From 13aff08748167b761c1a61fbd517032e7ac1511c Mon Sep 17 00:00:00 2001
From: Sam Doran
Date: Thu, 17 May 2018 13:53:40 -0400
Subject: [PATCH] Add better error messages and checking to known_hosts (#38307)

---
 lib/ansible/modules/system/known_hosts.py | 7 +++-
 .../targets/known_hosts/tasks/main.yml | 34 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/modules/system/known_hosts.py b/lib/ansible/modules/system/known_hosts.py
index 5721ad32064..38688d59c11 100644
--- a/lib/ansible/modules/system/known_hosts.py
+++ b/lib/ansible/modules/system/known_hosts.py
@@ -174,6 +174,11 @@ def sanity_check(module, host, key, sshkeygen):
     # The approach is to write the key to a temporary file,
     # and then attempt to look up the specified host in that file.
+
+    if re.search(r'\S+(\s+)?,(\s+)?', host):
+        module.fail_json(msg="Comma separated list of names is not supported. "
+                             "Please pass a single name to lookup in the known_hosts file.")
+
     try:
         outf = tempfile.NamedTemporaryFile(mode='w+')
         outf.write(key)
@@ -183,7 +188,7 @@ def sanity_check(module, host, key, sshkeygen):
                                   (outf.name, to_native(e)))
 
     sshkeygen_command = [sshkeygen, '-F', host, '-f', outf.name]
-    rc, stdout, stderr = module.run_command(sshkeygen_command, check_rc=True)
+    rc, stdout, stderr = module.run_command(sshkeygen_command)
     try:
         outf.close()
     except:
diff --git a/test/integration/targets/known_hosts/tasks/main.yml b/test/integration/targets/known_hosts/tasks/main.yml
index 607f534b9bd..cac0f5580bc 100644
--- a/test/integration/targets/known_hosts/tasks/main.yml
+++ b/test/integration/targets/known_hosts/tasks/main.yml
@@ -17,7 +17,9 @@
 # along with Ansible. If not, see .
 
 - name: copy an existing file in place
-  copy: src=existing_known_hosts dest="{{output_dir|expanduser}}/known_hosts"
+  copy:
+    src: existing_known_hosts
+    dest: "{{ output_dir | expanduser }}/known_hosts"
 
 # test addition
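Review bot: The new guard in sanity_check only rejects a comma that is preceded by a non-space character, so `(\s+)?` is just `\s*` and a value such as `,example.org` slips past to ssh-keygen untouched; since no single host name handled here may legitimately contain a comma, a substring test is both simpler and stricter: `if ',' in host:`. The `re` name is used on the added line but its import is outside this hunk, so it is worth confirming the module already imports it at top level. The body of sanity_check continues past the end of the hunk.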
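Review bot: Removing `check_rc=True` from the `module.run_command` call means the returned rc is no longer inspected anywhere in this hunk, so a plain non-match (ssh-keygen -F exits non-zero when the host is not found) and a genuine failure (unreadable temp file, malformed key, unsupported option) now look identical to whatever follows; sanity_check continues beyond the hunk, and if the later code only looks at stdout, an operational error will be reported to the user as a host-name mismatch and the real stderr is lost. Keep the lenient call but fail on anything other than the found/not-found codes, e.g. `if rc not in (0, 1): module.fail_json(msg="ssh-keygen -F failed for %s: %s" % (host, stderr), rc=rc)` directly after the new line, before the temporary file is closed.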
@@ -167,3 +169,33 @@
     - 'not result.changed'
     - 'result.diff.before == result.diff.after'
     - 'known_hosts_v3.stdout == known_hosts_v4.stdout'
+
+# test errors
+
+- name: Try using a comma separated list of hosts
+  known_hosts:
+    name: example.org,acme.com
+    key: "{{ example_org_rsa_key }}"
+    path: "{{output_dir|expanduser}}/known_hosts"
+  ignore_errors: yes
+  register: result
+
+- name: Assert that error message was displayed
+  assert:
+    that:
+      - result is failed
+      - result.msg == 'Comma separated list of names is not supported. Please pass a single name to lookup in the known_hosts file.'
+
+- name: Try using a name that does not match the key
+  known_hosts:
+    name: example.com
+    key: "{{ example_org_rsa_key }}"
+    path: "{{output_dir|expanduser}}/known_hosts"
+  ignore_errors: yes
+  register: result
+
+- name: Assert that name checking failed with error message
+  assert:
+    that:
+      - result is failed
+      - result.msg == 'Host parameter does not match hashed host field in supplied key'
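Review bot: Neither negative test checks that the rejected calls left the known_hosts file untouched, while the context lines just above show the file's existing pattern of comparing before and after (`result.diff.before == result.diff.after`, `known_hosts_v3.stdout == known_hosts_v4.stdout`); a regression that writes the key before the sanity check fails would pass both new asserts. Adding `- result is not changed` to each `that:` list is the minimal check, and capturing the file contents around the two failing tasks the way the v3/v4 comparison does would be stronger. The new `path:` values also use `{{output_dir|expanduser}}` while the first hunk of this commit reformats the same expression to `{{ output_dir | expanduser }}`; one spacing style should be used throughout.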