1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

replace inline clear password by environment variable (#2177)

* replace inline clear password by environment variable on a per-command basis.

* add changelog fragment
* update related unit tests

* Update changelogs/fragments/2177-java_keystore_1668_dont_expose_secrets_on_cmdline.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix unit test: force result without lambda

Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
quidame 2021-04-05 16:37:13 +02:00 committed by GitHub
parent d2070277e8
commit eb851d4208
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 11 deletions

View file

@ -0,0 +1,4 @@
---
security_fixes:
- "java_keystore - pass secret to keytool through an environment variable to not expose it as a
commandline argument (https://github.com/ansible-collections/community.general/issues/1668)."

View file

@ -146,8 +146,9 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):
def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
stored_certificate_fingerprint_cmd = [keytool_bin, "-list", "-alias", alias, "-keystore", keystore_path, "-storepass", keystore_password, "-v"]
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
stored_certificate_fingerprint_cmd = [keytool_bin, "-list", "-alias", alias, "-keystore", keystore_path, "-storepass:env", "STOREPASS", "-v"]
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(
module, stored_certificate_fingerprint_cmd, environ_update=dict(STOREPASS=keystore_password))
if rc != 0:
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
return module.fail_json(msg=stored_certificate_fingerprint_out,
@ -168,8 +169,8 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
return stored_certificate_match.group(1)
def run_commands(module, cmd, data=None, check_rc=True):
return module.run_command(cmd, check_rc=check_rc, data=data)
def run_commands(module, cmd, data=None, environ_update=None, check_rc=True):
return module.run_command(cmd, check_rc=check_rc, data=data, environ_update=environ_update)
def create_path():
@ -236,10 +237,12 @@ def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password,
"-srckeystore", keystore_p12_path,
"-srcstoretype", "pkcs12",
"-alias", name,
"-deststorepass", password,
"-srcstorepass", password,
"-deststorepass:env", "STOREPASS",
"-srcstorepass:env", "STOREPASS",
"-noprompt"]
(rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd, data=None)
(rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd, data=None,
environ_update=dict(STOREPASS=password))
if rc == 0:
update_jks_perm(module, keystore_path)
return module.exit_json(changed=True,

View file

@ -71,14 +71,14 @@ class TestCreateJavaKeystore(ModuleTestCase):
with patch('os.remove', return_value=True):
self.create_path.side_effect = ['/tmp/tmpgrzm2ah7']
self.create_file.side_effect = ['/tmp/etacifitrec', '/tmp/yek_etavirp']
self.run_commands.side_effect = lambda module, cmd, data: (0, '', '')
self.run_commands.side_effect = [(0, '', ''), (0, '', '')]
create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
module.exit_json.assert_called_once_with(
changed=True,
cmd=["keytool", "-importkeystore",
"-destkeystore", "/path/to/keystore.jks",
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
"-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
"-deststorepass:env", "STOREPASS", "-srcstorepass:env", "STOREPASS", "-noprompt"],
msg='',
rc=0,
stdout_lines=''
@ -173,7 +173,7 @@ class TestCreateJavaKeystore(ModuleTestCase):
cmd=["keytool", "-importkeystore",
"-destkeystore", "/path/to/keystore.jks",
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
"-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
"-deststorepass:env", "STOREPASS", "-srcstorepass:env", "STOREPASS", "-noprompt"],
msg='',
rc=1
)
@ -306,7 +306,7 @@ class TestCertChanged(ModuleTestCase):
self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
module.fail_json.assert_called_with(
cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass", "changeit", "-v"],
cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass:env", "STOREPASS", "-v"],
msg='',
err='Oops',
rc=1