From d45b74f42d9508b4b5f02c38abd342d708bfba5e Mon Sep 17 00:00:00 2001
From: Scott Rubin
Date: Sun, 4 Apr 2021 14:51:37 -0400
Subject: [PATCH] Add support for SSH Host Key Checking

By default it seems that SSH host key checking has been disabled. This patch makes it optional. If a variable named known_hosts is passed in, the key checking will be enabled. The variable should contain the complete contents of the known_hosts file, which must contain the public key(s) of the host(s) in the inventory.
---
 .github/workflows/test.yml | 4 ++++
 action.yml | 3 +++
 main.js | 22 ++++++++++++++++++++--
 post.js | 5 +++++
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index db8c0c3..60037a6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -65,11 +65,15 @@ jobs:
 Subsystem sftp /usr/lib/openssh/sftp-server
 EOF
 sudo systemctl restart sshd
+ echo 'SSH_KNOWN_HOSTS<> $GITHUB_ENV
+ echo $(ssh-keyscan localhost) >> $GITHUB_ENV
+ echo 'EOF' >> $GITHUB_ENV
 - name: With everything
 uses: ./
 with:
 playbook: playbook.yml
 key: ${{env.SSH_PRIVATE_KEY}}
+ known_hosts: ${{env.SSH_KNOWN_HOSTS}}
 directory: test
 vault_password: test
 requirements: requirements.yml
diff --git a/action.yml b/action.yml
index 9a95cb0..9766694 100644
--- a/action.yml
+++ b/action.yml
@@ -22,6 +22,9 @@ inputs:
 vault_password:
 description: The password used for decrypting vaulted files
 required: false
+ known_hosts:
+ description: Contents of SSH known_hosts file
+ required: false
 options:
 description: Extra options that should be passed to ansible-playbook command
 required: false
diff --git a/main.js b/main.js
index c17356c..1789e5e 100644
--- a/main.js
+++ b/main.js
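Review bot: `echo $(ssh-keyscan localhost) >> $GITHUB_ENV` word-splits the unquoted substitution, so the several entries ssh-keyscan prints (one per host-key type) are flattened onto one line; a known_hosts parser reads only the first `host type key` triple and treats the rest as a trailing comment, and the step presumably still passes only because ssh prefers a host-key algorithm it already has an entry for. Write the scanner output through unmodified: `ssh-keyscan localhost >> $GITHUB_ENV`. The heredoc opener on the first added line reads `SSH_KNOWN_HOSTS<>` in this rendering, which looks like an extraction artefact of `echo 'SSH_KNOWN_HOSTS<<EOF' >> $GITHUB_ENV` and is worth confirming against the real file. The run step these lines belong to starts before the hunk.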
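Review bot: The `known_hosts` description omits the side effect the commit message itself describes — that supplying it switches SSH host key checking on and every inventory host then needs a matching entry — so a user reading only the action inputs will not know a missing key fails the run. I would expand it to `description: Contents of an SSH known_hosts file. When set, SSH host key checking is enabled and every host in the inventory must have a matching entry.`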
@@ -12,6 +12,7 @@ async function main() {
 const key = core.getInput("key")
 const inventory = core.getInput("inventory")
 const vaultPassword = core.getInput("vault_password")
+ const knownHosts = core.getInput("known_hosts")
 const options = core.getInput("options")
 let cmd = ["ansible-playbook", playbook]
@@ -63,10 +64,27 @@ async function main() {
 cmd.push(vaultPasswordFile)
 }
- process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+ if (knownHosts) {
+ const knownHostsFile = ".ansible_known_hosts"
+ fs.writeFileSync(knownHostsFile, knownHosts, { mode: 0600 })
+ core.saveState("knownHostsFile", knownHostsFile)
+ let known_hosts_param = [
+ "--ssh-common-args=",
+ "\"",
+ "-o UserKnownHostsFile=",
+ knownHostsFile,
+ "\""
+ ].join('')
+ cmd.push(known_hosts_param)
+ process.env.ANSIBLE_HOST_KEY_CHECKING = "True"
+ } else {
+ process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+ }
+
 process.env.ANSIBLE_FORCE_COLOR = "True"
- await exec.exec(cmd.join(" "))
+ await exec.exec(cmd.join(' '))
+
 } catch (error) {
 core.setFailed(error.message)
 }
diff --git a/post.js b/post.js
index 0c149e2..281881b 100644
--- a/post.js
+++ b/post.js
@@ -14,6 +14,7 @@ async function main() {
 const keyFile = core.getState("keyFile")
 const inventoryFile = core.getState("inventoryFile")
 const vaultPasswordFile = core.getState("vaultPasswordFile")
+ const knownHostsFile = core.getState("knownHostsFile")
 if (directory)
 process.chdir(directory)
@@ -26,6 +27,10 @@ async function main() {
 if (vaultPasswordFile)
 rm(vaultPasswordFile)
+
+ if (knownHostsFile)
+ rm(knownHostsFile)
+
 } catch (error) {
 core.setFailed(error.message)
 }
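Review bot: The enforcement added under `if (knownHosts)` rests solely on `-o UserKnownHostsFile=`; ssh's `StrictHostKeyChecking` is left at its default, and because `--ssh-common-args` is a single Ansible option that is replaced rather than merged, an `ansible_ssh_common_args` inventory variable (which, to my understanding, outranks command-line options in Ansible's precedence) or a second `--ssh-common-args` arriving through `options` would drop this flag and send ssh back to the runner's own known_hosts. I would make it fail closed and state the caveat: change the array element to `"-o UserKnownHostsFile=", knownHostsFile, " -o StrictHostKeyChecking=yes",` and put `// NOTE: ansible_ssh_common_args in the inventory overrides this flag; host keys must then be supplied there` above the array. The literal `\"` elements work only because `exec.exec(cmd.join(' '))` hands @actions/exec a command line to re-parse, and `.ansible_known_hosts` is relative, so it presumably resolves only because the ssh processes Ansible spawns inherit the action's working directory; an argv-array call and an absolute path (`path.resolve`, if `path` is required at the top) would remove both assumptions. `0600` is a legacy octal literal that strict mode rejects; `0o600` is the modern spelling. `main()` and its enclosing try block start before the hunk.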