Merge 7ac665a0aa into 0821768bcb

authorized_key: Allow local path to a key

SUMMARY

Add option to specify an absolute path to file with SSH key(s) for authorized_key

ISSUE TYPE

Feature Pull Request

COMPONENT NAME

authorized_key

ADDITIONAL INFORMATION


Before this change you would need to get key using ansible.builtin.slurp or something like ansible.builtin.command: cat <file> with register
I tried to keep it as simple as possible

# Now this is possible
- name: Set authorized keys taken from path
  ansible.posix.authorized_key:
    user: charlie
    state: present
    key: /home/charlie/.ssh/id_rsa.pub

Reviewed-by: Hideki Saito <saito@fgrep.org>
Reviewed-by: alexander

.azure-pipelines/azure-pipelines.yml

@@ -57,6 +57,21 @@ stages:
               test: units
             - name: Lint
               test: lint
+  - stage: Sanity_2_18
+    displayName: Ansible 2.18 sanity
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: "{0}"
+          testFormat: 2.18/{0}
+          targets:
+            - name: Sanity
+              test: sanity
+            - name: Units
+              test: units
+            - name: Lint
+              test: lint
   - stage: Sanity_2_17
     displayName: Ansible 2.17 sanity
     dependsOn: []
@@ -113,6 +128,20 @@ stages:
               test: ubuntu2204
             - name: Ubuntu 24.04
               test: ubuntu2404
+  - stage: Docker_2_18
+    displayName: Docker devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.18/linux/{0}/1
+          targets:
+            - name: Fedora 40
+              test: fedora40
+            - name: Ubuntu 22.04
+              test: ubuntu2204
+            - name: Ubuntu 24.04
+              test: ubuntu2404
   - stage: Docker_2_17
     displayName: Docker 2.17
     dependsOn: []
@@ -176,6 +205,18 @@ stages:
               test: rhel/9.4
             - name: FreeBSD 13.3
               test: freebsd/13.3
+  - stage: Remote_2_18
+    displayName: Remote devel
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.18/{0}/1
+          targets:
+            - name: RHEL 9.4
+              test: rhel/9.4
+            - name: FreeBSD 13.3
+              test: freebsd/13.3
   - stage: Remote_2_17
     displayName: Remote 2.17
     dependsOn: []
@@ -234,8 +275,11 @@ stages:
       - Sanity_2_17
       - Remote_2_17
       - Docker_2_17
+      - Sanity_2_18
+      - Remote_2_18
+      - Docker_2_18
       - Sanity_devel
-      - Remote_devel
+      # - Remote_devel # Wait for test environment release
-      - Docker_devel
+      # - Docker_devel # Wait for test environment release
     jobs:
       - template: templates/coverage.yml

README.md

@@ -74,11 +74,14 @@ None
 
 <!-- List the versions of Ansible the collection has been tested with. Must match what is in galaxy.yml. -->
 
-- ansible-core 2.18 (devel)
+- ansible-core 2.19 (devel)
+- ansible-core 2.18 (stable) *
 - ansible-core 2.17 (stable)
 - ansible-core 2.16 (stable)
 - ansible-core 2.15 (stable)
 
+*Note: For ansible-core 2.18, CI only covers sanity tests and no integration tests will be run until the test environment is released.*
+
 ## Roadmap
 
 <!-- Optional. Include the roadmap for this collection, and the proposed release/versioning strategy so users can anticipate the upgrade/update cycle. -->

changelogs/fragments/568_update_authorized_key.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - authorized_keys - allow using absolute path to a file as a SSH key(s) source (https://github.com/ansible-collections/ansible.posix/pull/568)

changelogs/fragments/570_nfs4_acl.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - acl - Fixed to set ACLs on paths mounted with NFS version 4 correctly (https://github.com/ansible-collections/ansible.posix/issues/240).

changelogs/fragments/571_ci_bump_core_version.yml

@@ -0,0 +1,3 @@
+---
+trivial:
+  - Bump ansible-core version to 2.19 of devel branch and add 2.18 to CI.

plugins/modules/acl.py

@@ -75,6 +75,10 @@ options:
   use_nfsv4_acls:
     description:
     - Use NFSv4 ACLs instead of POSIX ACLs.
+    - This feature uses C(nfs4_setfacl) and C(nfs4_getfacl). The behavior depends on those implementation.
+      And currently it only supports C(A) in ACE, so C(D) must be replaced with the appropriate C(A).
+    - Permission is set as optimised ACLs by the system. You can check the actual ACLs that has been set using the return value.
+    - More info C(man nfs4_setfacl)
     type: bool
     default: false
   recalculate_mask:
@@ -179,7 +183,7 @@ def split_entry(entry):
 def build_entry(etype, entity, permissions=None, use_nfsv4_acls=False):
     '''Builds and returns an entry string. Does not include the permissions bit if they are not provided.'''
     if use_nfsv4_acls:
-        return ':'.join([etype, entity, permissions, 'allow'])
+        return ':'.join(['A', 'g' if etype == 'group' else '', entity, permissions + 'tcy'])
 
     if permissions:
         return etype + ':' + entity + ':' + permissions
@@ -187,22 +191,27 @@ def build_entry(etype, entity, permissions=None, use_nfsv4_acls=False):
     return etype + ':' + entity
 
 
-def build_command(module, mode, path, follow, default, recursive, recalculate_mask, entry=''):
+def build_command(module, mode, path, follow, default, recursive, recalculate_mask, use_nfsv4_acls, entry=''):
     '''Builds and returns a getfacl/setfacl command.'''
     if mode == 'set':
-        cmd = [module.get_bin_path('setfacl', True)]
+        cmd = [module.get_bin_path('nfs4_setfacl' if use_nfsv4_acls else 'setfacl', True)]
-        cmd.extend(['-m', entry])
+        cmd.extend(['-a' if use_nfsv4_acls else '-m', entry])
     elif mode == 'rm':
-        cmd = [module.get_bin_path('setfacl', True)]
+        cmd = [module.get_bin_path('nfs4_setfacl' if use_nfsv4_acls else 'setfacl', True)]
         cmd.extend(['-x', entry])
     else:  # mode == 'get'
         cmd = [module.get_bin_path('getfacl', True)]
         # prevents absolute path warnings and removes headers
         if platform.system().lower() == 'linux':
+            if use_nfsv4_acls:
+                # use nfs4_getfacl instead of getfacl if use_nfsv4_acls is True
+                cmd = [module.get_bin_path('nfs4_getfacl', True)]
+            else:
+                cmd = [module.get_bin_path('getfacl', True)]
+                cmd.append('--absolute-names')
             cmd.append('--omit-header')
-            cmd.append('--absolute-names')
 
-    if recursive:
+    if recursive and not use_nfsv4_acls:
         cmd.append('--recursive')
 
     if recalculate_mask == 'mask' and mode in ['set', 'rm']:
@@ -210,7 +219,7 @@ def build_command(module, mode, path, follow, default, recursive, recalculate_ma
     elif recalculate_mask == 'no_mask' and mode in ['set', 'rm']:
         cmd.append('--no-mask')
 
-    if not follow:
+    if not follow and not use_nfsv4_acls:
         if platform.system().lower() == 'linux':
             cmd.append('--physical')
         elif platform.system().lower() == 'freebsd':
@@ -223,24 +232,34 @@ def build_command(module, mode, path, follow, default, recursive, recalculate_ma
     return cmd
 
 
-def acl_changed(module, cmd):
+def acl_changed(module, cmd, entry, use_nfsv4_acls=False):
     '''Returns true if the provided command affects the existing ACLs, false otherwise.'''
-    # FreeBSD do not have a --test flag, so by default, it is safer to always say "true"
+    # To check the ACL changes, use the output of setfacl or nfs4_setfacl with '--test'.
+    # FreeBSD do not have a --test flag, so by default, it is safer to always say "true".
     if platform.system().lower() == 'freebsd':
         return True
 
     cmd = cmd[:]  # lists are mutables so cmd would be overwritten without this
     cmd.insert(1, '--test')
     lines = run_acl(module, cmd)
-
+    counter = 0
     for line in lines:
-        if not line.endswith('*,*'):
+        if line.endswith('*,*') and not use_nfsv4_acls:
-            return True
+            return False
-    return False
+        # if use_nfsv4_acls and entry is listed
+        if use_nfsv4_acls and entry == line:
+            counter += 1
+
+    # The current 'nfs4_setfacl --test' lists a new entry,
+    #  which will be added at the top of list, followed by the existing entries.
+    # So if the entry has already been registered, the entry should be find twice.
+    if counter == 2:
+        return False
+    return True
 
 
 def run_acl(module, cmd, check_rc=True):
-
+    '''Runs the provided command and returns the output as a list of lines.'''
     try:
         (rc, out, err) = module.run_command(cmd, check_rc=check_rc)
     except Exception as e:
@@ -313,7 +332,7 @@ def main():
             module.fail_json(msg="'recalculate_mask' MUST NOT be set to 'mask' or 'no_mask' when 'state=query'.")
 
     if not entry:
-        if state == 'absent' and permissions:
+        if state == 'absent' and permissions and not use_nfsv4_acls:
             module.fail_json(msg="'permissions' MUST NOT be set when 'state=absent'.")
 
