,8 +230,8 @@ stages:
           targets:
             - name: RHEL 9.4
               test: rhel/9.4
-            - name: FreeBSD 13.3
-              test: freebsd/13.3
+            - name: FreeBSD 13.5
+              test: freebsd/13.5
   - stage: Remote_2_17
     displayName: Remote 2.17
     dependsOn: []
@@ -223,8 +242,8 @@ stages:
           targets:
             - name: RHEL 9.3
               test: rhel/9.3
-            - name: FreeBSD 13.3
-              test: freebsd/13.3
+            - name: FreeBSD 13.5
+              test: freebsd/13.5
   - stage: Remote_2_16
     displayName: Remote 2.16
     dependsOn: []
@@ -238,29 +257,11 @@ stages:
             - name: RHEL 9.2
               test: rhel/9.2
 
-  - stage: Remote_2_15
-    displayName: Remote 2.15
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          testFormat: 2.15/{0}/1
-          targets:
-            - name: RHEL 7.9
-              test: rhel/7.9
-            - name: RHEL 8.7
-              test: rhel/8.7
-            - name: RHEL 9.1
-              test: rhel/9.1
-
   ## Finally
 
   - stage: Summary
     condition: succeededOrFailed()
     dependsOn:
-      - Sanity_2_15
-      - Remote_2_15
-      - Docker_2_15
       - Sanity_2_16
       - Remote_2_16
       - Docker_2_16
@@ -270,6 +271,9 @@ stages:
       - Sanity_2_18
       - Remote_2_18
       - Docker_2_18
+      - Sanity_2_19
+      - Remote_2_19
+      - Docker_2_19
       - Sanity_devel
       - Remote_devel
       - Docker_devel

README.md

@@ -21,7 +21,7 @@ An Ansible Collection of modules and plugins that target POSIX UNIX/Linux and de
 * Python:
   * The Python interpreter version must meet Ansible Core's requirements.
 * Ansible Core:
-  - ansible-core 2.15 or later
+  - ansible-core 2.16 or later
 
 ## Installation
 
@@ -46,10 +46,10 @@ To upgrade the collection to the latest available version, run the following com
 ansible-galaxy collection install ansible.posix --upgrade
 ```
 
-You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax to install version 1.0.0:
+You can also install a specific version of the collection, for example, if you need to downgrade when something is broken in the latest version (please report an issue in this repository). Use the following syntax to install version 2.0.0:
 
