Merge branch 'Add-option-to-not-check-the-host-key-of-a-repo' into 'master'

Add the option to not check the host key of a repo Closes #1 See merge request !2

Merge branch 'Add-option-to-not-check-the-host-key-of-a-repo' into 'master'
733a28be · Steve Ison · a40b5940 · c45dbbbc · 733a28be · 733a28be
Commit 733a28be authored 5 years ago by Steve Ison
--- a/ansibleroles.example.yaml
+++ b/ansibleroles.example.yaml
@@ -5,10 +5,15 @@

 - name: DevOps Division Common Roles
  git:
-    repo: https://gitlab.developers.cam.ac.uk/uis/devops/infra/ansible-roles.git
+    repo: git@gitlab.developers.cam.ac.uk:uis/devops/infra/ansible-roles.git

    # Optional path within repo containing roles
    path: /roles

    # One can also specify a particular ref to clone
    # ref: master
+
+    host_keys:
+        - 'gitlab.developers.cam.ac.uk,35.230.144.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNW2DQ/ifQg+V4PM7GXDGMBeVnmMzyBMDhlnYWRDXbIUgU0Gj73tv2LwoaX4zoP3EFduA3Rk13mTdaY7YOSO7eA='
+        - 'gitlab.developers.cam.ac.uk,35.230.144.41 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmDcutPIDJ/wj4Ya5KW13xtdQl/sNo3twd6SUdzXxrU'
+        - 'gitlab.developers.cam.ac.uk,35.230.144.41 AAAAB3NzaC1yc2EAAAADAQABAAABAQDTTWi24llbLd1fkDVd9nveXoqwDBsSuTSErhASxyMn/WseIp3QCT5L93006dZKBM0gq+GgYuz2skZfbbPAZRQrSQH5mg/lpFM2S1aLwns26pSC9J8eC6DAxtM5jNM0UCqF+2+RpLHxvMIOOaozPmfdHgmS5X/0gzViM/R1Omlaf771ER2225HsKC1QKJgBPyl0vPHfHNj9mwAUcyPF+cCl6KyvMnWKsuBSh/ej3S4LF3GX8cJ1ZIUdlNVYToDhwarAqQ8wgZI1cS3ftAxR7fpFr1vGUuKLzcvPvyc6BIgqTUTvSKgTQNK1yEtHnnGmybWNxKn2EUCuX95F14I+xb8r'
--- a/ansibleroles/config.py
+++ b/ansibleroles/config.py
@@ -117,5 +117,6 @@ def _load_git_source(source_dict):
        type='git',
        repo=repo,
        path=path,
-        ref=source_dict.get('ref')
+        ref=source_dict.get('ref'),
+        host_keys=source_dict.get('host_keys')
    )
--- a/ansibleroles/gitsource.py
+++ b/ansibleroles/gitsource.py
@@ -29,6 +29,9 @@ class GitRoleSource(RoleSource):
    #: repository's HEAD.
    ref: typing.Optional[str]

+    # Host keys to trust for this repo server
+    host_keys: typing.Optional[typing.List[str]]
+
    def materialise(self, directory):
        # Clone this repository to a temporary directory
        with tempfile.TemporaryDirectory(suffix='-clone') as tmp_dir:
@@ -38,12 +41,26 @@ class GitRoleSource(RoleSource):

            # Construct arguments to git clone
            kwargs = {}
+            ssh_cmd = 'ssh'
            if self.ref is not None:
                kwargs['branch'] = self.ref

+            tmp_key_file = None
+            if self.host_keys:
+                tmp_key_file = tempfile.NamedTemporaryFile(suffix='-host-keys', mode='w+')
+                for key in self.host_keys:
+                    key = key.replace('#', '')
+                    key = key.strip()
+                    print(key, file=tmp_key_file)
+                ssh_cmd += f' -o UserKnownHostsFile="{tmp_key_file.name}"'
+                tmp_key_file.seek(0)
+
+            kwargs['env'] = dict(GIT_SSH_COMMAND=ssh_cmd)
            # Shallow clone the repo
            clone = git.Repo.clone_from(self.repo, tmp_dir, depth=1, **kwargs)

+            if tmp_key_file is not None:
+                tmp_key_file.close()
            # Check the roles directory exists
            if not os.path.isdir(roles_path):
                raise RuntimeError(f'Path "{self.path}" does not exist in repo')

--- a/ansibleroles/tests/test_gitsource.py
+++ b/ansibleroles/tests/test_gitsource.py
@@ -18,7 +18,8 @@ class TestGitMaterialise(unittest.TestCase):

        # Create a source pointing to the test repo
        self.source = gitsource.GitRoleSource(
-            name='Testing', type='git', repo=f'file://{self.repo.git_dir}', path='/', ref=None)
+            name='Testing', type='git', repo=f'file://{self.repo.git_dir}',
+            path='/', ref=None, host_keys={})

        # Create a temporary directory for materialising into
        self.temp_dir = tempfile.mkdtemp()