Merge branch 'action_sshfp' into 'newinfra'

[moimoin-gendoc] Write ssh fingerprint instead of the full key that no one would ever read. See merge request !124

Merge branch 'action_sshfp' into 'newinfra'
[moimoin-gendoc] Write ssh fingerprint instead of the full key that no one would ever read. See merge request !124
69565b87 · Maxime Bombar · d17968e2 · ec6cd26d · 69565b87 · 69565b87
Commit 69565b87 authored 4 years ago by Maxime Bombar
--- a/action_plugins/sshfp.py
+++ b/action_plugins/sshfp.py
+import base64
+import hashlib
+
+from ansible.errors import AnsibleError
+from ansible.plugins.action import ActionBase
+from ansible.utils.display import Display
+from ansible.module_utils._text import to_native
+
+display = Display()
+
+
+class ActionModule(ActionBase):
+
+    TRANSFERS_FILES = False
+
+    def _sshfp(self, key):
+        return(b'SHA256:'+base64.b64encode(
+            hashlib.sha256(base64.b64decode(key)
+                           ).digest()).replace(b'=',b'')).decode('utf-8')
+
+    def run(self, tmp=None, task_vars=None):
+        """
+        The run method is the main Action Plugin driver. All work is done from within this 	method.
+
+        tmp: Temporary directory. Sometimes an action plugin sets up
+             a temporary directory and then calls another module. This parameter
+             allows us to reuse the same directory for both.
+
+        task_vars: The variables (host vars, group vars, config vars, etc) associated with this task.
+                   Note that while this will contain Ansible facts from the host, they should be used
+                   with caution as a user running Ansible can disable their collection. If you want
+                   make sure that your Action Plugin always has access to the ones it needs, you may
+                   want to consider running the setup module directly in the run the method and getting
+                   the Ansible facts that way.
+                   The strategy plugin which manages running tasks on instances uses an ansible.vars.manager
+                   VariableManager instance to retrieve this context specific dict of variables.
+        """
+        if task_vars is None:
+            task_vars = dict()
+
+        result = super(ActionModule, self).run(tmp, task_vars)
+
+        self._supports_check_mode = True
+        self._supports_async = False
+
+        setup_module_args=dict(
+            gather_subset='all',
+            gather_timeout=10
+        )
+
+        setup_result = self._execute_module(
+            module_name='setup',
+            module_args=setup_module_args,
+            persist_files=False,
+            task_vars=task_vars,
+            tmp=tmp,
+        )
+
+        hostname = task_vars.get('inventory_hostname')
+
+        for algo in ['rsa', 'ecdsa', 'ed25519']:
+            key = f'ansible_ssh_host_key_{algo}_public'
+            keyblob = setup_result['ansible_facts'].get(key)
+            if not keyblob:
+                display.vvv(f"host {hostname} doesn't offer {algo} ssh host key. Skipping...")
+                result[f'ssh_host_key_{algo}_fp'] = None
+                continue
+            try:
+                display.vvv("Trying to get fingerprint for {algo} ssh host key.")
+                fp = self._sshfp(keyblob)
+                result[f'ssh_host_key_{algo}_fp'] = fp
+            except Exception as e:
+                err_msg = to_native(e)
+                raise AnsibleError(err_msg)
+        return result
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -4,6 +4,7 @@

 # Explicitely redefined some defaults to make play execution work
 roles_path = ./roles
+action_plugins = ./action_plugins
 vars_plugins = ./vars_plugins
 lookup_plugins = ./lookup_plugins


--- a/roles/moinmoin-gendoc/tasks/main.yml
+++ b/roles/moinmoin-gendoc/tasks/main.yml
@@ -10,6 +10,10 @@
 - name: get dmidecode facts
  dmidecode: {}

+- name: get ssh fingerprints
+  sshfp: {}
+  register: sshfp
+
 - name: "Create wiki page documenting {{ ansible_hostname }} (physical)"
  when: ansible_system_vendor != 'QEMU'
  moinmoin_page:

--- a/roles/moinmoin-gendoc/templates/server.j2
+++ b/roles/moinmoin-gendoc/templates/server.j2
@@ -83,15 +83,15 @@ et {{ (ansible_memory_mb.swap.total/1024)|round(1) }} GiB de SWAP.

 '''RSA''' :
 {{ '{{{' }}
-{{ ansible_ssh_host_key_rsa_public | wordwrap }}
+{{ sshfp.ssh_host_key_rsa_fp }}
 {{ '}}}' }}

 '''ECDSA''' :
 {{ '{{{' }}
-{{ ansible_ssh_host_key_ecdsa_public | wordwrap }}
+{{ sshfp.ssh_host_key_ecdsa_fp }}
 {{ '}}}' }}

 '''ED25519''' :
 {{ '{{{' }}
-{{ ansible_ssh_host_key_ed25519_public | wordwrap }}
+{{ sshfp.ssh_host_key_ed25519_fp }}
 {{ '}}}' }}