-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always generate a new key pair if the private key doesn't exist #598
Always generate a new key pair if the private key doesn't exist #598
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR! The code change looks good to me. Could you please add a changelog fragment? Thanks.
10fbdd3
to
4577c21
Compare
Done! Thanks for the pointer @felixfontein. I actually added two fragments for the two different commits, but I'm not sure if that's overkill; I can certainly remove one or combine them if you want. Sorry I missed your comment until now. |
…ble-collections#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit.
This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (ansible-collections#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit.
87c304c
to
d88c323
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@diazona thanks a lot for fixing this! |
Backport to stable-1: 💚 backport PR created✅ Backport PR branch: Backported as #599 🤖 @patchback |
* Always generate a new key pair if the private key doesn't exist (#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit. * Test different regenerate values with nonexistent keys This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit. (cherry picked from commit ce3299f)
#599) * Always generate a new key pair if the private key doesn't exist (#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit. * Test different regenerate values with nonexistent keys This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit. (cherry picked from commit ce3299f) Co-authored-by: David Zaslavsky <[email protected]>
And thank you for making the contribution process so smooth! 😄 |
SUMMARY
This PR updates
KeypairBackend._should_generate()
to first check if the original private key named by thepath
argument exists, and returnTrue
if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. It also modifies the existing tests to check for this bug.Fixes #597
ISSUE TYPE
COMPONENT NAME
openssh_keypair
ADDITIONAL INFORMATION
Before this fix, using the sample playbook from #597:
After the fix:
As an alternative to the approach implemented here, I also considered only modifying the condition in the
fail
branch of the if statement - this was @felixfontein's suggestion in a comment, and it was also my first thought about how to fix this - but I thought doing it the way I did would make it easier to check that the code is doing the right thing just by looking at it. That can certainly be changed if necessary.I also considered doing something to make the logic more similar to
PrivateKeyBackend.needs_regeneration()
(the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit.