Always generate a new key pair if the private key doesn't exist #598
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Thanks for the PR! The code change looks good to me. Could you please add a changelog fragment? Thanks.
diazona
force-pushed
the
597-openssh-keypair-fail/1/dev
branch
from
10fbdd3
to
4577c21
Compare
|
Done! Thanks for the pointer @felixfontein. I actually added two fragments for the two different commits, but I'm not sure if that's overkill; I can certainly remove one or combine them if you want. Sorry I missed your comment until now. |
felixfontein
reviewed
May 1, 2023
…ble-collections#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit.
This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (ansible-collections#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit.
diazona
force-pushed
the
597-openssh-keypair-fail/1/dev
branch
from
87c304c
to
d88c323
Compare
felixfontein
approved these changes
May 1, 2023
|
@diazona thanks a lot for fixing this! |
Backport to stable-1: 💚 backport PR created✅ Backport PR branch: Backported as #599 🤖 @patchback |
patchback bot
pushed a commit
that referenced
this pull request
May 1, 2023
* Always generate a new key pair if the private key doesn't exist (#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit. * Test different regenerate values with nonexistent keys This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit. (cherry picked from commit ce3299f)
felixfontein
pushed a commit
that referenced
this pull request
May 1, 2023
#599) * Always generate a new key pair if the private key doesn't exist (#597) This commit updates `KeypairBackend._should_generate()` to first check if the original private key named by the `path` argument exists, and return True if it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. As an alternative to the approach implemented here, I also considered only modifying the condition in the `fail` branch of the if statement, but I thought that would not map as cleanly to the behavior specified in the documentation, so doing it the way I did should make it easier to check that the code is doing the right thing just by looking at it. I also considered doing something to make the logic more similar to `PrivateKeyBackend.needs_regeneration()` (the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit. * Test different regenerate values with nonexistent keys This commit changes the test task that generates new keys to use each of the different values for the `regenerate` argument, which will ensure that the module is capable of generating a key when no previous key exists regardless of the value of `regenerate`. Previously, the task would always run with the `partial_idempotence` value, and that obscured a bug (#597) that would occur when it was set to `fail`. The bug was fixed in the previous commit. (cherry picked from commit ce3299f) Co-authored-by: David Zaslavsky <[email protected]>
|
And thank you for making the contribution process so smooth! 😄 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
This PR updates
KeypairBackend._should_generate()to first check if the original private key named by thepathargument exists, and returnTrueif it does not. This brings the code in line with the documentation, which says that a new key will always be generated if the key file doesn't already exist. It also modifies the existing tests to check for this bug.Fixes #597
ISSUE TYPE
COMPONENT NAME
openssh_keypair
ADDITIONAL INFORMATION
Before this fix, using the sample playbook from #597:
After the fix:
As an alternative to the approach implemented here, I also considered only modifying the condition in the
failbranch of the if statement - this was @felixfontein's suggestion in a comment, and it was also my first thought about how to fix this - but I thought doing it the way I did would make it easier to check that the code is doing the right thing just by looking at it. That can certainly be changed if necessary.I also considered doing something to make the logic more similar to
PrivateKeyBackend.needs_regeneration()(the openssl version of this functionality), because the two are supposed to be acting the same way, but I thought that'd be going beyond the scope of just fixing this bug. If it'd be useful to make both methods work the same way, someone can refactor the code in a future commit.