made accelerate keys directory configurable, and permissions for the file and…

made accelerate keys directory configurable, and permissions for the file and dir configurable, and gave them a safe default

made accelerate keys directory configurable, and permissions for the file and…
made accelerate keys directory configurable, and permissions for the file and dir configurable, and gave them a safe default
4adc0775 · xyrix · James Cammarata · 45dde5b3 · 4adc0775 · 4adc0775
Commit 4adc0775 authored Feb 06, 2014 by xyrix Committed by James Cammarata Feb 12, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

lib/ansible/constants.py
+3 -0

lib/ansible/utils/__init__.py
+7 -3

No files found.
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -151,6 +151,9 @@ ZEROMQ_PORT                    = get_config(p, 'fireball_connection', 'zeromq_po
 ACCELERATE_PORT                = get_config(p, 'accelerate', 'accelerate_port', 'ACCELERATE_PORT', 5099, integer=True)
 ACCELERATE_TIMEOUT             = get_config(p, 'accelerate', 'accelerate_timeout', 'ACCELERATE_TIMEOUT', 30, integer=True)
 ACCELERATE_CONNECT_TIMEOUT     = get_config(p, 'accelerate', 'accelerate_connect_timeout', 'ACCELERATE_CONNECT_TIMEOUT', 1.0, floating=True)
+ACCELERATE_KEYS_DIR            = get_config(p, 'accelerate', 'accelerate_keys_dir', 'ACCELERATE_KEYS_DIR', '~/.fireball.keys')
+ACCELERATE_KEYS_DIR_PERMS      = get_config(p, 'accelerate', 'accelerate_keys_dir_perms', 'ACCELERATE_KEYS_DIR_PERMS', '700')
+ACCELERATE_KEYS_FILE_PERMS     = get_config(p, 'accelerate', 'accelerate_keys_file_perms', 'ACCELERATE_KEYS_FILE_PERMS', '600')
 PARAMIKO_PTY                   = get_config(p, 'paramiko_connection', 'pty', 'ANSIBLE_PARAMIKO_PTY', True, boolean=True)

 # characters included in auto-generated passwords

--- a/lib/ansible/utils/__init__.py
+++ b/lib/ansible/utils/__init__.py
@@ -87,15 +87,19 @@ def key_for_hostname(hostname):
    if not KEYCZAR_AVAILABLE:
        raise errors.AnsibleError("python-keyczar must be installed on the control machine to use accelerated modes")

-    key_path = os.path.expanduser("~/.fireball.keys")
+    key_path = os.path.expanduser(C.ACCELERATE_KEYS_DIR)
    if not os.path.exists(key_path):
        os.makedirs(key_path)
-    key_path = os.path.expanduser("~/.fireball.keys/%s" % hostname)
+    elif not os.path.isdir(key_path):
+        raise errors.AnsibleError('ACCELERATE_KEYS_DIR is not a directory.')
+    os.chmod(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8))
+    key_path = os.path.join(key_path, hostname)

    # use new AES keys every 2 hours, which means fireball must not allow running for longer either
    if not os.path.exists(key_path) or (time.time() - os.path.getmtime(key_path) > 60*60*2):
        key = AesKey.Generate()
-        fh = open(key_path, "w")
+        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT, int(C.ACCELERATE_KEYS_FILE_PERMS, 8))
+        fh = os.fdopen(fd, 'w')
        fh.write(str(key))
        fh.close()
        return key