From c19cea9b03f343a6c7da6607ce355ffa409e985a Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 10 Sep 2019 06:44:04 +0200
Subject: [PATCH] openssh_keypair: make sure public key has same permissions as private key (#61658)
* Make sure public key has same permissions as private key.
* Add changelog.
* Text, not binary.
---
 ...8-openssh_keypair-public-key-permissions.yml | 2 ++
 lib/ansible/modules/crypto/openssh_keypair.py | 17 ++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml
diff --git a/changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml b/changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml
new file mode 100644
index 00000000000..ad4b9dcc030
--- /dev/null
+++ b/changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key."
diff --git a/lib/ansible/modules/crypto/openssh_keypair.py b/lib/ansible/modules/crypto/openssh_keypair.py
index cb5e522060a..63117f91dc7 100644
--- a/lib/ansible/modules/crypto/openssh_keypair.py
+++ b/lib/ansible/modules/crypto/openssh_keypair.py
@@ -202,7 +202,7 @@ class Keypair(object):
 self.remove()
 module.fail_json(msg="%s" % to_native(e))
- elif not self.isPublicKeyValid(module):
+ elif not self.isPublicKeyValid(module, perms_required=False):
 pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
 pubkey = pubkey[1].strip('\n')
 try:
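Review bot: The reason for passing `perms_required=False` on the `elif` is not recorded, so a reader has to find the `.pub` attribute handling further down (apparently the tail of the same method, in the hunk at line 230) to see that permissions are reconciled after the public key is regenerated rather than treated as a reason to regenerate it. A one-line comment above the `elif` would make that explicit, e.g. `# only content/comment decide regeneration here; file attributes of the .pub are reconciled below`. The enclosing method starts and ends outside this hunk.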
@@ -230,6 +230,9 @@ class Keypair(object):
 file_args = module.load_file_common_arguments(module.params)
 if module.set_fs_attributes_if_different(file_args, False):
 self.changed = True
+ file_args['path'] = file_args['path'] + '.pub'
+ if module.set_fs_attributes_if_different(file_args, False):
+ self.changed = True
 def isPrivateKeyValid(self, module, perms_required=True):
@@ -268,7 +271,7 @@ class Keypair(object):
 return _check_state() and _check_perms(module) and _check_type() and _check_size()
- def isPublicKeyValid(self, module):
+ def isPublicKeyValid(self, module, perms_required=True):
 def _get_pubkey_content():
 if os.path.exists(self.path + ".pub"):
@@ -296,6 +299,11 @@ class Keypair(object):
 return pubkey_parts[2] == self.comment
 return False
+ def _check_perms(module):
+ file_args = module.load_file_common_arguments(module.params)
+ file_args['path'] = file_args['path'] + '.pub'
+ return not module.set_fs_attributes_if_different(file_args, False)
+
 pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
 pubkey = pubkey[1].strip('\n')
 pubkey_parts = _parse_pubkey()
@@ -305,7 +313,10 @@ class Keypair(object):
 if not self.comment:
 return _pubkey_valid(pubkey)
- return _pubkey_valid(pubkey) and _comment_valid()
+ if not perms_required:
+ return _pubkey_valid(pubkey) and _comment_valid()
+
+ return _pubkey_valid(pubkey) and _comment_valid() and _check_perms(module)
 def dump(self):
 # return result as a dict
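Review bot: When `self.comment` is empty, the early `return _pubkey_valid(pubkey)` at the top of the `@@ -305` hunk exits before the new `perms_required` branch, so `_check_perms(module)` never runs for a key without a comment and a `.pub` with drifted mode/owner is reported valid to callers relying on the default `perms_required=True` — the case this commit sets out to fix. Collapsing the three returns into `valid = _pubkey_valid(pubkey) and (not self.comment or _comment_valid())` / `return valid and (not perms_required or _check_perms(module))` keeps the short-circuit for the no-comment case and applies the attribute check uniformly. Note also that `_check_perms` in the `@@ -296` hunk is not a pure check: it calls `set_fs_attributes_if_different`, which applies the attributes as a side effect (presumably mirroring the private-key `_check_perms` called in the `@@ -268` context), so a short comment such as `# applies the private key's file attributes to the .pub; True only when nothing had to change` should say so. The enclosing `isPublicKeyValid` begins in an earlier hunk and its inner helpers are only partly visible here.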