openssl_publickey is broken in python3 #54190

Closed
jackivanov opened this issue Mar 21, 2019 · 6 comments · Fixed by #54192
Labels
affects_2.7 This issue/PR affects Ansible v2.7 bug This issue/PR relates to a bug. crypto Crypto community (ACME, openssl, letsencrypt) module This issue/PR relates to a module. python3 support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback.

jackivanov commented Mar 21, 2019

SUMMARY

It is not possible to create a public OpenSSH key from an encrypted private key using python3 as the interpreter.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

openssl_publickey

ANSIBLE VERSION
ansible 2.7.9
  config file = /Users/jack/git/jackivanov/ansible-test/ansible.cfg
  configured module search path = ['/Users/jack/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/ansible
  executable location = /Users/jack/git/jackivanov/ansible-test/.venv/bin/ansible
  python version = 3.7.2 (default, Feb 12 2019, 08:15:36) [Clang 10.0.0 (clang-1000.11.45.5)]
$ pip freeze
ansible==2.7.9
asn1crypto==0.24.0
bcrypt==3.1.6
cffi==1.12.2
cryptography==2.6.1
Jinja2==2.10
MarkupSafe==1.1.1
paramiko==2.4.2
pyasn1==0.4.5
pycparser==2.19
PyNaCl==1.3.0
pyOpenSSL==19.0.0
PyYAML==5.1
six==1.12.0
CONFIGURATION
DEFAULT_HOST_LIST(/Users/jack/git/jackivanov/ansible-test/ansible.cfg) = ['/Users/jack/git/jackivanov/ansible-test/inventory']
HOST_KEY_CHECKING(/Users/jack/git/jackivanov/ansible-test/ansible.cfg) = False
RETRY_FILES_ENABLED(/Users/jack/git/jackivanov/ansible-test/ansible.cfg) = False
OS / ENVIRONMENT

I don't think it's related; I faced this issue on both Ubuntu and MacOS.

STEPS TO REPRODUCE

Just run the playbook below:

ansible-playbook test.yml -e "ansible_python_interpreter=python3"

---
- hosts: localhost
  gather_facts: false
  become: false
  tasks:
    - openssl_privatekey:
        path: /tmp/openssl_privatekey
        passphrase: pass
        cipher: aes256
        force: false

    - openssl_publickey:
        path: /tmp/openssl_publickey
        privatekey_path: /tmp/openssl_privatekey
        privatekey_passphrase: pass
        format: OpenSSH
        force: true
EXPECTED RESULTS

Public key created successfully

ACTUAL RESULTS

I've got the following error:

TypeError: password must be bytes-like

Meanwhile, it works as expected in python2

ansible-playbook 2.7.9
  config file = /Users/jack/git/jackivanov/ansible-test/ansible.cfg
  configured module search path = ['/Users/jack/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/ansible
  executable location = /Users/jack/git/jackivanov/ansible-test/.venv/bin/ansible-playbook
  python version = 3.7.2 (default, Feb 12 2019, 08:15:36) [Clang 10.0.0 (clang-1000.11.45.5)]
Using /Users/jack/git/jackivanov/ansible-test/ansible.cfg as config file
setting up inventory plugins
/Users/jack/git/jackivanov/ansible-test/inventory did not meet host_list requirements, check plugin documentation if this is unexpected
/Users/jack/git/jackivanov/ansible-test/inventory did not meet script requirements, check plugin documentation if this is unexpected
Set default localhost to localhost
Parsed /Users/jack/git/jackivanov/ansible-test/inventory inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/ansible/plugins/callback/default.py

PLAYBOOK: test.yml *****************************************************************************************************************************************************************************************
1 plays in test.yml

PLAY [localhost] *******************************************************************************************************************************************************************************************
META: ran handlers

TASK [openssl_privatekey] **********************************************************************************************************************************************************************************
task path: /Users/jack/git/jackivanov/ansible-test/test.yml:6
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: jack
<localhost> EXEC /bin/sh -c 'echo ~jack && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605 `" && echo ansible-tmp-1553193914.4587588-890793947605="` echo /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605 `" ) && sleep 0'
Using module file /Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/ansible/modules/crypto/openssl_privatekey.py
<localhost> PUT /Users/jack/.ansible/tmp/ansible-local-23447hahaom5t/tmppsilltym TO /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605/AnsiballZ_openssl_privatekey.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605/ /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605/AnsiballZ_openssl_privatekey.py && sleep 0'
<localhost> EXEC /bin/sh -c 'python3 /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605/AnsiballZ_openssl_privatekey.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/jack/.ansible/tmp/ansible-tmp-1553193914.4587588-890793947605/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => {
    "changed": false,
    "filename": "/tmp/openssl_privatekey",
    "fingerprint": {},
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "cipher": "aes256",
            "content": null,
            "delimiter": null,
            "directory_mode": null,
            "follow": false,
            "force": false,
            "group": null,
            "mode": null,
            "owner": null,
            "passphrase": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "path": "/tmp/openssl_privatekey",
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "size": 4096,
            "src": null,
            "state": "present",
            "type": "RSA",
            "unsafe_writes": null
        }
    },
    "size": 4096,
    "type": "RSA"
}

TASK [openssl_publickey] ***********************************************************************************************************************************************************************************
task path: /Users/jack/git/jackivanov/ansible-test/test.yml:12
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: jack
<localhost> EXEC /bin/sh -c 'echo ~jack && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728 `" && echo ansible-tmp-1553193914.930419-258635253131728="` echo /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728 `" ) && sleep 0'
Using module file /Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/ansible/modules/crypto/openssl_publickey.py
<localhost> PUT /Users/jack/.ansible/tmp/ansible-local-23447hahaom5t/tmp_969g52a TO /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/ /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py && sleep 0'
<localhost> EXEC /bin/sh -c 'python3 /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "module_stderr": "/Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py:17: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses\n  import imp\nTraceback (most recent call last):\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/cryptography/utils.py\", line 35, in _check_byteslike\n    memoryview(value)\nTypeError: memoryview: a bytes-like object is required, not 'str'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py\", line 113, in <module>\n    _ansiballz_main()\n  File \"/Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py\", line 105, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/Users/jack/.ansible/tmp/ansible-tmp-1553193914.930419-258635253131728/AnsiballZ_openssl_publickey.py\", line 48, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/imp.py\", line 234, in load_module\n    return load_source(name, filename, file)\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/imp.py\", line 169, in load_source\n    module = _exec(spec, sys.modules[name])\n  File \"<frozen importlib._bootstrap>\", line 630, in _exec\n  File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module\n  File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed\n  File \"/var/folders/d2/jghvtrvj2sn3gpjcty1mtxb00000gn/T/ansible_openssl_publickey_payload__rwi4woe/__main__.py\", line 310, in <module>\n  File \"/var/folders/d2/jghvtrvj2sn3gpjcty1mtxb00000gn/T/ansible_openssl_publickey_payload__rwi4woe/__main__.py\", line 289, in main\n  
File \"/var/folders/d2/jghvtrvj2sn3gpjcty1mtxb00000gn/T/ansible_openssl_publickey_payload__rwi4woe/__main__.py\", line 176, in generate\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/cryptography/hazmat/primitives/serialization/base.py\", line 16, in load_pem_private_key\n    return backend.load_pem_private_key(data, password)\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.py\", line 1045, in load_pem_private_key\n    password,\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.py\", line 1242, in _load_key\n    utils._check_byteslike(\"password\", password)\n  File \"/Users/jack/git/jackivanov/ansible-test/.venv/lib/python3.7/site-packages/cryptography/utils.py\", line 37, in _check_byteslike\n    raise TypeError(\"{} must be bytes-like\".format(name))\nTypeError: password must be bytes-like\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

PLAY RECAP *************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1
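
The failure reported above, reproduced outside Ansible as an added example (not part of the original report and not the code from #54192). It needs the `cryptography` package. The function names are hypothetical, and the key is a throwaway generated at run time.

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def make_encrypted_pem(passphrase: bytes) -> bytes:
    """Constructed test input: a throwaway RSA key, PEM-encoded and encrypted."""
    key = rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=default_backend()
    )
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase),
    )


def passphrase_to_bytes(passphrase):
    """Hypothetical helper: make a module parameter safe to hand to cryptography.

    None stays None (unencrypted key), text is UTF-8 encoded,
    bytes-like values are copied to bytes.
    """
    if passphrase is None:
        return None
    if isinstance(passphrase, str):
        return passphrase.encode("utf-8")
    return bytes(passphrase)


def openssh_public_key(pem: bytes, passphrase) -> bytes:
    """Load an encrypted PEM private key and export its OpenSSH public key."""
    key = serialization.load_pem_private_key(
        pem, password=passphrase_to_bytes(passphrase), backend=default_backend()
    )
    return key.public_key().public_bytes(
        serialization.Encoding.OpenSSH, serialization.PublicFormat.OpenSSH
    )


def load_without_conversion(pem: bytes, passphrase):
    """Call shape from the traceback: the passphrase is passed through as-is."""
    return serialization.load_pem_private_key(
        pem, password=passphrase, backend=default_backend()
    )
```

Under Python 3, `load_without_conversion(pem, "pass")` raises `TypeError`, while `openssh_public_key(pem, "pass")` returns an `ssh-rsa` line.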
@ansibot
Contributor

ansibot commented Mar 21, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.7 This issue/PR affects Ansible v2.7 bug This issue/PR relates to a bug. crypto Crypto community (ACME, openssl, letsencrypt) module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. python3 support:community This issue/PR relates to code supported by the Ansible community. traceback This issue/PR includes a traceback. labels Mar 21, 2019
@felixfontein
Contributor

Thanks for reporting this! It's a pretty obvious bug and also shows that some parts of the module are not covered by the integration tests...

@jackivanov
Author

Affects 2.5 as well, so a fix would need to be backported

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Mar 21, 2019
@felixfontein
Contributor

2.5 only gets security fixes; see here. If one for 2.6 gets merged we'll see, but one for 2.7 will definitely be merged.

@felixfontein
Contributor

resolved_by_pr #54192

@ansible ansible locked and limited conversation to collaborators Jul 25, 2019