feat: add private_key_format choices for openssh_keypair (#511)

* feat: add private_key_format choices for openssh_keypair

* chore: add changelog fragment

plugins/module_utils/openssh/backends/common.py

@@ -219,10 +219,11 @@ class KeygenCommand(object):
 
 
 class PrivateKey(object):
-    def __init__(self, size, key_type, fingerprint):
+    def __init__(self, size, key_type, fingerprint, format=''):
         self._size = size
         self._type = key_type
         self._fingerprint = fingerprint
+        self._format = format
 
     @property
     def size(self):
@@ -236,6 +237,10 @@ class PrivateKey(object):
     def fingerprint(self):
         return self._fingerprint
 
+    @property
+    def format(self):
+        return self._format
+
     @classmethod
     def from_string(cls, string):
         properties = string.split()
@@ -251,6 +256,7 @@ class PrivateKey(object):
             'size': self._size,
             'type': self._type,
             'fingerprint': self._fingerprint,
+            'format': self._format,
         }
 
 
@@ -324,3 +330,17 @@ class PublicKey(object):
             'comment': self._comment,
             'public_key': self._data,
         }
+
+
+def parse_private_key_format(path):
+    with open(path, 'r') as file:
+        header = file.readline().strip()
+
+    if header == '-----BEGIN OPENSSH PRIVATE KEY-----':
+        return 'SSH'
+    elif header == '-----BEGIN PRIVATE KEY-----':
+        return 'PKCS8'
+    elif header == '-----BEGIN RSA PRIVATE KEY-----':
+        return 'PKCS1'
+
+    return ''

plugins/module_utils/openssh/backends/keypair_backend.py

@@ -31,6 +31,7 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.
     OpensshModule,
     PrivateKey,
     PublicKey,
+    parse_private_key_format,
 )
 from ansible_collections.community.crypto.plugins.module_utils.openssh.utils import (
     any_in,
@@ -182,8 +183,13 @@ class KeypairBackend(OpensshModule):
         return all([
             self.size == self.original_private_key.size,
             self.type == self.original_private_key.type,
+            self._private_key_valid_backend(),
         ])
 
+    @abc.abstractmethod
+    def _private_key_valid_backend(self):
+        pass
+
     @OpensshModule.trigger_change
     @OpensshModule.skip_if_check_mode
     def _generate(self):
@@ -329,6 +335,9 @@ class KeypairBackendOpensshBin(KeypairBackend):
         except (IOError, OSError) as e:
             self.module.fail_json(msg=to_native(e))
 
+    def _private_key_valid_backend(self):
+        return True
+
 
 class KeypairBackendCryptography(KeypairBackend):
     def __init__(self, module):
@@ -360,6 +369,8 @@ class KeypairBackendCryptography(KeypairBackend):
                                "or for ed25519 keys"
                     )
                 )
+        else:
+            result = key_format.upper()
 
         return result
 
@@ -386,6 +397,7 @@ class KeypairBackendCryptography(KeypairBackend):
             size=keypair.size,
             key_type=keypair.key_type,
             fingerprint=keypair.fingerprint,
+            format=parse_private_key_format(self.private_key_path)
         )
 
     def _get_public_key(self):
@@ -428,6 +440,14 @@ class KeypairBackendCryptography(KeypairBackend):
         except (IOError, OSError) as e:
             self.module.fail_json(msg=to_native(e))
 
+    def _private_key_valid_backend(self):
+        # avoids breaking behavior and prevents
+        # automatic conversions with OpenSSH upgrades
+        if self.module.params['private_key_format'] == 'auto':
+            return True
+
+        return self.private_key_format == self.original_private_key.format
+
 
 def select_backend(module, backend):
     can_use_cryptography = HAS_OPENSSH_SUPPORT