openssl_*: proper mode support (#54085)

* Add write helper. * Adjust modules (except openssl_certificate). * Adding tests for mode (with openssl_privatekey). * Add openssl_certificate support. * Never, ever remove the output file before actually trying to generate new content for it. Removal is only allowed when state=absent, or when the object has been regenerated and the result needs to be written to that place. * Add changelog. * Extend test.
2026-05-07 22:02:50 +00:00 · 2019-03-25 14:20:53 +01:00
parent 9c355e5c52
commit d7a273273a
9 changed files with 109 additions and 85 deletions
--- a/lib/ansible/module_utils/crypto.py
+++ b/lib/ansible/module_utils/crypto.py
@@ -40,6 +40,7 @@ import errno
 import hashlib
 import os
 import re
+import tempfile

 from ansible.module_utils import six
 from ansible.module_utils._text import to_bytes, to_text
@@ -235,6 +236,49 @@ def select_message_digest(digest_string):
    return digest


+def write_file(module, content, default_mode=None):
+    '''
+    Writes content into destination file as securely as possible.
+    Uses file arguments from module.
+    '''
+    # Find out parameters for file
+    file_args = module.load_file_common_arguments(module.params)
+    if file_args['mode'] is None:
+        file_args['mode'] = default_mode
+    # Create tempfile name
+    tmp_fd, tmp_name = tempfile.mkstemp(prefix=b'.ansible_tmp')
+    try:
+        os.close(tmp_fd)
+    except Exception as dummy:
+        pass
+    module.add_cleanup_file(tmp_name)  # if we fail, let Ansible try to remove the file
+    try:
+        try:
+            # Create tempfile
+            file = os.open(tmp_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+            os.write(file, content)
+            os.close(file)
+        except Exception as e:
+            try:
+                os.remove(tmp_name)
+            except Exception as dummy:
+                pass
+            module.fail_json(msg='Error while writing result into temporary file: {0}'.format(e))
+        # Update destination to wanted permissions
+        if os.path.exists(file_args['path']):
+            module.set_fs_attributes_if_different(file_args, False)
+        # Move tempfile to final destination
+        module.atomic_move(tmp_name, file_args['path'])
+        # Try to update permissions again
+        module.set_fs_attributes_if_different(file_args, False)
+    except Exception as e:
+        try:
+            os.remove(tmp_name)
+        except Exception as dummy:
+            pass
+        module.fail_json(msg='Error while writing result: {0}'.format(e))
+
+
@six.add_metaclass(abc.ABCMeta)
 class OpenSSLObject(object):