 ```shell
-ansible-galaxy collection install ansible.posix:==1.0.0
+ansible-galaxy collection install ansible.posix:==2.0.0
 ```
 
 See [using Ansible collections](https://docs.ansible.com/ansible/devel/user_guide/collections_using.html) for more details.
@@ -78,11 +78,10 @@ ansible-doc -t callback ansible.posix.profile_tasks
 
 The following ansible-core versions have been tested with this collection:
 
-- ansible-core 2.19 (devel)
-- ansible-core 2.18 (stable) *
+- ansible-core 2.20 (devel)
+- ansible-core 2.19 (stable) *
+- ansible-core 2.18 (stable)
 - ansible-core 2.17 (stable)
-- ansible-core 2.16 (stable)
-- ansible-core 2.15 (stable)
 
 ## Contributing
 

changelogs/fragments/639_fix_authorized_key.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - ansible.posix.authorized_key - fixes error on permission denied in authorized_key module (https://github.com/ansible-collections/ansible.posix/issues/462).

changelogs/fragments/642_ci_add_rhel10.yml

@@ -0,0 +1,2 @@
+trivial:
+  - Add Red Hat Enterprise Linux 10.0 to the CI matrix (https://github.com/ansible-collections/ansible.posix/issues/642).

changelogs/fragments/650-profile_tasks_roles.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - "profile_tasks and profile_roles callback plugins - avoid deleted/deprecated callback functions, instead use modern interface that was introduced a longer time ago (https://github.com/ansible-collections/ansible.posix/issues/650)."

changelogs/fragments/654_ci_bump_core_version.yml

@@ -0,0 +1,3 @@
+---
+trivial:
+  - Bump ansible-core version to 2.20 of devel branch and add 2.19 to CI

changelogs/fragments/660_ci_azp_syntax.yml

@@ -0,0 +1,2 @@
+trivial:
+  - AZP - fixed syntax error in CI test.

changelogs/fragments/665_update_readme_20250728.yml

@@ -0,0 +1,3 @@
+---
+trivial:
+  - README - Update README to reflect Ansible Core 2.19 release.

changelogs/fragments/666_azp_update_20250728.yml

@@ -0,0 +1,3 @@
+---
+trivial:
+  - AZP - Update AZP matrix to follow ansible-test changes.

changelogs/fragments/670-deprecations.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - "firewalld_info - stop returning warnings as return values; this has been deprecated by ansible-core (https://github.com/ansible-collections/ansible.posix/pull/670)."
+  - "mount - stop returning warnings as return values; this has been deprecated by ansible-core (https://github.com/ansible-collections/ansible.posix/pull/670)."

changelogs/fragments/673_update_ci_20250805.yml

@@ -0,0 +1,2 @@
+trivial:
+  - Update AZP CI matrix (https://github.com/ansible-collections/ansible.posix/issues/673).

changelogs/fragments/682_update_ci_20250929.yml

@@ -0,0 +1,4 @@
+trivial:
+  - Updatng AZP CI matrix to ignore ansible-bad-import-from on six(https://github.com/ansible-collections/ansible.posix/pull/682).
+  - Skipped sanity[cannot-ignore] to keep backward compatibility with Python2.
+  - Consolidate all ansible-lint option locations into .ansible-lint file.

meta/runtime.yml

@@ -1,2 +1,2 @@
 ---
-requires_ansible: ">=2.15.0"
+requires_ansible: ">=2.16.0"

plugins/callback/profile_roles.py

@@ -124,10 +124,7 @@ class CallbackModule(CallbackBase):
     def v2_playbook_on_handler_task_start(self, task):
         self._record_task(task)
 
-    def playbook_on_setup(self):
-        self._display_tasktime()
-
-    def playbook_on_stats(self, stats):
+    def v2_playbook_on_stats(self, stats):
         # Align summary report header with other callback plugin summary
         self._display.banner("ROLES RECAP")
 

plugins/callback/profile_tasks.py

@@ -209,10 +209,7 @@ class CallbackModule(CallbackBase):
     def v2_playbook_on_handler_task_start(self, task):
         self._record_task(task)
 
-    def playbook_on_setup(self):
-        self._display_tasktime()
-
-    def playbook_on_stats(self, stats):
+    def v2_playbook_on_stats(self, stats):
         # Align summary report header with other callback plugin summary
         self._display.banner("TASKS RECAP")
 

plugins/modules/authorized_key.py

@@ -225,6 +225,8 @@ import os.path
 import tempfile
 import re
 import shlex
+import errno
+import traceback
 from operator import itemgetter
 
 from ansible.module_utils._text import to_native
@@ -475,16 +477,18 @@ def parsekey(module, raw_key, rank=None):
     return (key, key_type, options, comment, rank)
 
 
-def readfile(filename):
-
-    if not os.path.isfile(filename):
-        return ''
-
-    f = open(filename)
+def readfile(module, filename):
     try:
-        return f.read()
-    finally:
-        f.close()
+        with open(filename, 'r') as f:
+            return f.read()
+    except IOError as e:
+        if e.errno == errno.EACCES:
+            module.fail_json(msg="Permission denied on file or path for authorized keys file: %s" % filename,
+                             exception=traceback.format_exc())
+        elif e.errno == errno.ENOENT:
+            return ''
+        else:
+            raise
 
 
 def parsekeys(module, lines):
@@ -597,7 +601,7 @@ def enforce_state(module, params):
     # check current state -- just get the filename, don't create file
     do_write = False
     params["keyfile"] = keyfile(module, user, do_write, path, manage_dir)
