Fixed hash_host option in known_hosts module. Fixes #44284

test/integration/targets/known_hosts/tasks/main.yml

@@ -19,7 +19,7 @@
 - name: copy an existing file in place
   copy:
     src: existing_known_hosts
-    dest: "{{ output_dir | expanduser }}/known_hosts"
+    dest: "{{ output_dir }}/known_hosts"
 
 # test addition
 
@@ -29,13 +29,13 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: present
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: diff
 
 - name: assert that the diff looks as expected (the key was added at the end)
   assert:
     that:
-    - 'diff.changed'
+    - 'diff is changed'
     - 'diff.diff.before_header == diff.diff.after_header == output_dir|expanduser + "/known_hosts"'
     - 'diff.diff.after.splitlines()[:-1] == diff.diff.before.splitlines()'
     - 'diff.diff.after.splitlines()[-1] == example_org_rsa_key.strip()'
@@ -45,17 +45,17 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: present
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: result
 
 - name: get the file content
-  shell: cat "{{output_dir|expanduser}}/known_hosts"
+  command: "cat {{output_dir}}/known_hosts"
   register: known_hosts
 
 - name: assert that the key was added and ordering preserved
   assert:
     that:
-    - 'result.changed'
+    - 'result is changed'
     - 'known_hosts.stdout_lines[0].startswith("example.com")'
     - 'known_hosts.stdout_lines[4].startswith("# example.net")'
     - 'known_hosts.stdout_lines[-1].strip() == example_org_rsa_key.strip()'
@@ -68,13 +68,13 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: present
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: check
 
 - name: assert that no changes were expected
   assert:
     that:
-    - 'not check.changed'
+    - 'check is not changed'
     - 'check.diff.before == check.diff.after'
 
 - name: add the same host
@@ -82,17 +82,17 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: present
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: result
 
 - name: get the file content
-  shell: cat "{{output_dir|expanduser}}/known_hosts"
+  command: "cat {{output_dir}}/known_hosts"
   register: known_hosts_v2
 
 - name: assert that no changes happened
   assert:
     that:
-    - 'not result.changed'
+    - 'result is not changed'
     - 'result.diff.before == result.diff.after'
     - 'known_hosts.stdout == known_hosts_v2.stdout'
 
@@ -104,7 +104,7 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: absent
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: diff
 
 - name: assert that the diff looks as expected (the key was removed)
@@ -119,17 +119,17 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: absent
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: result
 
 - name: get the file content
-  shell: cat "{{output_dir|expanduser}}/known_hosts"
+  command: "cat {{output_dir}}/known_hosts"
   register: known_hosts_v3
 
 - name: assert that the key was removed and ordering preserved
   assert:
     that:
-    - 'result.changed'
+    - 'result is changed'
     - '"example.org" not in known_hosts_v3.stdout'
     - 'known_hosts_v3.stdout_lines[0].startswith("example.com")'
     - 'known_hosts_v3.stdout_lines[-1].startswith("# example.net")'
@@ -142,13 +142,13 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: absent
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: check
 
 - name: assert that no changes were expected
   assert:
     that:
-    - 'not check.changed'
+    - 'check is not changed'
     - 'check.diff.before == check.diff.after'
 
 - name: remove the same host
@@ -156,27 +156,203 @@
     name: example.org
     key: "{{ example_org_rsa_key }}"
     state: absent
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   register: result
 
 - name: get the file content
-  shell: cat "{{output_dir|expanduser}}/known_hosts"
+  command: "cat {{output_dir}}/known_hosts"
   register: known_hosts_v4
 
 - name: assert that no changes happened
   assert:
     that:
-    - 'not result.changed'
+    - 'result is not changed'
     - 'result.diff.before == result.diff.after'
     - 'known_hosts_v3.stdout == known_hosts_v4.stdout'
 