         if state == 'absent' and not entity:
@@ -350,21 +369,24 @@ def main():
         entry = build_entry(etype, entity, permissions, use_nfsv4_acls)
         command = build_command(
             module, 'set', path, follow,
-            default, recursive, recalculate_mask, entry
+            default, recursive, recalculate_mask, use_nfsv4_acls, entry
         )
-        changed = acl_changed(module, command)
+        changed = acl_changed(module, command, entry, use_nfsv4_acls)
 
         if changed and not module.check_mode:
             run_acl(module, command)
         msg = "%s is present" % entry
 
     elif state == 'absent':
-        entry = build_entry(etype, entity, use_nfsv4_acls)
+        if use_nfsv4_acls:
+            entry = build_entry(etype, entity, permissions, use_nfsv4_acls)
+        else:
+            entry = build_entry(etype, entity, use_nfsv4_acls)
         command = build_command(
             module, 'rm', path, follow,
-            default, recursive, recalculate_mask, entry
+            default, recursive, recalculate_mask, use_nfsv4_acls, entry
         )
-        changed = acl_changed(module, command)
+        changed = acl_changed(module, command, entry, use_nfsv4_acls)
 
         if changed and not module.check_mode:
             run_acl(module, command, False)
@@ -375,7 +397,10 @@ def main():
 
     acl = run_acl(
         module,
-        build_command(module, 'get', path, follow, default, recursive, recalculate_mask)
+        build_command(
+            module, 'get', path, follow, default, recursive,
+            recalculate_mask, use_nfsv4_acls
+        )
     )
 
     module.exit_json(changed=changed, msg=msg, acl=acl)

plugins/modules/authorized_key.py

@@ -24,6 +24,7 @@ options:
   key:
     description:
       - The SSH public key(s), as a string or (since Ansible 1.9) url (https://github.com/username.keys).
+      - You can also use V(file://) prefix to search remote for a file with SSH key(s).
     type: str
     required: true
   path:
@@ -96,6 +97,12 @@ EXAMPLES = r'''
     state: present
     key: https://github.com/charlie.keys
 
+- name: Set authorized keys taken from path on controller node
+  ansible.posix.authorized_key:
+    user: charlie
+    state: present
+    key: file:///home/charlie/.ssh/id_rsa.pub
+
 - name: Set authorized keys taken from url using lookup
   ansible.posix.authorized_key:
     user: charlie
@@ -223,6 +230,7 @@ from operator import itemgetter
 from ansible.module_utils._text import to_native
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.urls import fetch_url
+from ansible.module_utils.six.moves.urllib.parse import urlparse
 
 
 class keydict(dict):
@@ -556,7 +564,7 @@ def enforce_state(module, params):
     follow = params.get('follow', False)
     error_msg = "Error getting key from: %s"
 
-    # if the key is a url, request it and use it as key source
+    # if the key is a url or file, request it and use it as key source
     if key.startswith("http"):
         try:
             resp, info = fetch_url(module, key)
@@ -570,6 +578,19 @@ def enforce_state(module, params):
         # resp.read gives bytes on python3, convert to native string type
         key = to_native(key, errors='surrogate_or_strict')
 
+    if key.startswith("file"):
+        # if the key is an absolute path, check for existense and use it as a key source
+        key_path = urlparse(key).path
+        if not os.path.exists(key_path):
+            module.fail_json(msg="Path to a key file not found: %s" % key_path)
+        if not os.path.isfile(key_path):
+            module.fail_json(msg="Path to a key is a directory and must be a file: %s" % key_path)
+        try:
+            with open(key_path, 'r') as source_fh:
+                key = source_fh.read()
+        except OSError as e:
+            module.fail_json(msg="Failed to read key file %s : %s" % (key_path, to_native(e)))
+
     # extract individual keys into an array, skipping blank lines and comments
     new_keys = [s for s in key.splitlines() if s and not s.startswith('#')]
 

tests/integration/targets/authorized_key/defaults/main.yml

@@ -35,3 +35,5 @@ multiple_keys_comments: |
   ssh-rsa DATA_BASIC 1@testing
   # I like adding comments yo-dude-this-is-not-a-key INVALID_DATA 2@testing
   ecdsa-sha2-nistp521 ECDSA_DATA 4@testing
+
+key_path: /tmp/id_rsa.pub

tests/integration/targets/authorized_key/tasks/check_path.yml

@@ -0,0 +1,32 @@
+---
+- name: Create key file for test
+  ansible.builtin.copy:
+    dest: "{{ key_path }}"
+    content: "{{ rsa_key_basic }}"
+    mode: "0600"
+
+- name: Add key using path
+  ansible.posix.authorized_key:
+    user: root
+    key: file://{{ key_path }}
+    state: present
+    path: "{{ output_dir | expanduser }}/authorized_keys"
+  register: result
+
+- name: Assert that the key was added
+  ansible.builtin.assert:
+    that:
+      - result.changed == true
+
+- name: Add key using path again
+  ansible.posix.authorized_key:
+    user: root
+    key: file://{{ key_path }}
+    state: present
+    path: "{{ output_dir | expanduser }}/authorized_keys"
+  register: result
+
+- name: Assert that no changes were applied
+  ansible.builtin.assert:
+    that:
+      - result.changed == false

tests/integration/targets/authorized_key/tasks/main.yml

@@ -31,3 +31,6 @@
 
 - name: Test for the management of comments with key
   ansible.builtin.import_tasks: comments.yml
+
+- name: Test for specifying key as a path
+  ansible.builtin.import_tasks: check_path.yml

tests/sanity/ignore-2.19.txt

@@ -0,0 +1 @@
+tests/utils/shippable/timing.py shebang