Merge 9a34c897ec into a7e666829e

2 weeks ago · 3e21be03cf
parent a7e666829e 9a34c897ec
commit 3e21be03cf
4 changed files with 58 additions and 2 deletions
--- a/changelogs/fragments/81943-git_ssh-key-as-string-value.yml
+++ b/changelogs/fragments/81943-git_ssh-key-as-string-value.yml
@ -0,0 +1,3 @@
+---
+minor_changes:
+  - git module - Feature to pass a SSH key as a string value
--- a/lib/ansible/modules/git.py
+++ b/lib/ansible/modules/git.py
@ -77,6 +77,11 @@ options:
            - This ensures 'IdentitiesOnly=yes' is present in O(ssh_opts).
        type: path
        version_added: "1.5"
+    key_content:
+        description:
+            - Specify an optional private key string value to use for the checkout.
+        type: str
+        version_added: "2.17"
    reference:
        description:
            - Reference repository (see "git clone --reference ...").
@ -288,6 +293,22 @@ EXAMPLES = '''
    single_branch: yes
    version: master

+- name: Example clone of a single branch using a private key on the target host
+  ansible.builtin.git:
+    repo: https://github.com/ansible/ansible-examples.git
+    dest: /src/ansible-examples
+    key_file: /home/ansible/.ssh/id_ed25519
+    single_branch: yes
+    accept_hostkey: yes
+
+- name: Example clone of a single branch using a private key from the control node
+  ansible.builtin.git:
+    repo: https://github.com/ansible/ansible-examples.git
+    dest: /src/ansible-examples
+    key_content: "{{ lookup('ansible.builtin.env', 'SSH_KEY') }}"
+    single_branch: yes
+    accept_hostkey: yes
+
 - name: Avoid hanging when http(s) password is missing
  ansible.builtin.git:
    repo: https://github.com/ansible/could-be-a-private-repo
@ -340,7 +361,7 @@ import shutil
 import tempfile
 from ansible.module_utils.compat.version import LooseVersion

-from ansible.module_utils.common.text.converters import to_native, to_text
+from ansible.module_utils.common.text.converters import to_native, to_text, to_bytes
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.common.locale import get_best_parsable_locale
 from ansible.module_utils.common.process import get_bin_path
@ -1199,6 +1220,7 @@ def main():
            accept_hostkey=dict(default='no', type='bool'),
            accept_newhostkey=dict(default='no', type='bool'),
            key_file=dict(default=None, type='path', required=False),
+            key_content=dict(default=None, required=False, no_log=True),
            ssh_opts=dict(default=None, required=False),
            executable=dict(default=None, type='path'),
            bare=dict(default='no', type='bool'),
@ -1210,7 +1232,8 @@ def main():
            archive_prefix=dict(),
            separate_git_dir=dict(type='path'),
        ),
-        mutually_exclusive=[('separate_git_dir', 'bare'), ('accept_hostkey', 'accept_newhostkey')],
+        mutually_exclusive=[('separate_git_dir', 'bare'), ('accept_hostkey', 'accept_newhostkey'),
+                            ('key_file', 'key_content')],
        required_by={'archive_prefix': ['archive']},
        supports_check_mode=True
    )
@ -1231,6 +1254,7 @@ def main():
    single_branch = module.params['single_branch']
    git_path = module.params['executable'] or module.get_bin_path('git', True)
    key_file = module.params['key_file']
+    key_content = module.params['key_content']
    ssh_opts = module.params['ssh_opts']
    umask = module.params['umask']
    archive = module.params['archive']
@ -1305,6 +1329,16 @@ def main():
    # iface changes so need it to make decisions
    git_version_used = git_version(git_path, module)

+    if key_content:
+        key_content += "\n" if not key_content.endswith("\n") else ""
+        key = to_bytes(key_content)
+        # tempfile not saved on disk
+        tmpfd, key_file = tempfile.mkstemp(dir=module.tmpdir)
+        module.add_cleanup_file(key_file)
+        tmpfile = os.fdopen(tmpfd, "w+b")
+        tmpfile.write(key)
+        tmpfile.close()
+
    # GIT_SSH=<path> as an environment variable, might create sh wrapper script for older versions.
    set_git_ssh_env(key_file, ssh_opts, git_version_used, module)

--- a/test/integration/targets/git/tasks/main.yml
+++ b/test/integration/targets/git/tasks/main.yml
@ -29,6 +29,7 @@
  - import_tasks: formats.yml
  - import_tasks: missing_hostkey.yml
  - import_tasks: missing_hostkey_acceptnew.yml
+  - import_tasks: private-key.yml
  - import_tasks: no-destination.yml
  - import_tasks: specific-revision.yml
  - import_tasks: submodules.yml
--- a/test/integration/targets/git/tasks/private-key.yml
+++ b/test/integration/targets/git/tasks/private-key.yml
@ -0,0 +1,18 @@
+- name: Try with both src and content to ensure it fails
+  ansible.builtin.git:
+    repo: '{{ repo_format2 }}'
+    dest: '{{ checkout_dir }}'
+    single_branch: yes
+    key_content: "{{ lookup('ansible.builtin.env', 'SSH_KEY', default='nobody') }}"
+    key_file: '{{ github_ssh_private_key }}'
+    accept_hostkey: yes
+  ignore_errors: True
+  register: failed_git
+  when: github_ssh_private_key is defined
+
+- name: Assert that mutually exclusive parameters key_content & key_file failed
+  assert:
+    that:
+      - failed_git is failed
+      - "'mutually exclusive' in failed_git.msg"
+  when: github_ssh_private_key is defined