+# test addition as hashed_host
+
+- name: add a new hashed host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+    hash_host: yes
+  register: result
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v5
+
+- name: assert that the key was added and ordering preserved
+  assert:
+    that:
+    - 'result is changed'
+    - 'known_hosts_v5.stdout_lines[0].startswith("example.com")'
+    - 'known_hosts_v5.stdout_lines[4].startswith("# example.net")'
+    - 'known_hosts_v5.stdout_lines[-1].strip().startswith("|1|")'
+    - 'known_hosts_v5.stdout_lines[-1].strip().endswith(example_org_rsa_key.strip().split()[-1])'
+
+# test idempotence of hashed addition
+
+- name: add the same host hashed
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+    hash_host: yes
+  register: result
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v6
+
+- name: assert that no changes happened
+  assert:
+    that:
+    - 'result is not changed'
+    - 'result.diff.before == result.diff.after'
+    - 'known_hosts_v5.stdout == known_hosts_v6.stdout'
+
+# test hashed removal
+
+- name: remove the hashed host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: absent
+    path: "{{output_dir}}/known_hosts"
+  register: result
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v7
+
+- name: assert that the key was removed and ordering preserved
+  assert:
+    that:
+    - 'result is changed'
+    - 'example_org_rsa_key.strip().split()[-1] not in known_hosts_v7.stdout'
+    - 'known_hosts_v7.stdout_lines[0].startswith("example.com")'
+    - 'known_hosts_v7.stdout_lines[-1].startswith("# example.net")'
+
+# test idempotence of removal
+
+- name: remove the same hashed host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: absent
+    path: "{{output_dir}}/known_hosts"
+  register: result
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v8
+
+- name: assert that no changes happened
+  assert:
+    that:
+    - 'result is not changed'
+    - 'result.diff.before == result.diff.after'
+    - 'known_hosts_v7.stdout == known_hosts_v8.stdout'
+
+# test roundtrip plaintext => hashed => plaintext
+# The assertions are rather relaxed, because most of this hash been tested previously
+
+- name: add a new host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v8
+
+- name: assert the plaintext host is there
+  assert:
+    that:
+      - 'known_hosts_v8.stdout_lines[-1].strip() == example_org_rsa_key.strip()'
+
+- name: update the host to hashed mode
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+    hash_host: true
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v9
+
+- name: assert the hashed host is there
+  assert:
+    that:
+      - 'known_hosts_v9.stdout_lines[-1].strip().startswith("|1|")'
+      - 'known_hosts_v9.stdout_lines[-1].strip().endswith(example_org_rsa_key.strip().split()[-1])'
+
+- name: downgrade the host to plaintext mode
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v10
+
+- name: assert the plaintext host is there
+  assert:
+    that:
+      - 'known_hosts_v10.stdout_lines[5].strip() == example_org_rsa_key.strip()'
+
+# ... and remove the host again for the next test
+
+- name: copy an existing file in place
+  copy:
+    src: existing_known_hosts
+    dest: "{{ output_dir }}/known_hosts"
+
+# Test key changes
+
+- name: add a hashed host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+    hash_host: true
+
+- name: change the key of a hashed host
+  known_hosts:
+    name: example.org
+    key: "{{ example_org_rsa_key.strip()[:-7] + 'RANDOM=' }}"
+    state: present
+    path: "{{output_dir}}/known_hosts"
+    hash_host: true
+
+- name: get the file content
+  command: "cat {{output_dir}}/known_hosts"
+  register: known_hosts_v11
+
+- name: assert the change took place and the key got modified
+  assert:
+    that:
+      - 'known_hosts_v11.stdout_lines[-1].strip().endswith("RANDOM=")'
+
 # test errors
 
 - name: Try using a comma separated list of hosts
   known_hosts:
     name: example.org,acme.com
     key: "{{ example_org_rsa_key }}"
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   ignore_errors: yes
   register: result
 
@@ -190,7 +366,7 @@
   known_hosts:
     name: example.com
     key: "{{ example_org_rsa_key }}"
-    path: "{{output_dir|expanduser}}/known_hosts"
+    path: "{{output_dir}}/known_hosts"
   ignore_errors: yes
   register: result