From b361bf90d70aa82b95150ab8222768f1b055b0bc Mon Sep 17 00:00:00 2001 From: Pilou Date: Mon, 27 Jun 2016 19:44:25 +0200 Subject: [PATCH] Lookup password omit salt (#16361) * Lookup unencrypted password must not include salt * Integration test lookup: remove previous directory * Test that lookup password doesn't return salt * Lookup password: test behavior with empty encrypt parameter Closes #16189 --- lib/ansible/plugins/lookup/password.py | 32 +++++----- .../roles/test_lookups/tasks/main.yml | 58 ++++++++++++++++++- 2 files changed, 71 insertions(+), 19 deletions(-) diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py index 9806788165..0776f73c24 100644 --- a/lib/ansible/plugins/lookup/password.py +++ b/lib/ansible/plugins/lookup/password.py @@ -137,25 +137,23 @@ class LookupModule(LookupBase): password = content salt = None - if params['encrypt'] is not None: - try: - sep = content.rindex(' ') - except ValueError: - # No salt - pass - else: - salt_field = content[sep + 1:] - if salt_field.startswith('salt='): - password = content[:sep] - salt = salt_field[len('salt='):] + try: + sep = content.rindex(' salt=') + except ValueError: + # No salt + pass + else: + salt = password[sep + len(' salt='):] + password = content[:sep] + + if params['encrypt'] is not None and salt is None: # crypt requested, add salt if missing - if not salt: - salt = self.random_salt() - content = '%s salt=%s' % (password, salt) - with open(path, 'w') as f: - os.chmod(path, 0o600) - f.write(content + '\n') + salt = self.random_salt() + content = '%s salt=%s' % (password, salt) + with open(path, 'w') as f: + os.chmod(path, 0o600) + f.write(content + '\n') if params['encrypt']: password = do_encrypt(password, params['encrypt'], salt=salt) diff --git a/test/integration/roles/test_lookups/tasks/main.yml b/test/integration/roles/test_lookups/tasks/main.yml index 72fa11be79..556f23e044 100644 --- a/test/integration/roles/test_lookups/tasks/main.yml +++ b/test/integration/roles/test_lookups/tasks/main.yml @@ -35,10 +35,11 @@ # PASSWORD LOOKUP -- name: remove previous password files - file: dest={{output_dir}}/lookup/password state=absent +- name: remove previous password files and directory + file: dest={{item}} state=absent with_items: - "{{output_dir}}/lookup/password" + - "{{output_dir}}/lookup/password_with_salt" - "{{output_dir}}/lookup" - name: create a password file @@ -80,6 +81,59 @@ that: - "wc_result.stdout == '9'" - "cat_result.stdout == newpass" + - "' salt=' not in cat_result.stdout" + +- name: fetch password from an existing file + set_fact: + pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}" + +- name: read password (again) + shell: cat {{output_dir}}/lookup/password + register: cat_result2 + +- debug: var=cat_result2.stdout + +- name: verify password (again) + assert: + that: + - "cat_result2.stdout == newpass" + - "' salt=' not in cat_result2.stdout" + + + +- name: create a password (with salt) file + debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }} + +- name: read password and salt + shell: cat {{output_dir}}/lookup/password_with_salt + register: cat_pass_salt + +- debug: var=cat_pass_salt.stdout + +- name: fetch unencrypted password + set_fact: + newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}" + +- debug: var=newpass + +- name: verify password and salt + assert: + that: + - "cat_pass_salt.stdout != newpass" + - "cat_pass_salt.stdout.startswith(newpass)" + - "' salt=' in cat_pass_salt.stdout" + - "' salt=' not in newpass" + + +- name: fetch unencrypted password (using empty encrypt parameter) + set_fact: + newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}" + +- name: verify lookup password behavior + assert: + that: + - "newpass == newpass2" + # ENV LOOKUP