mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
replace inline clear password by environment variable (#2177)
* replace inline clear password by environment variable on a per-command basis. * add changelog fragment * update related unit tests * Update changelogs/fragments/2177-java_keystore_1668_dont_expose_secrets_on_cmdline.yml Co-authored-by: Felix Fontein <felix@fontein.de> * fix unit test: force result without lambda Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
d2070277e8
commit
eb851d4208
3 changed files with 18 additions and 11 deletions
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
security_fixes:
|
||||||
|
- "java_keystore - pass secret to keytool through an environment variable to not expose it as a
|
||||||
|
commandline argument (https://github.com/ansible-collections/community.general/issues/1668)."
|
|
@ -146,8 +146,9 @@ def read_certificate_fingerprint(module, openssl_bin, certificate_path):
|
||||||
|
|
||||||
|
|
||||||
def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
|
def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_path, keystore_password):
|
||||||
stored_certificate_fingerprint_cmd = [keytool_bin, "-list", "-alias", alias, "-keystore", keystore_path, "-storepass", keystore_password, "-v"]
|
stored_certificate_fingerprint_cmd = [keytool_bin, "-list", "-alias", alias, "-keystore", keystore_path, "-storepass:env", "STOREPASS", "-v"]
|
||||||
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(module, stored_certificate_fingerprint_cmd)
|
(rc, stored_certificate_fingerprint_out, stored_certificate_fingerprint_err) = run_commands(
|
||||||
|
module, stored_certificate_fingerprint_cmd, environ_update=dict(STOREPASS=keystore_password))
|
||||||
if rc != 0:
|
if rc != 0:
|
||||||
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
|
if "keytool error: java.lang.Exception: Alias <%s> does not exist" % alias not in stored_certificate_fingerprint_out:
|
||||||
return module.fail_json(msg=stored_certificate_fingerprint_out,
|
return module.fail_json(msg=stored_certificate_fingerprint_out,
|
||||||
|
@ -168,8 +169,8 @@ def read_stored_certificate_fingerprint(module, keytool_bin, alias, keystore_pat
|
||||||
return stored_certificate_match.group(1)
|
return stored_certificate_match.group(1)
|
||||||
|
|
||||||
|
|
||||||
def run_commands(module, cmd, data=None, check_rc=True):
|
def run_commands(module, cmd, data=None, environ_update=None, check_rc=True):
|
||||||
return module.run_command(cmd, check_rc=check_rc, data=data)
|
return module.run_command(cmd, check_rc=check_rc, data=data, environ_update=environ_update)
|
||||||
|
|
||||||
|
|
||||||
def create_path():
|
def create_path():
|
||||||
|
@ -236,10 +237,12 @@ def create_jks(module, name, openssl_bin, keytool_bin, keystore_path, password,
|
||||||
"-srckeystore", keystore_p12_path,
|
"-srckeystore", keystore_p12_path,
|
||||||
"-srcstoretype", "pkcs12",
|
"-srcstoretype", "pkcs12",
|
||||||
"-alias", name,
|
"-alias", name,
|
||||||
"-deststorepass", password,
|
"-deststorepass:env", "STOREPASS",
|
||||||
"-srcstorepass", password,
|
"-srcstorepass:env", "STOREPASS",
|
||||||
"-noprompt"]
|
"-noprompt"]
|
||||||
(rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd, data=None)
|
|
||||||
|
(rc, import_keystore_out, import_keystore_err) = run_commands(module, import_keystore_cmd, data=None,
|
||||||
|
environ_update=dict(STOREPASS=password))
|
||||||
if rc == 0:
|
if rc == 0:
|
||||||
update_jks_perm(module, keystore_path)
|
update_jks_perm(module, keystore_path)
|
||||||
return module.exit_json(changed=True,
|
return module.exit_json(changed=True,
|
||||||
|
|
|
@ -71,14 +71,14 @@ class TestCreateJavaKeystore(ModuleTestCase):
|
||||||
with patch('os.remove', return_value=True):
|
with patch('os.remove', return_value=True):
|
||||||
self.create_path.side_effect = ['/tmp/tmpgrzm2ah7']
|
self.create_path.side_effect = ['/tmp/tmpgrzm2ah7']
|
||||||
self.create_file.side_effect = ['/tmp/etacifitrec', '/tmp/yek_etavirp']
|
self.create_file.side_effect = ['/tmp/etacifitrec', '/tmp/yek_etavirp']
|
||||||
self.run_commands.side_effect = lambda module, cmd, data: (0, '', '')
|
self.run_commands.side_effect = [(0, '', ''), (0, '', '')]
|
||||||
create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
|
create_jks(module, "test", "openssl", "keytool", "/path/to/keystore.jks", "changeit", "")
|
||||||
module.exit_json.assert_called_once_with(
|
module.exit_json.assert_called_once_with(
|
||||||
changed=True,
|
changed=True,
|
||||||
cmd=["keytool", "-importkeystore",
|
cmd=["keytool", "-importkeystore",
|
||||||
"-destkeystore", "/path/to/keystore.jks",
|
"-destkeystore", "/path/to/keystore.jks",
|
||||||
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
|
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
|
||||||
"-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
|
"-deststorepass:env", "STOREPASS", "-srcstorepass:env", "STOREPASS", "-noprompt"],
|
||||||
msg='',
|
msg='',
|
||||||
rc=0,
|
rc=0,
|
||||||
stdout_lines=''
|
stdout_lines=''
|
||||||
|
@ -173,7 +173,7 @@ class TestCreateJavaKeystore(ModuleTestCase):
|
||||||
cmd=["keytool", "-importkeystore",
|
cmd=["keytool", "-importkeystore",
|
||||||
"-destkeystore", "/path/to/keystore.jks",
|
"-destkeystore", "/path/to/keystore.jks",
|
||||||
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
|
"-srckeystore", "/tmp/tmpgrzm2ah7", "-srcstoretype", "pkcs12", "-alias", "test",
|
||||||
"-deststorepass", "changeit", "-srcstorepass", "changeit", "-noprompt"],
|
"-deststorepass:env", "STOREPASS", "-srcstorepass:env", "STOREPASS", "-noprompt"],
|
||||||
msg='',
|
msg='',
|
||||||
rc=1
|
rc=1
|
||||||
)
|
)
|
||||||
|
@ -306,7 +306,7 @@ class TestCertChanged(ModuleTestCase):
|
||||||
self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
|
self.run_commands.side_effect = [(0, 'foo: wxyz:9876:stuv', ''), (1, '', 'Oops')]
|
||||||
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
|
cert_changed(module, "openssl", "keytool", "/path/to/keystore.jks", "changeit", 'foo')
|
||||||
module.fail_json.assert_called_with(
|
module.fail_json.assert_called_with(
|
||||||
cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass", "changeit", "-v"],
|
cmd=["keytool", "-list", "-alias", "foo", "-keystore", "/path/to/keystore.jks", "-storepass:env", "STOREPASS", "-v"],
|
||||||
msg='',
|
msg='',
|
||||||
err='Oops',
|
err='Oops',
|
||||||
rc=1
|
rc=1
|
||||||
|
|
Loading…
Reference in a new issue