Fix ec2_win_password to allow blank key_passphrase #28791

Merged
merged 1 commit into from
Sep 29, 2017


jonjozwiak
Contributor

SUMMARY

There was a change between ansible 2.3.2 and ansible 2.4.0 that broke the ec2_win_password module if using a key without a passphrase. The below task worked in 2.3.2 and fails in 2.4.0:

- name: obtain windows passwords for instances
  ec2_win_password:
    region: "us-east-1"
    instance_id: "i-09b943879876303ea"
    key_file: "/home/jjozwiak/.ssh/id_rsa"
    wait: yes
    wait_timeout: 45
  register: ec2_password

In 2.4.0 this returns a failure indicating the private key is given a passphrase, but the key isn't encrypted.

The full traceback is:
File "/tmp/ansible_6K5Q9I/ansible_module_ec2_win_password.py", line 167, in main
key = load_pem_private_key(f.read(), b_key_passphrase, BACKEND)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
return backend.load_pem_private_key(data, password)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1006, in load_pem_private_key
password,
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1231, in _load_key
"Password was given but private key is not encrypted.")

This can be fixed by passing None as the passphrase if one isn't defined.

ISSUE TYPE

  • Bugfix Pull Request

COMPONENT NAME

modules/cloud/amazon/ec2_win_password.py

ANSIBLE VERSION
ansible 2.4.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/jjozwiak/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.13 (default, Jun 26 2017, 10:20:05) [GCC 7.1.1 20170622 (Red Hat 7.1.1-3)]

ADDITIONAL INFORMATION

After change, I get a successful run:

PLAY [localhost] ***********************************************************************************************

TASK [obtain windows passwords for instances] ******************************************************************
changed: [localhost]

TASK [debug] ***************************************************************************************************
ok: [localhost] => {
    "ec2_password": {
        "changed": true, 
        "elapsed": 0, 
        "failed": false, 
        "win_password": "******************************"
    }
}

PLAY RECAP *****************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0  
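
The failure in the description above, reproduced as an added example (not code from this pull request or from the ec2_win_password module): `load_pem_private_key` raises `TypeError` when any non-None password accompanies an unencrypted key, so a wrapper maps an unset or blank passphrase to None before loading. The helper names and the generated keys are constructed for illustration.

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

BACKEND = default_backend()


def normalize_passphrase(key_passphrase):
    """Map an unset or blank passphrase to None; otherwise return bytes."""
    if not key_passphrase:
        return None
    if isinstance(key_passphrase, bytes):
        return key_passphrase
    return key_passphrase.encode("utf-8")


def load_key(pem, key_passphrase=None):
    """Load a PEM private key whether or not it is passphrase-protected."""
    return serialization.load_pem_private_key(
        pem, normalize_passphrase(key_passphrase), BACKEND)


def raw_load_error(pem, password):
    """Call the loader with no normalization; return the exception name, or None."""
    try:
        serialization.load_pem_private_key(pem, password, BACKEND)
    except (TypeError, ValueError) as exc:
        return type(exc).__name__
    return None


def make_sample_keys(passphrase=b"constructed-passphrase"):
    """Constructed test data: one RSA key as plain and as encrypted PEM."""
    key = rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=BACKEND)

    def dump(encryption):
        return key.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.PKCS8, encryption)
    return (key, dump(serialization.NoEncryption()),
            dump(serialization.BestAvailableEncryption(passphrase)))


if __name__ == "__main__":
    key, plain, encrypted = make_sample_keys()
    # Unencrypted key plus any password: the TypeError from the traceback above.
    print(raw_load_error(plain, b"constructed-unused"))
    # A blank passphrase is normalized to None, so the same key loads.
    print(load_key(plain, "").key_size)
    # A real passphrase still reaches the loader for an encrypted key.
    print(load_key(encrypted, "constructed-passphrase").key_size)
```

The reverse mismatch is also a `TypeError`: an encrypted key loaded with None is rejected, so the normalization does not weaken handling of passphrase-protected keys.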


@ansibot
Contributor

ansibot commented Aug 29, 2017

@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 aws bugfix_pull_request cloud community_review In order to be merged, this PR must follow the community review workflow. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. labels Aug 29, 2017
@jhawkesworth
Contributor

I'm not a user of this module but the code looks like it does what is described.

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Aug 29, 2017
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Sep 6, 2017
@carpnick

I can validate this broke between 2.3.2 and 2.4

@willthames
Contributor

@carpnick are you able to validate the fix works for you?

@carpnick

@willthames I can confirm that this does fix the issue. I installed 2.4, validated it failed, applied the patch, everything works.

@carpnick

@crazycoop74 FYI

@willthames
Contributor

rebuild_merge

Thanks @carpnick for verifying the PR and @jonjozwiak for the implementation

@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Sep 29, 2017
@ansibot ansibot merged commit 74f9509 into ansible:devel Sep 29, 2017
prasadkatti pushed a commit to prasadkatti/ansible that referenced this pull request Oct 1, 2017
@jborean93
Contributor

@willthames I'm guessing this should be cherry-picked to stable-2.4 for the 2.4.1 release. Let me know if you don't want this to happen.

@willthames
Contributor

@jborean93 I'm fine with it being cherry picked

jborean93 pushed a commit that referenced this pull request Oct 9, 2017
@jborean93
Contributor

Thanks @willthames, cherry-picked under 60e98a3 for 2.4.1.

pstiasny added a commit to pstiasny/golem that referenced this pull request Oct 26, 2017
The bugfix that required installation of dev ansible version
(ansible/ansible#28791) made it to
the pypi release.
maaktweluit pushed a commit to maaktweluit/golem that referenced this pull request Nov 10, 2017
The bugfix that required installation of dev ansible version
(ansible/ansible#28791) made it to
the pypi release.
Labels
affects_2.4 This issue/PR affects Ansible v2.4 aws bug This issue/PR relates to a bug. cloud community_review In order to be merged, this PR must follow the community review workflow. module This issue/PR relates to a module. support:community This issue/PR relates to code supported by the Ansible community.
6 participants