[EmbeddedAnsible] Ensure newline for :ssh_key_data #20771
this looks great.
@@ -54,6 +54,8 @@ class ManageIQ::Providers::EmbeddedAnsible::AutomationManager::ScmCredential < M | |||
alias ssh_key_data auth_key | |||
alias ssh_key_unlock auth_key_password | |||
|
|||
before_save :ensure_newline_for_ssh_key |
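Review bot: `before_save :ensure_newline_for_ssh_key` runs after validations, so any validation on the key would see the value without its trailing newline, and the record is modified after it has already been judged valid. Registering the callback as `before_validation :ensure_newline_for_ssh_key` keeps the normalisation ahead of validation; a one-line comment above it saying why the newline is needed would also help later readers.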
would before_validation work as well?
feel like data manipulation should happen before validation rather than before save
Seems like it still passes the tests, so either way works and I have no strong preference myself.
@Fryguy since I expect that you will give a final say anyway, do you want to weigh in on which you prefer before I end up rebasing this multiple times?
Hi @NickLaMuro, Would preserving the private key as entered be an option here? The reason I ask is that an RSA private key without the newline works fine in Ansible. The problem we encountered was specific to ssh keys generated on 5.11 (rhel 8). There wasn't a problem when we used ssh keys generated on 5.11 (rhel 8) with the -m PEM option which creates the RSA private key as opposed to the OPENSSH private key.
I think before_validation is the better choice
@tinaafitz I tested both types of private keys on a generic git clone with the following done to them:
$ echo "" >> ~/.ssh/id_rsa
$ echo "" >> ~/.ssh/id_rsa
$ echo "" >> ~/.ssh/id_rsa
So any number of newlines applied was no problem. However, lack of a `\n` seemed to be problematic, so I am erring on the side of "add a new line if it doesn't exist" universally instead of trying to parse specific keys.
If you find a key where this is not the case, we can address, but it seems like the following line:
-----END OPENSSH PRIVATE KEY-----
And
-----END RSA PRIVATE KEY-----
Are all that need to be in place, and subsequent lines are ignored.
Thanks @NickLaMuro. I feel better about it. :-)
@@ -66,4 +68,8 @@ def self.params_to_attributes(params) | |||
|
|||
attrs | |||
end | |||
|
|||
def ensure_newline_for_ssh_key | |||
self.auth_key = "#{auth_key}\n" unless auth_key.to_s[-1] == "\n" |
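Review bot: the `unless auth_key.to_s[-1] == "\n"` guard in `ensure_newline_for_ssh_key` also fires when `auth_key` is nil or empty, because `nil.to_s[-1]` is nil, so a credential with no SSH key would be saved with `auth_key` set to "\n". Return early when `auth_key` is nil or empty and test the ending with `auth_key.end_with?("\n")`. The hunk does not show a `private` marker above the new method, so confirm it is not left on the model's public interface.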
Is the `auth_key` encoding already guaranteed? Just want to make sure `to_s[-1]` doesn't break with an encoding compatibility error.
Should we only do this for when the key has the OPENSSH guard kind?
Oh I just read the gitter channel, and yeah, if you think that all keys could benefit from a trailing newline, then I'm good with this.
Also I can't tell from the diff, but please make this a private method.
Oh I just noticed a problem here...if auth_key is nil (for a non-ssh based authentication), then will this change the nil to a blank + \n, which is probably not wanted?
> Also I can't tell from the diff, but please make this a private method.
@Fryguy Missed this originally, but will do.
> Oh I just noticed a problem here...if auth_key is nil
@Fryguy fixed and added specs
> Is the auth_key encoding already guaranteed? Just want to make sure to_s[-1] doesn't break with an encoding compatibility error.
@djberg96 this inherits from credential.rb, which inherits from app/models/authentication.rb, and that model shows these attributes are covered:
manageiq/app/models/authentication.rb
Lines 20 to 24 in cf52121
encrypt_column :auth_key
encrypt_column :auth_key_password
encrypt_column :become_password
encrypt_column :password
encrypt_column :service_account
Couple comments
4ee4dc9 to cf52121
SSH formats like `OPENSSH` require that a newline exist on the last line, otherwise it is considered an invalid format. This adds a `before_validation` callback to the model to ensure that it adds a newline to the key (if a key exists) in case it was stripped off by the UI or via other means.
cf52121 to 89886e3
@Fryguy just pushed all of the requested fixes (after your approval). Hopefully those are good.
Checked commit NickLaMuro@89886e3 with ruby 2.6.3, rubocop 0.82.0, haml-lint 0.35.0, and yamllint
In the general case, rails trimming the last this solution looks like a great and would be a good candidate for backporting
…nsure_newline [EmbeddedAnsible] Ensure newline for :ssh_key_data (cherry picked from commit 1895a65)
Kasparov backport details:
…nsure_newline [EmbeddedAnsible] Ensure newline for :ssh_key_data (cherry picked from commit 1895a65)
Jansa backport details:
@NickLaMuro can this be
…nsure_newline [EmbeddedAnsible] Ensure newline for :ssh_key_data (cherry picked from commit 1895a65) https://bugzilla.redhat.com/show_bug.cgi?id=1893014
No conflicts 😄 Ivanchuk backport details:
SSH formats like `OPENSSH` require that a newline exist on the last line, otherwise it is considered an invalid format. This adds a `before_save` callback to the model to ensure that it adds a newline to the key in case it was stripped off by the UI or via other means.
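The newline normalisation discussed in this PR, as an added Ruby illustration that is not ManageIQ's code: it runs the expression from the reviewed hunk beside a nil-safe variant. The function names and the placeholder key bodies are assumptions made for the example.

```ruby
# Added example, not project code. The key bodies are constructed
# placeholders, not real key material.
OPENSSH_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----\n" \
              "CONSTRUCTED+PLACEHOLDER+BODY\n" \
              "-----END OPENSSH PRIVATE KEY-----".freeze
RSA_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" \
          "CONSTRUCTED+PLACEHOLDER+BODY\n" \
          "-----END RSA PRIVATE KEY-----".freeze

# Same test as the hunk: nil.to_s is "", ""[-1] is nil, and nil != "\n",
# so a credential that has no key at all comes back as "\n".
def naive_ensure_newline(auth_key)
  auth_key.to_s[-1] == "\n" ? auth_key : "#{auth_key}\n"
end

# Guarded variant (hypothetical name): nil and empty values pass through
# untouched; otherwise exactly one "\n" is appended when none is present.
# Existing trailing newlines are kept as entered.
def ensure_newline(auth_key)
  return auth_key if auth_key.nil? || auth_key.empty?

  auth_key.end_with?("\n") ? auth_key : "#{auth_key}\n"
end

# Runs both variants over the cases raised in the review thread and
# returns [label, naive result, guarded result] rows.
def compare_variants
  cases = {
    "no key (nil)"            => nil,
    "OPENSSH, newline lost"   => OPENSSH_KEY,
    "RSA, newline present"    => "#{RSA_KEY}\n",
    "RSA, two extra newlines" => "#{RSA_KEY}\n\n"
  }
  cases.map do |label, key|
    [label, naive_ensure_newline(key), ensure_newline(key)]
  end
end

compare_variants.each do |label, naive, guarded|
  puts format("%-24s naive=%-12s guarded=%s", label,
              naive.inspect[-12, 12] || naive.inspect,
              guarded.inspect[-12, 12] || guarded.inspect)
end
```
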