Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce pkcs1 for ec2 keys #161

Merged
merged 1 commit into from
Jun 12, 2024
Merged

Conversation

sspans-sbp
Copy link
Contributor

The driver code expects an pkcs1 key for fetching the windows password. Make sure we generate the correct key type.

Current code fails with:

Traceback (most recent call last):
  File "/usr/local/bin/molecule", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule/command/test.py", line 113, in test
    base.execute_cmdline_scenarios(scenario_name, args, command_args, ansible_args)
  File "/usr/local/lib/python3.11/site-packages/molecule/command/base.py", line 119, in execute_cmdline_scenarios
    execute_scenario(scenario)
  File "/usr/local/lib/python3.11/site-packages/molecule/command/base.py", line 162, in execute_scenario
    execute_subcommand(scenario.config, action)
  File "/usr/local/lib/python3.11/site-packages/molecule/command/base.py", line 152, in execute_subcommand
    return command(config).execute(args)
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule/command/base.py", line 52, in __init__
    self._setup()
  File "/usr/local/lib/python3.11/site-packages/molecule/command/base.py", line 71, in _setup
    self._config.provisioner.manage_inventory()
  File "/usr/local/lib/python3.11/site-packages/molecule/provisioner/ansible.py", line 849, in manage_inventory
    self._write_inventory()
  File "/usr/local/lib/python3.11/site-packages/molecule/provisioner/ansible.py", line 895, in _write_inventory
    self._verify_inventory()
  File "/usr/local/lib/python3.11/site-packages/molecule/provisioner/ansible.py", line 949, in _verify_inventory
    if not self.inventory:
           ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule/provisioner/ansible.py", line 666, in inventory
    connection_options = self.connection_options(instance_name)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule/provisioner/ansible.py", line 730, in connection_options
    d = self._config.driver.ansible_connection_options(instance_name)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule_plugins/ec2/driver.py", line 243, in ansible_connection_options
    conn_opts["ansible_password"] = self._get_windows_instance_pass(
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/molecule_plugins/ec2/driver.py", line 273, in _get_windows_instance_pass
    key = load_pem_private_key(f.read(), None, default_backend())
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 24, in load_pem_private_key
    return ossl.load_pem_private_key(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 957, in load_pem_private_key
    return self._load_key(
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1152, in _load_key
    self._handle_key_loading_error()
  File "/usr/local/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1207, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

@apatard
Copy link
Member

apatard commented May 30, 2023

I'm no ec2 user so my question is possibly stupid: can this change break non windows platforms ?

Also, why doing this on playbook level and not in _get_windows_instance_pass ?

The driver code expects an pkcs1 key for fetching the windows password. Make sure we generate the correct key type.
@zhan9san
Copy link
Member

zhan9san commented Dec 2, 2023

I suggest to ensure the values of backend and private_key_format keep the default value of openssh_keypair_module

And add this two item in molecule.yaml

@ssbarnea ssbarnea added the bug Something isn't working label Jun 12, 2024
@ssbarnea ssbarnea merged commit c820d9c into ansible-community:main Jun 12, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants