From 96bdcbe90c44903fefcf526f9536b2ff5b4d516e Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Tue, 3 Dec 2019 20:13:44 +0100
Subject: openssh_keypair: fix idempotence issue (#65017) (#65127)
* Fix idempotence issue.
* Add changelog.
(cherry picked from commit b36f57225665de07c31d6affac541adc12207040)
---
 changelogs/fragments/65017-openssh_keypair-idempotence.yml | 2 ++
 lib/ansible/modules/crypto/openssh_keypair.py | 8 +++-----
 test/integration/targets/openssh_keypair/tasks/main.yml | 5 +++++
 test/integration/targets/openssh_keypair/tests/validate.yml | 5 +++++
 4 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/65017-openssh_keypair-idempotence.yml
diff --git a/changelogs/fragments/65017-openssh_keypair-idempotence.yml b/changelogs/fragments/65017-openssh_keypair-idempotence.yml
new file mode 100644
index 0000000000..411b714982
--- /dev/null
+++ b/changelogs/fragments/65017-openssh_keypair-idempotence.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "openssh_keypair - fixes idempotence issue with public key (https://github.com/ansible/ansible/issues/64969)."
diff --git a/lib/ansible/modules/crypto/openssh_keypair.py b/lib/ansible/modules/crypto/openssh_keypair.py
index 152c087f50..66f23c4170 100644
--- a/lib/ansible/modules/crypto/openssh_keypair.py
+++ b/lib/ansible/modules/crypto/openssh_keypair.py
@@ -272,8 +272,7 @@ class Keypair(object):
 else:
 return False
- def _parse_pubkey():
- pubkey_content = _get_pubkey_content()
+ def _parse_pubkey(pubkey_content):
 if pubkey_content:
 parts = pubkey_content.split(' ', 2)
 return parts[0], parts[1], '' if len(parts) <= 2 else parts[2]
@@ -281,8 +280,7 @@ class Keypair(object):
 def _pubkey_valid(pubkey):
 if pubkey_parts:
- current_pubkey = ' '.join([pubkey_parts[0], pubkey_parts[1]])
- return current_pubkey == pubkey
+ return pubkey_parts[:2] == _parse_pubkey(pubkey)[:2]
 return False
 def _comment_valid():
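Review bot: `_parse_pubkey` indexes `parts[1]` without checking that the split produced two fields, so a truncated or hand-edited `.pub` file holding a single token raises IndexError instead of being treated as a key that does not match. Now that the function takes its input as an argument and is also fed the `ssh-keygen -y` output, a guard is worth adding: `parts = pubkey_content.split(None, 2)` followed by an `if len(parts) < 2:` branch that returns the same not-parsed value as the function's fall-through, which sits on a line outside this hunk. Splitting on any whitespace also keeps a doubled space from producing an empty key field.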
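Review bot: `_parse_pubkey(pubkey)[:2]` in `_pubkey_valid` slices the parser's result unconditionally, but the parser returns a tuple only when its argument is non-empty. When `ssh-keygen -y` prints nothing, the fall-through value is sliced instead; that return is on a line outside the hunk, and if it is `False` or `None` this raises TypeError rather than returning False. Parsing once and testing the result avoids that: `derived = _parse_pubkey(pubkey)` then `return bool(derived) and pubkey_parts[:2] == derived[:2]`. A one-line comment stating that only key type and key data are compared, and the comment field is deliberately ignored, would document why the comparison was loosened.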
@@ -292,7 +290,7 @@ class Keypair(object):
 pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
 pubkey = pubkey[1].strip('\n')
- pubkey_parts = _parse_pubkey()
+ pubkey_parts = _parse_pubkey(_get_pubkey_content())
 if _pubkey_valid(pubkey):
 self.public_key = pubkey
diff --git a/test/integration/targets/openssh_keypair/tasks/main.yml b/test/integration/targets/openssh_keypair/tasks/main.yml
index 529f4334c0..62850ca8a5 100644
--- a/test/integration/targets/openssh_keypair/tasks/main.yml
+++ b/test/integration/targets/openssh_keypair/tasks/main.yml
@@ -4,6 +4,11 @@
 path: '{{ output_dir }}/privatekey1'
 register: privatekey1_result
+- name: Generate privatekey1 - standard (idempotent)
+ openssh_keypair:
+ path: '{{ output_dir }}/privatekey1'
+ register: privatekey1_idem_result
+
 - name: Generate privatekey2 - size 2048
 openssh_keypair:
 path: '{{ output_dir }}/privatekey2'
diff --git a/test/integration/targets/openssh_keypair/tests/validate.yml b/test/integration/targets/openssh_keypair/tests/validate.yml
index 93899e8017..57bb909dff 100644
--- a/test/integration/targets/openssh_keypair/tests/validate.yml
+++ b/test/integration/targets/openssh_keypair/tests/validate.yml
@@ -38,6 +38,11 @@
 that:
 - privatekey1.stdout == '4096'
+- name: Validate privatekey1 idempotence
+ assert:
+ that:
+ - privatekey1_idem_result is not changed
+
 - name: Validate privatekey2 (test - RSA key with size 2048 bits)
 shell: "ssh-keygen -lf {{ output_dir }}/privatekey2 | grep -o -E '^[0-9]+'"
--
cgit v1.2.1
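Review bot: The exit status of `ssh-keygen -yf` is discarded on the context lines of this hunk: only `pubkey[1]` (stdout) is kept, so a private key that cannot be read or decoded yields an empty string that is then passed to `_pubkey_valid`. Unpacking the result as `rc, out, err = module.run_command(...)` and treating `rc != 0` as "key pair not valid" (or failing with `err`) before any parsing would make that failure explicit. If a check earlier in the method, outside this hunk, already guarantees the key is readable, a short comment saying so would be enough.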
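Review bot: The added task and its assertion in `validate.yml` cover only the positive case, where a second run on an unchanged key pair reports no change. Because the module now compares just key type and key data and ignores the comment, a negative case would confirm the check was not loosened too far: replace `privatekey1.pub` with the public half of a different pair, rerun the task, and assert the result `is changed`. A run with an explicit `comment:` would also exercise the comment path, if the suite does not already have one outside these hunks.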