ansible-collections / ansible.posix

Ansible Collection for Posix

authorized_key: removal of some empty / comment lines + reordering of content #383

Open skwde opened 2 years ago

skwde commented 2 years ago
SUMMARY

Some empty lines / comments are removed + the order of lines is changed (when a change is done)

ISSUE TYPE
COMPONENT NAME
- name: Ensure user ssh key
  ansible.posix.authorized_key:
    user: user
    state: present
    key: "{{ lookup('file', '$HOME/.ssh/id_rsa.pub') }}"
ANSIBLE VERSION
ansible [core 2.13.2]
  config file = $HOME/ansible-test/ansible.cfg
  configured module search path = ['$HOME/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/miniconda3/envs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = $HOME//.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/miniconda3/envs/ansible/bin/ansible
  python version = 3.10.5 | packaged by conda-forge | (main, Jun 14 2022, 07:04:59) [GCC 10.3.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /opt/miniconda3/envs/ansible/lib/python3.10/site-packages/ansible_collections
Collection    Version
------------- -------
ansible.posix 1.4.0
CONFIGURATION
ANSIBLE_NOCOWS($HOME/ansible-test/ansible.cfg) = True
DEFAULT_MANAGED_STR($HOME/ansible-test/ansible.cfg) = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
DEFAULT_ROLES_PATH($HOME/ansible-test/ansible.cfg) = ['$HOME/.ansible/roles', '/usr/share/ansible/roles', '/etc/ansible/roles', '$HOME/ansible-test/roles']
OS / ENVIRONMENT
$ uname -a
Linux <host> 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
STEPS TO REPRODUCE

Ensure you have a ~/.ssh/authorized_keys with several lines, new lines and (multiline) comments which will be changed by the playbook below. Running the playbook below will reorder the entries and remove random comment lines / empty lines.

- name: Ensure ssh keys
  hosts: localhost

  tasks:

  - name: Ensure user ssh keys
    block:
      - name: Ensure user ssh key
        ansible.posix.authorized_key:
          user: user
          state: present
          key: "{{ lookup('file', '/home/user/.ssh/id_rsa.pub') }}"
EXPECTED RESULTS

Only the line corresponding to the actual sshkey is touched.

ACTUAL RESULTS

Running

$ ansible-playbook sshkeys-test.yml --ask-become-pass --check --diff
TASK [Ensure user ssh key] ******************************************************************************************
--- before: $HOME/.ssh/authorized_keys
+++ after: $HOME/.ssh/authorized_keys
@@ -1,9 +1,6 @@
-
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBEIMmFafk0Bx64IajE57//rM3YBsjp3vf8t9k/cywp9lQwfffkNaOQV9wDtt9Q5O/runC3vSJCOajDxror0H7Y= comment
-
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWlMYUA3q3C4mSq30hyzyQPXxNL9VShDcVu+skw6U0PxrvuJr6ZxPjpGarLHXi9zgLS49XvDeDee4GfJ3r7Zzd7AWPBcjyjd9AHLFdjm6DTyzeIKCQnQQrOlH989rzxdJqZ9FvUptL2g7kXQz1rwtfSIV+ac/88SvH217g3Cu6Rdp9u5lRR5YO2cFxNWyKWq7yQn2ZQ/N/u75t3nVVN/AIJEcEQ4YCFPucgGINshQ8g7H4DKt5ljwWE7mt+B+2YW57mprBvneWb6kXujHx89W+tPYG7sb2T/Akr0iXoBisL4885NzPiQ0aphp++3KIGHyBGxKnX2P0jj/mGgoK+kct comment

-#
 #
 # abc
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBdx818uBefhd/QWIpWJo7S2NqC1cjgx/TblLkY52MUFhqUObGoDiezmBWpB1f3DM3RsxfWzJXXyWnxUMGP7AlE= comment
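Review bot: the three `-` lines in this hunk (two blank lines and one `#`) are unrelated to the key named in the task, yet `@@ -1,9 +1,6 @@` shows the file shrinking by three lines. The removed `#` sits directly above an identical `#` that survives, so the rewrite appears to collapse repeated lines and drop blanks rather than edit one entry. Suggest the module write back every line that is not the target key unchanged, so a `--diff` for a comment change shows only that key's line.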
@@ -11,5 +8,5 @@
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBASG+5ooEHKz3/MUEi9vUghQNZZd2Q6/KJL2Rfo4TMtYEpzW5pyFoUNHoiFdyiSTG01CrRWT2Na3wHITrnkjFXg= comment
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNxMRAqt87WOYaHeyAXFho4TQmiY3UxSR88765pUArjhaLrys6+0yoL9GLEApbBVxhid8yKjXMirJDo5Nh2xN5s= comment
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGh24RhGkW72lSmgYour44VFYowN2wabo/uPcFHzlBGGOVtFhDYD4n8bSXew37/dsFBYtT5tBX7+xse7KjY88XM= comment
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILlhgY5095w6J38fl9B6Yr67cHWDru6z0lsoqdyYWUdm new comment
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOfHSLw7jt+SPmvMZsokrnjprYo+1XciR//7wqp09SAG2yX9ZpTsVgYagUWCQXmJCuF5UrzDxNMCKgGizV93T0o= comment
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILlhgY5095w6J38fl9B6Yr67cHWDru6z0lsoqdyYWUdm old comment
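Review bot: the `+ssh-ed25519` line ending in `new comment` is inserted one entry above the position where the `-ssh-ed25519` line ending in `old comment` is removed, so an entry with the same key material changes position when only its comment differs. Suggest replacing the matching entry at its existing line; in a file where comments and grouping document who owns which key, that keeps a review of an `authorized_keys` change limited to the one line that changed.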
changed: [localhost]
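An added example, not part of the report and not the module's code: one way to get the expected result above, where only the line holding the target key is touched and blank lines, comments, duplicates and order are preserved. The names `key_identity`, `upsert_key` and `SAMPLE` are hypothetical, and the key blobs are constructed placeholders.

```python
import re

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = (
    "\n"
    "ssh-rsa AAAAB3CONSTRUCTEDKEYONE alice\n"
    "\n"
    "#\n"
    "#\n"
    "# abc\n"
    "ssh-ed25519 AAAAC3CONSTRUCTEDKEYTWO old comment\n"
    'from="10.0.0.0/8" ssh-rsa AAAAB3CONSTRUCTEDKEYTHREE bob\'s laptop\n'
)
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")
# A token is a run of non-space characters; double-quoted option values may hold spaces.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')


def key_identity(line):
    """Return (key type, base64 blob) for a key line, else None (blank, comment, other)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = TOKEN.findall(stripped)
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return tok, tokens[i + 1]
    return None


def upsert_key(text, new_line):
    """Insert or update one key; all other lines come back byte-for-byte unchanged."""
    wanted = key_identity(new_line)
    if wanted is None:
        raise ValueError("new_line is not a public key entry")
    new_line = new_line.rstrip("\r\n")
    lines = text.splitlines(keepends=True)
    for idx, line in enumerate(lines):
        if key_identity(line) == wanted:
            ending = line[len(line.rstrip("\r\n")):] or "\n"
            lines[idx] = new_line + ending  # replace in place, keep position
            return "".join(lines), lines[idx] != line
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"  # terminate a final line that lacks a newline
    lines.append(new_line + "\n")  # unknown key: append, reorder nothing
    return "".join(lines), True
```

Matching on key type plus blob rather than on the whole line is what lets a comment change update the existing entry instead of adding a second one.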
Amixp commented 1 year ago

+

valerio-bozzolan commented 1 year ago

Thank you for this bug report. I just want to note that here is the related source code, if you want to hack on this:

https://github.com/ansible-collections/ansible.posix/blob/main/plugins/modules/authorized_key.py

skwde commented 1 year ago

Ok, I had another look at this. It turns out that

valerio-bozzolan commented 1 year ago

Ok, I had another look at this. It turns out that

* duplicate lines (comments / regular public key entries) are removed

* (some) empty lines are removed

* the order of the handled ssh key is changed, e.g. when changing the comment

Yes, there is definitely room for improvement in that Python script. Probably with a bold partial rewrite, without staying too long to understand the original logic that clearly has too many unwanted situations.

https://github.com/ansible-collections/ansible.posix/blob/main/plugins/modules/authorized_key.py

The goals are: