authorized_key 29891 use os.path.realpath to follow keyfile symlinks (#40417)

* 29891 use os.path.realpath to follow keyfile symlinks * 29891 add parameter follow * updated changelog fragment * add documentation and set default to false
6 years ago · 21066410be
parent 688ffa4cee
commit 21066410be
2 changed files with 22 additions and 2 deletions
--- a/changelogs/fragments/authorized_key_symlinks.yaml
+++ b/changelogs/fragments/authorized_key_symlinks.yaml
@ -0,0 +1,4 @@
+---
+bugfixes:
+- authorized_key now have an option for following symlinks,
+  default behaviour (False) can be changed by setting follow True/False
--- a/lib/ansible/modules/system/authorized_key.py
+++ b/lib/ansible/modules/system/authorized_key.py
@ -78,6 +78,12 @@ options:
        cases such as fetching it from GitHub or GitLab.
      - If no comment is specified, the existing comment will be kept.
    version_added: "2.4"
+  follow:
+    description:
+      - Follow path symlink instead of replacing it
+    type: bool
+    default: 'no'
+    version_added: "2.7"
 author: "Ansible Core Team"
 '''

@ -284,7 +290,7 @@ class keydict(dict):
        return [item[1] for item in self.items()]


-def keyfile(module, user, write=False, path=None, manage_dir=True):
+def keyfile(module, user, write=False, path=None, manage_dir=True, follow=False):
    """
    Calculate name of authorized keys file, optionally creating the
    directories and file, properly setting permissions.
@ -293,11 +299,16 @@ def keyfile(module, user, write=False, path=None, manage_dir=True):
    :param bool write: if True, write changes to authorized_keys file (creating directories if needed)
    :param str path: if not None, use provided path rather than default of '~user/.ssh/authorized_keys'
    :param bool manage_dir: if True, create and set ownership of the parent dir of the authorized_keys file
+    :param bool follow: if True symlinks will be followed and not replaced
    :return: full path string to authorized_keys for user
    """

    if module.check_mode and path is not None:
        keysfile = path
+
+        if follow:
+            return os.path.realpath(keysfile)
+
        return keysfile

    try:
@ -314,6 +325,9 @@ def keyfile(module, user, write=False, path=None, manage_dir=True):
        sshdir = os.path.dirname(path)
        keysfile = path

+    if follow:
+        keysfile = os.path.realpath(keysfile)
+
    if not write:
        return keysfile

@ -518,6 +532,7 @@ def enforce_state(module, params):
    key_options = params.get("key_options", None)
    exclusive = params.get("exclusive", False)
    comment = params.get("comment", None)
+    follow = params.get('follow', False)
    error_msg = "Error getting key from: %s"

    # if the key is a url, request it and use it as key source
@ -613,7 +628,7 @@ def enforce_state(module, params):
            do_write = True

    if do_write:
-        filename = keyfile(module, user, do_write, path, manage_dir)
+        filename = keyfile(module, user, do_write, path, manage_dir, follow)
        new_content = serialize(existing_keys)

        diff = None
@ -650,6 +665,7 @@ def main():
            exclusive=dict(default=False, type='bool'),
            comment=dict(required=False, default=None, type='str'),
            validate_certs=dict(default=True, type='bool'),
+            follow=dict(default=False, type='bool')
        ),
        supports_check_mode=True
    )