From 95b8bac865f5b7b94685b190b0fe3dbee93430f1 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 31 Jul 2021 16:05:49 +0200 Subject: [PATCH 1/4] Ensure openssl is available to us --- tests/integration/targets/setup_sshkey/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/integration/targets/setup_sshkey/tasks/main.yml b/tests/integration/targets/setup_sshkey/tasks/main.yml index 18c571b6718..7a2f704cc17 100644 --- a/tests/integration/targets/setup_sshkey/tasks/main.yml +++ b/tests/integration/targets/setup_sshkey/tasks/main.yml @@ -15,6 +15,13 @@ # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . +- name: ensure openssl cli is available + package: + name: openssl + state: present + tags: + - prepare + - name: create a temp file tempfile: state: file From c37a9731dd795b758754a9f1b378b15f0f6dc9de Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 31 Jul 2021 22:38:02 +0200 Subject: [PATCH 2/4] Try again to generate EC2 key fingerprints --- test-requirements.txt | 2 + .../setup_sshkey/files/ec2-fingerprint.py | 33 +++++++++++++ .../targets/setup_sshkey/tasks/main.yml | 49 +++++++++++-------- 3 files changed, 63 insertions(+), 21 deletions(-) create mode 100644 tests/integration/targets/setup_sshkey/files/ec2-fingerprint.py diff --git a/test-requirements.txt b/test-requirements.txt index 3d217284154..1c232aebe7d 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -8,3 +8,5 @@ pytest-mock netaddr # Sometimes needed where we don't have features we need in modules awscli +# Used for comparing SSH Public keys to the Amazon fingerprints +pycrypto diff --git a/tests/integration/targets/setup_sshkey/files/ec2-fingerprint.py b/tests/integration/targets/setup_sshkey/files/ec2-fingerprint.py new file mode 100644 index 00000000000..ea2f51b0f4c --- /dev/null +++ b/tests/integration/targets/setup_sshkey/files/ec2-fingerprint.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +""" +Reads an OpenSSH Public key and spits out the 'AWS' MD5 sum +The equivalent of + +ssh-keygen -f id_rsa.pub -e -m PKCS8 | openssl pkey -pubin -outform DER | openssl md5 -c | cut -f 2 -d ' ' + +(but without needing the OpenSSL CLI) +""" + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +import hashlib +import sys +from Crypto.PublicKey import RSA + +if len(sys.argv) == 0: + ssh_public_key = "id_rsa.pub" +else: + ssh_public_key = sys.argv[1] + +with open(ssh_public_key, 'r') as key_fh: + data = key_fh.read() + +# Convert from SSH format to DER format +public_key = RSA.importKey(data).exportKey('DER') +md5digest = hashlib.md5(public_key).hexdigest() +# Format the md5sum into the normal format +pairs = zip(md5digest[::2], md5digest[1::2]) +md5string = ":".join(["".join(pair) for pair in pairs]) + +print(md5string) diff --git a/tests/integration/targets/setup_sshkey/tasks/main.yml b/tests/integration/targets/setup_sshkey/tasks/main.yml index 7a2f704cc17..dd41a5d7f83 100644 --- a/tests/integration/targets/setup_sshkey/tasks/main.yml +++ b/tests/integration/targets/setup_sshkey/tasks/main.yml @@ -15,48 +15,55 @@ # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . -- name: ensure openssl cli is available - package: - name: openssl - state: present +- name: create a temp dir + tempfile: + state: directory + register: sshkey_dir tags: - prepare -- name: create a temp file - tempfile: - state: file - register: sshkey_file +- name: ensure script is available + copy: + src: ec2-fingerprint.py + dest: '{{ sshkey_dir.path }}/ec2-fingerprint.py' + mode: 0700 tags: - prepare +- name: Set location of SSH keys + set_fact: + sshkey: '{{ sshkey_dir.path }}/key_one' + another_sshkey: '{{ sshkey_dir.path }}/key_two' + sshkey_pub: '{{ sshkey_dir.path }}/key_one.pub' + another_sshkey_pub: '{{ sshkey_dir.path }}/key_two.pub' + - name: generate sshkey - shell: echo 'y' | ssh-keygen -P '' -f {{ sshkey_file.path }} + shell: echo 'y' | ssh-keygen -P '' -f '{{ sshkey }}' tags: - prepare -- name: create another temp file - tempfile: - state: file - register: another_sshkey_file +- name: record fingerprint + shell: '{{ sshkey_dir.path }}/ec2-fingerprint.py {{ sshkey_pub }}' + register: fingerprint tags: - prepare - name: generate another_sshkey - shell: echo 'y' | ssh-keygen -P '' -f {{ another_sshkey_file.path }} + shell: echo 'y' | ssh-keygen -P '' -f {{ another_sshkey }} tags: - prepare -- name: record fingerprint - shell: openssl rsa -in {{ sshkey_file.path }} -pubout -outform DER 2>/dev/null | openssl md5 -c - register: fingerprint +- name: record another fingerprint + shell: '{{ sshkey_dir.path }}/ec2-fingerprint.py {{ another_sshkey_pub }}' + register: another_fingerprint tags: - prepare - name: set facts for future roles set_fact: - sshkey: '{{ sshkey_file.path }}' - key_material: "{{ lookup('file', sshkey_file.path ~ '.pub') }}" - another_key_material: "{{ lookup('file', another_sshkey_file.path ~ '.pub') }}" - fingerprint: '{{ fingerprint.stdout.split()[1] }}' + key_material: "{{ lookup('file', sshkey_pub) }}" + another_key_material: "{{ lookup('file', another_sshkey_pub) }}" + fingerprint: '{{ fingerprint.stdout }}' + another_fingerprint: '{{ another_fingerprint.stdout }}' tags: - prepare From 094554c5a22fe6342cb8704267f9342f0721d0be Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 7 Aug 2021 14:02:37 +0200 Subject: [PATCH 3/4] Try adding GCC - see if pycrypto based result works --- bindep.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 bindep.txt diff --git a/bindep.txt b/bindep.txt new file mode 100644 index 00000000000..1f29b25b433 --- /dev/null +++ b/bindep.txt @@ -0,0 +1,4 @@ +# Needed by the ec2_key integration tests (generating EC2 format fingerprint) +openssl [test platform:rpm] +gcc [test platform:rpm] +python3-devel [test platform:rpm] From 042e56e96103021abf821dbc78ce667ba2438fe7 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Sat, 7 Aug 2021 15:01:33 +0200 Subject: [PATCH 4/4] re-enable ec2_key --- tests/integration/targets/ec2_key/aliases | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/integration/targets/ec2_key/aliases b/tests/integration/targets/ec2_key/aliases index 59b5d7afa94..e1a28da559a 100644 --- a/tests/integration/targets/ec2_key/aliases +++ b/tests/integration/targets/ec2_key/aliases @@ -2,6 +2,4 @@ # We need either the openssl binary, pycrpto, or a compiler on the Py36 and Py38 # Zuul nodes # https://github.com/ansible-collections/amazon.aws/issues/428 -disabled - cloud/aws