PowerDNS / dnsdist-ansible

An ansible role for dnsdist
MIT License

Task extracting console encryption key from configuration confused by Lua comment #122

Open joel-ling opened 8 months ago

joel-ling commented 8 months ago

This issue pertains to the following task:

https://github.com/PowerDNS/dnsdist-ansible/blob/ca381db91c2b0fbd3084e2b14497a23da3dba1ee/tasks/main.yml#L20-L32

Using fgrep and sed, it aims to extract and register the argument of setKey() as dnsdist_grepkey_cmd.stdout.

Problem

Since the playbook installs DNSdist in the preceding task, the default config file distributed with DNSdist (link) is read as input, resulting in the following phenomenon.

fgrep setKey in Line 29 matches the following comment in Line 15 of the default config file:

-- setKey("please generate a fresh private key with makeKey()")

Running the command in Line 29 against the default config file gives the following output:

$ set -o pipefail && fgrep setKey dnsdistconf.lua | sed 's/setKey("\(.*\)")/\1/'
-- please generate a fresh private key with makeKey()

(The leading double hyphen -- happens to be preserved because it is not captured by the sed expression.)

The above output ends up as the value of fact dnsdist_setkey:

https://github.com/PowerDNS/dnsdist-ansible/blob/ca381db91c2b0fbd3084e2b14497a23da3dba1ee/tasks/main.yml#L47-L50

This becomes the encryption key when dnsdist.conf.j2 is expanded by another task to generate the new config file:

https://github.com/PowerDNS/dnsdist-ansible/blob/ca381db91c2b0fbd3084e2b14497a23da3dba1ee/templates/dnsdist.conf.j2#L21-L26

Workaround

Truncate the automatically-generated DNSdist config file and re-run the playbook. This causes the command in Line 29 to fail with exit code 1, hence triggering the subsequent task that generates an encryption key from scratch:

https://github.com/PowerDNS/dnsdist-ansible/blob/ca381db91c2b0fbd3084e2b14497a23da3dba1ee/tasks/main.yml#L34-L41

Possible Solution

Consider replacing fgrep setKey with grep ^setKey (or possibly grep '^\s*setKey' if indentation is to be expected), to avoid matching lines where the setKey() invocation is prefixed.

The regular expression in the sed script should also be prefixed and suffixed with .* to remove leading and trailing characters around the function:

s/.*setKey("\(.*\)").*/\1/
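
The behaviour reported above can be reproduced offline with the following added example, which is not part of the original issue or of the role's code. The config contents and key value are constructed, the function names are hypothetical, `[[:space:]]` stands in for `\s`, and `[^"]*` tightens the proposed `\(.*\)` capture so that a trailing comment cannot end up in the key.

```shell
#!/bin/sh
# Constructed sample configs; only the commented setKey line is quoted from the issue.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/default.lua" <<'EOF'
-- controlSocket("127.0.0.1:5199")
-- setKey("please generate a fresh private key with makeKey()")
EOF

cat > "$tmp/configured.lua" <<'EOF'
-- setKey("please generate a fresh private key with makeKey()")
  setKey("Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==") -- constructed sample value
EOF

# Pipeline as described in the issue (grep -F is the equivalent of fgrep).
# Matches any line containing "setKey", including Lua comments.
extract_key_old() {
    grep -F setKey "$1" | sed 's/setKey("\(.*\)")/\1/'
}

# Anchored variant: only lines that start with an optionally indented
# setKey() call are considered. Returns 1 when there is no such line, which
# is the condition under which the role generates a key from scratch.
extract_key_new() {
    line=$(grep '^[[:space:]]*setKey' "$1") || return 1
    printf '%s\n' "$line" | sed 's/.*setKey("\([^"]*\)").*/\1/'
}

# Show both extractors side by side on each constructed file.
for f in default configured; do
    old=$(extract_key_old "$tmp/$f.lua")
    if key=$(extract_key_new "$tmp/$f.lua"); then
        printf '%s: anchored=[%s]\n' "$f" "$key"
    else
        printf '%s: anchored found no active setKey(), generate a key\n' "$f"
    fi
    printf '%s: unanchored=[%s]\n' "$f" "$old"
done
```

If a config contains more than one uncommented `setKey()` line, the anchored extractor prints one value per line, so a caller that needs a single key should reject that case.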

joel-ling commented 8 months ago

Tangentially related to #119 as it pertains to the same line in the playbook, despite no overlap in cause or effect.