1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Lookup password omit salt (#16361)

* Lookup unencrypted password must not include salt
* Integration test lookup: remove previous directory
* Test that lookup password doesn't return salt
* Lookup password: test behavior with empty encrypt parameter

Closes #16189
This commit is contained in:
Pilou 2016-06-27 19:44:25 +02:00 committed by Matt Clay
parent 7ba71fc2d2
commit b361bf90d7
2 changed files with 71 additions and 19 deletions

View file

@ -137,25 +137,23 @@ class LookupModule(LookupBase):
password = content
salt = None
if params['encrypt'] is not None:
try:
sep = content.rindex(' ')
except ValueError:
# No salt
pass
else:
salt_field = content[sep + 1:]
if salt_field.startswith('salt='):
password = content[:sep]
salt = salt_field[len('salt='):]
try:
sep = content.rindex(' salt=')
except ValueError:
# No salt
pass
else:
salt = password[sep + len(' salt='):]
password = content[:sep]
if params['encrypt'] is not None and salt is None:
# crypt requested, add salt if missing
if not salt:
salt = self.random_salt()
content = '%s salt=%s' % (password, salt)
with open(path, 'w') as f:
os.chmod(path, 0o600)
f.write(content + '\n')
salt = self.random_salt()
content = '%s salt=%s' % (password, salt)
with open(path, 'w') as f:
os.chmod(path, 0o600)
f.write(content + '\n')
if params['encrypt']:
password = do_encrypt(password, params['encrypt'], salt=salt)

View file

@ -35,10 +35,11 @@
# PASSWORD LOOKUP
- name: remove previous password files
file: dest={{output_dir}}/lookup/password state=absent
- name: remove previous password files and directory
file: dest={{item}} state=absent
with_items:
- "{{output_dir}}/lookup/password"
- "{{output_dir}}/lookup/password_with_salt"
- "{{output_dir}}/lookup"
- name: create a password file
@ -80,6 +81,59 @@
that:
- "wc_result.stdout == '9'"
- "cat_result.stdout == newpass"
- "' salt=' not in cat_result.stdout"
- name: fetch password from an existing file
set_fact:
pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
- name: read password (again)
shell: cat {{output_dir}}/lookup/password
register: cat_result2
- debug: var=cat_result2.stdout
- name: verify password (again)
assert:
that:
- "cat_result2.stdout == newpass"
- "' salt=' not in cat_result2.stdout"
- name: create a password (with salt) file
debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
- name: read password and salt
shell: cat {{output_dir}}/lookup/password_with_salt
register: cat_pass_salt
- debug: var=cat_pass_salt.stdout
- name: fetch unencrypted password
set_fact:
newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
- debug: var=newpass
- name: verify password and salt
assert:
that:
- "cat_pass_salt.stdout != newpass"
- "cat_pass_salt.stdout.startswith(newpass)"
- "' salt=' in cat_pass_salt.stdout"
- "' salt=' not in newpass"
- name: fetch unencrypted password (using empty encrypt parameter)
set_fact:
newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
- name: verify lookup password behavior
assert:
that:
- "newpass == newpass2"
# ENV LOOKUP