-    existing_content = readfile(params["keyfile"])
+    existing_content = readfile(module, params["keyfile"])
     existing_keys = parsekeys(module, existing_content)
 
     # Add a place holder for keys that should exist in the state=present and

plugins/modules/firewalld_info.py

@@ -319,7 +319,6 @@ def main():
         active_zones=module.params['active_zones'],
         collected_zones=list(),
         undefined_zones=list(),
-        warnings=list(),
     )
 
     # Exit with failure message if requirements modules are not installed.

plugins/modules/mount.py

@@ -279,7 +279,7 @@ def _set_mount_save_old(module, args):
     old_lines = []
     exists = False
     changed = False
-    escaped_args = dict([(k, _escape_fstab(v)) for k, v in iteritems(args) if k != 'warnings'])
+    escaped_args = dict([(k, _escape_fstab(v)) for k, v in iteritems(args)])
     new_line = '%(src)s %(name)s %(fstype)s %(opts)s %(dump)s %(passno)s\n'
 
     if platform.system() == 'SunOS':
@@ -804,7 +804,6 @@ def main():
             passno='-',
             fstab=module.params['fstab'],
             boot='yes' if module.params['boot'] else 'no',
-            warnings=[]
         )
         if args['fstab'] is None:
             args['fstab'] = '/etc/vfstab'
@@ -816,7 +815,6 @@ def main():
             passno='0',
             fstab=module.params['fstab'],
             boot='yes',
-            warnings=[]
         )
         if args['fstab'] is None:
             args['fstab'] = '/etc/fstab'
@@ -834,8 +832,7 @@ def main():
         linux_mounts = get_linux_mounts(module)
 
         if linux_mounts is None:
-            args['warnings'].append('Cannot open file /proc/self/mountinfo.'
-                                    ' Bind mounts might be misinterpreted.')
+            module.warn('Cannot open file /proc/self/mountinfo. Bind mounts might be misinterpreted.')
 
     # Override defaults with user specified params
     for key in ('src', 'fstype', 'passno', 'opts', 'dump', 'fstab'):
@@ -847,7 +844,7 @@ def main():
         # specified in 'opts',  mount module will ignore 'boot'.
         opts = args['opts'].split(',')
         if module.params['boot'] and 'noauto' in opts:
-            args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.")
+            module.warn("Ignore the 'boot' due to 'opts' contains 'noauto'.")
         elif not module.params['boot']:
             args['boot'] = 'no'
             opts.append('noauto')

tests/integration/targets/acl/tasks/acl.yml

@@ -46,6 +46,12 @@
     path: "{{ test_dir }}"
     state: directory
     mode: "0755"
+
+- name: Install acl package
+  ansible.builtin.package:
+    name: acl
+    state: present
+
 ##############################################################################
 - name: Grant ansible user read access to a file
   ansible.posix.acl:

tests/integration/targets/authorized_key/tasks/check_permissions.yml

@@ -0,0 +1,30 @@
+---
+# -------------------------------------------------------------
+# check permissions
+
+- name: Create a file that is not accessible
+  ansible.builtin.file:
+    state: touch
+    path: "{{ output_dir | expanduser }}/file_permissions"
+    owner: root
+    group: root
+    mode: '0000'
+
+- name: Try to delete a key from an unreadable file
+  ansible.posix.authorized_key:
+    user: root
+    key: "{{ dss_key_basic }}"
+    state: absent
+    path: "{{ output_dir | expanduser }}/file_permissions"
+  register: result
+  ignore_errors: true
+
+- name: Assert that the key deletion has failed
+  ansible.builtin.assert:
+    that:
+      - result.failed == True
+
+- name: Remove the file
+  ansible.builtin.file:
+    state: absent
+    path: "{{ output_dir | expanduser }}/file_permissions"

tests/integration/targets/authorized_key/tasks/main.yml

@@ -34,3 +34,6 @@
 
 - name: Test for specifying key as a path
   ansible.builtin.import_tasks: check_path.yml
+
+- name: Test for permission denied files
+  ansible.builtin.import_tasks: check_permissions.yml

tests/integration/targets/firewalld/aliases

@@ -1,3 +1,5 @@
+needs/privileged
+needs/root
 destructive
 shippable/posix/group1
 skip/aix

tests/sanity/ignore-2.20.txt

@@ -0,0 +1,10 @@
+tests/utils/shippable/timing.py shebang
+plugins/action/synchronize.py pylint:ansible-bad-import-from
+plugins/callback/cgroup_perf_recap.py pylint:ansible-bad-import-from
+plugins/modules/mount.py pylint:ansible-bad-import-from
+plugins/modules/sysctl.py pylint:ansible-bad-import-from
+plugins/shell/csh.py pylint:ansible-bad-import-from
+plugins/shell/fish.py pylint:ansible-bad-import-from
+tests/unit/mock/procenv.py pylint:ansible-bad-import-from
+tests/unit/mock/yaml_helper.py pylint:ansible-bad-import-from
+tests/unit/modules/conftest.py pylint:ansible-bad-import-from

tests/utils/shippable/lint.sh

@@ -9,6 +9,5 @@ command -v ansible
 pip install --upgrade --user pip
 pip install --upgrade --user ansible-lint
 
-PATH="${PATH/\~/${HOME}}" ansible-lint \
-                                    --exclude changelogs/ \
-                                    --profile=production
+# To specify additional options, you can specify them into .ansible-lint file.
+PATH="${PATH/\~/${HOME}}" ansible-lint