ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

github_deploy_key exits with 'ok' even though requests returns 422 and no deploy key gets added #6718

Open OlJohnny opened 1 year ago

OlJohnny commented 1 year ago

Summary

Use case: Trying to create a new deploy key for a GitHub repo using the task below.

When the provided SSH key is anything but a valid SSH key, the GitHub REST API returns the following:

HTTP/1.1 422 Unprocessable Entity
---
REDACTED
---
{
  "message": "Validation Failed",
  "errors": [
    {
      "resource": "PublicKey",
      "code": "custom",
      "field": "key",
      "message": "key is already in use"
    }
  ],
  "documentation_url": "https://docs.github.com/rest/deploy-keys#create-a-deploy-key"
}

In my opinion the task should fail in this case, as it wasn't able to successfully create a deploy key on GitHub. However, the task returns ok: [hostname]

I tested this with a reverse-proxy as a Man-In-The-Middle to obtain the request and response data.

Issue Type

Bug Report

Component Name

github_deploy_key

Ansible Version

$ ansible --version
ansible [core 2.15.0]
  config file = None
  configured module search path = ['/home/johnny/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/johnny/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/johnny/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/johnny/.local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
# /home/johnny/.local/lib/python3.9/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 7.0.1

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None

OS / Environment

Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye
Kernel:         5.10.0-22-amd64

Steps to Reproduce

Use this task inside a role or playbook with a valid Personal Access Token (with admin permissions for repos) as token, your GitHub username as owner and an existing repository owned by you as repo. Important to reproduce the error: as key, use anything other than a valid SSH public key.

   - name: Add ssh key as deploy key to github
     community.general.github_deploy_key:
       owner: OlJohnny
       repo: repo
       name: hostname
       key: asd
       read_only: true
       token: TOKEN

Expected Results

If the key is anything but a valid SSH key, the GitHub API returns 422 AND nothing gets added as a GitHub deploy key.

This component/task should exit with an error, as it wasn't able to add a GitHub deploy key.

Actual Results

No error gets returned.

TASK [../roles/debian_servers : Add ssh key as deploy key to github] *******************************************************
ok: [hostname]


ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @bincyber @stpierre

OlJohnny commented 1 year ago

This issue apparently occurs as it is assumed that Code 422 means that the key already exists.

felixfontein commented 1 year ago

Potentially the meaning of 422 changed / got extended.

OlJohnny commented 1 year ago

> Potentially the meaning of 422 changed / got extended.

It very well could be the case that the API response has been changed.

At the moment 422 means that the validation failed; funnily enough, there is no mention of 'deploy key already exists', which probably was the meaning when this module was written.
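The distinction discussed in this thread, as an added Python example that is not the module's own code: a 422 from the create-deploy-key call is reported as "already in use" only when the errors list says so, and every other validation failure raises instead of passing as ok. The function, exception and constant names are hypothetical, and the "key is invalid" body is a constructed sample.

```python
import json

# Message copied from the 422 body quoted in the report. Matching on it is an
# assumption of this example, not documented GitHub behaviour.
DUPLICATE_MESSAGE = "key is already in use"


class DeployKeyError(Exception):
    """GitHub rejected the request for a reason other than a duplicate key."""


def sample_body(message):
    # Constructed 422 body in the shape quoted in the report.
    return json.dumps({"message": "Validation Failed", "errors": [
        {"resource": "PublicKey", "code": "custom", "field": "key", "message": message}]})


DUPLICATE_BODY = sample_body(DUPLICATE_MESSAGE)  # message taken from the report
INVALID_BODY = sample_body("key is invalid")     # constructed message


def classify_create_response(status, body):
    """Return 'created' or 'already_in_use'; raise DeployKeyError otherwise."""
    if status == 201:
        return "created"
    if status != 422:
        raise DeployKeyError("unexpected HTTP status %d" % status)
    try:
        errors = json.loads(body)["errors"]
    except (ValueError, KeyError, TypeError):
        raise DeployKeyError("422 without a parseable errors list") from None
    if not isinstance(errors, list):
        raise DeployKeyError("422 with a malformed errors field")
    messages = [e.get("message", "") for e in errors if isinstance(e, dict)]
    # A 422 only counts as a duplicate when every reported error says so.
    if messages and all(m == DUPLICATE_MESSAGE for m in messages):
        return "already_in_use"
    raise DeployKeyError("validation failed: " + "; ".join(messages or ["no detail"]))


if __name__ == "__main__":
    for label, body in (("duplicate", DUPLICATE_BODY), ("invalid", INVALID_BODY)):
        try:
            print(label, "->", classify_create_response(422, body))
        except DeployKeyError as exc:
            print(label, "-> FAILED:", exc)
```
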