From 721de9f10a02fd0bd4be73b125cbc02644104db8 Mon Sep 17 00:00:00 2001
From: Chris Meyers
Date: Tue, 3 Jan 2017 16:17:52 -0500
Subject: [PATCH] pass network ssh key via an env var, not ssh-agent
---
awx/main/tasks.py | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 06a5288d6e..dc5b4fb77e 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -374,9 +374,12 @@ class BaseTask(Task):
data += '\n'
# For credentials used with ssh-add, write to a named pipe which
# will be read then closed, instead of leaving the SSH key on disk.
- if name in ('credential', 'network_credential', 'scm_credential', 'ad_hoc_credential') and not ssh_too_old:
+ if name in ('credential', 'scm_credential', 'ad_hoc_credential') and not ssh_too_old:
path = os.path.join(kwargs.get('private_data_dir', tempfile.gettempdir()), name)
self.open_fifo_write(path, data)
+ # Ansible network modules do not yet support ssh-agent.
+ # Instead, ssh private key file is explicitly passed via an
+ # env variable.
else:
handle, path = tempfile.mkstemp(dir=kwargs.get('private_data_dir', None))
f = os.fdopen(handle, 'w')
@@ -875,6 +878,10 @@ class RunJob(BaseTask):
env['ANSIBLE_NET_USERNAME'] = network_cred.username
env['ANSIBLE_NET_PASSWORD'] = decrypt_field(network_cred, 'password')
+ ssh_keyfile = kwargs.get('private_data_files', {}).get('network_credential', '')
+ if ssh_keyfile:
+ env['ANSIBLE_NET_SSH_KEYFILE'] = ssh_keyfile
+
authorize = network_cred.authorize
env['ANSIBLE_NET_AUTHORIZE'] = unicode(int(authorize))
if authorize:
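Review bot: Dropping 'network_credential' from the FIFO tuple sends the network key down the `else:` branch into a regular file created by `tempfile.mkstemp`, which is precisely the "SSH key on disk" exposure the comment two lines above says the named pipe exists to avoid; the three new comment lines that explain this are placed inside the FIFO branch after `self.open_fifo_write`, where they read as describing the wrong branch. Move them to directly follow `else:` and state the trade-off, e.g. `# Network credential keys go to a regular file: Ansible network modules cannot use` / `# ssh-agent, so build_env hands the path over via ANSIBLE_NET_SSH_KEYFILE and the key` / `# stays on disk until private_data_dir is cleaned up.` mkstemp does create the file 0600, but nothing in this hunk bounds the file's lifetime, so the private_data_dir cleanup (not visible here) is now the only thing limiting how long the key material sits on disk. The enclosing function starts and ends outside the hunk.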
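Review bot: `env['ANSIBLE_NET_SSH_KEYFILE'] = ssh_keyfile` hands the module a raw key file with no provision for an encrypted key: the ssh-agent path this replaces could satisfy an ssh-add passphrase prompt, whereas a module reading the file directly has nowhere to receive an unlock passphrase, so a network credential carrying a passphrase-protected key (if the credential model allows one — not visible in this hunk) would presumably fail or hang inside the module. Either reject such credentials at validation or document the limitation beside the new lines: `# Passphrase-protected keys are not supported here: the module reads the file` / `# directly and there is no agent to unlock it.`. The path is also only meaningful if the spawned process can see private_data_dir, which matters when proot isolation is in use; that is decided elsewhere. The enclosing method starts and ends outside the hunk.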
@@ -1037,8 +1044,15 @@ class RunJob(BaseTask):
private_data_files = kwargs.get('private_data_files', {})
if 'credential' in private_data_files:
return private_data_files.get('credential')
- elif 'network_credential' in private_data_files:
- return private_data_files.get('network_credential')
+ '''
+ Note: Don't inject network ssh key data into ssh-agent for network
+ credentials because the ansible modules no not yet support it.
+ We will want to add back in support when/if Ansible network modules
+ support this.
+ '''
+ #elif 'network_credential' in private_data_files:
+ # return private_data_files.get('network_credential')
+
return ''
def should_use_proot(self, instance, **kwargs):
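Review bot: The removed `elif` is replaced by a bare triple-quoted string statement in the function body plus two commented-out code lines; the string is not a docstring in that position (it is an evaluated-and-discarded expression), and the commented-out branch is already preserved by git history, so both should be collapsed into one `#` comment, which also fixes the typo "no not yet". Suggested: `# Network credential keys are deliberately not loaded into ssh-agent: Ansible` / `# network modules don't support it, so build_env passes the file path via` / `# ANSIBLE_NET_SSH_KEYFILE instead. Revisit if the modules gain agent support.` The `def get_ssh_key_path` line and its docstring are above the hunk, so the method is only partly visible here.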