salt.states.git.latest(): Prevent tracebacks when git ssh auth fails

This adds missing try/except blocks to ensure that a failed git ssh auth
doesn't cause a traceback.

It also adds information to the documentation for the "identity" param
which explains that passphrase-protected keys cannot be used unless Salt
is invoked using salt-call.
Erik Johnson 2016-02-04 05:07:44 -06:00
parent c961cf1c7d
commit 8909d430e1


@ -123,6 +123,20 @@ def _fail(ret, msg, comments=None):
return ret
def _failed_fetch(ret, exc, comments=None):
msg = (
'Fetch failed. Set \'force_fetch\' to True to force the fetch if the '
'failure was due to it being non-fast-forward. Output of the fetch '
'command follows:\n\n{0}'.format(_strip_exc(exc))
)
return _fail(ret, msg, comments)
def _failed_submodule_update(ret, exc, comments=None):
msg = 'Failed to update submodules: ' + _strip_exc(exc)
return _fail(ret, msg, comments)
def _not_fast_forward(ret, pre, post, branch, local_branch, comments):
return _fail(
ret,
@ -274,7 +288,42 @@ def latest(name,
with tags or revision IDs.
identity
A path on the minion server to a private key to use over SSH
Path to a private key to use for ssh URLs. This can be either a single
string, or a list of strings. For example:
.. code-block:: yaml
# Single key
git@github.com:user/repo.git:
git.latest:
- user: deployer
- identity: /home/deployer/.ssh/id_rsa
# Two keys
git@github.com:user/repo.git:
git.latest:
- user: deployer
- identity:
- /home/deployer/.ssh/id_rsa
- /home/deployer/.ssh/id_rsa_alternate
If multiple keys are specified, they will be tried one-by-one in order
for each git command which needs to authenticate.
.. warning::
Unless Salt is invoked from the minion using ``salt-call``, the
key(s) must be passphraseless. For greater security with
passphraseless private keys, see the `sshd(8)`_ manpage for
information on securing the keypair from the remote side in the
``authorized_keys`` file.
.. _`sshd(8)`: http://www.man7.org/linux/man-pages/man8/sshd.8.html#AUTHORIZED_KEYS_FILE%20FORMAT
.. versionchanged:: 2015.8.6
Salt will no longer attempt to use passphrase-protected keys unless
invoked from the minion using ``salt-call``, to prevent blocking
waiting for user input.
https_user
HTTP Basic Auth username for HTTPS (only) clones
@ -952,18 +1001,7 @@ def latest(name,
user=user,
identity=identity)
except CommandExecutionError as exc:
msg = 'Fetch failed'
if isinstance(exc, CommandExecutionError):
msg += (
'. Set \'force_fetch\' to True to force '
'the fetch if the failure was due to it '
'bein non-fast-forward. Output of the '
'fetch command follows:\n\n'
)
msg += _strip_exc(exc)
else:
msg += ':\n\n' + str(exc)
return _fail(ret, msg, comments)
return _failed_fetch(ret, exc, comments)
else:
if fetch_changes:
comments.append(
@ -1117,11 +1155,15 @@ def latest(name,
# TODO: Figure out how to add submodule update info to
# test=True return data, and changes dict.
if submodules:
__salt__['git.submodule'](target,
'update',
opts=['--init', '--recursive'],
user=user,
identity=identity)
try:
__salt__['git.submodule'](
target,
'update',
opts=['--init', '--recursive'],
user=user,
identity=identity)
except CommandExecutionError as exc:
return _failed_submodule_update(ret, exc, comments)
elif bare:
if __opts__['test']:
msg = (
@ -1141,18 +1183,7 @@ def latest(name,
user=user,
identity=identity)
except CommandExecutionError as exc:
msg = 'Fetch failed'
if isinstance(exc, CommandExecutionError):
msg += (
'. Set \'force_fetch\' to True to force '
'the fetch if the failure was due to it '
'bein non-fast-forward. Output of the '
'fetch command follows:\n\n'
)
msg += _strip_exc(exc)
else:
msg += ':\n\n' + str(exc)
return _fail(ret, msg, comments)
return _failed_fetch(ret, exc, comments)
else:
comments.append(
'Bare repository at {0} was fetched{1}'.format(
@ -1260,13 +1291,18 @@ def latest(name,
# We're cloning a fresh repo, there is no local branch or revision
local_branch = local_rev = None
__salt__['git.clone'](target,
name,
user=user,
opts=clone_opts,
identity=identity,
https_user=https_user,
https_pass=https_pass)
try:
__salt__['git.clone'](target,
name,
user=user,
opts=clone_opts,
identity=identity,
https_user=https_user,
https_pass=https_pass)
except CommandExecutionError as exc:
msg = 'Clone failed: {0}'.format(_strip_exc(exc))
return _fail(ret, msg, comments)
ret['changes']['new'] = name + ' => ' + target
comments.append(
'{0} cloned to {1}{2}'.format(
@ -1376,11 +1412,14 @@ def latest(name,
comments.append(upstream_action)
if submodules and remote_rev:
__salt__['git.submodule'](target,
'update',
opts=['--init', '--recursive'],
user=user,
identity=identity)
try:
__salt__['git.submodule'](target,
'update',
opts=['--init', '--recursive'],
user=user,
identity=identity)
except CommandExecutionError as exc:
return _failed_submodule_update(ret, exc, comments)
try:
new_rev = __salt__['git.revision'](
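Review bot: The new clone handler, `msg = 'Clone failed: {0}'.format(_strip_exc(exc))`, puts the git error text into the state's return data, and this is the one call here that is given `https_user` and `https_pass`. Neither `_strip_exc` nor the text raised by `git.clone` is visible on this page, so it should be confirmed that a failed clone cannot echo a URL with embedded credentials into the comment, which would then presumably travel with the job return. A comment above the `except` such as `# exc text is returned to the caller; git.clone must redact https_user/https_pass from it` would record that assumption. For consistency with `_failed_fetch` and `_failed_submodule_update`, the message could also move into a `_failed_clone(ret, exc, comments)` helper. latest() begins and ends outside these hunks.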