* passwordstore: Add configurable locking
Passwordstore cannot be accessed safely in parallel, which causes
various issues:
- When accessing the same path, multiple different secrets are
returned when the secret didn't exist (missing=create).
- When accessing the same _or different_ paths, multiple pinentry
dialogs will be spawned by gpg-agent sequentially, having to enter
the password for the same gpg key multiple times in a row.
- Due to issues in gpg dependencies, accessing gpg-agent in parallel
is not reliable, causing plays to fail (this can be fixed by adding
`auto-expand-secmem` to _~/.gnupg/gpg-agent.conf_ though).
These problems have been described in various github issues in the past,
e.g., ansible/ansible#23816 and ansible/ansible#27277.
This cannot be worked around in playbooks by users in a non-error-prone
way.
It is addressed by adding new configuration options:
- lock:
- readwrite: Lock all operations
- write: Only lock write operations (default)
- none: Disable locking
- locktimeout: Time to wait for getting a lock (s/m/h suffix)
(defaults to 15m)
These options can also be set in ansible.cfg, e.g.:
[passwordstore_lookup]
lock=readwrite
locktimeout=30s
Also, add a note about modifying gpg-agent.conf.
* Tidy up locking config
There is no reason why lock configuration should be part of self.paramvals.
Now locking and its configuration happen all in one place.
* Change timeout description wording to the suggested value.
* Rearrange plugin setup, apply PR feedback
(cherry picked from commit 2416b81aa4)
Co-authored-by: grembo <freebsd@grem.de>
The passwordstore lookup plugin depends on parsing GnuPG's
error messages in English language. As a result, detection of
a specific error failes when users set a different locale.
This change corrects this by setting the `LANGUAGE` environment
variable to `C` when invoking `pass`, as this only affects
gettext translations.
See
https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html
(cherry picked from commit 77a0c139c9)
Co-authored-by: grembo <freebsd@grem.de>
Given a password stored in _path/to/secret_, requesting the password
_path/to_ will literally return `path/to`. This can lead to using
weak passwords by accident/mess up logic in code, based on the
state of the password store.
This is worked around by applying the same logic `pass` uses:
If a password was returned, check if there is a .gpg file it could
have come from. If not, treat it as missing.
Fixesansible-collections/community.general#4185
(cherry picked from commit da49c0968d)
Co-authored-by: grembo <freebsd@grem.de>
* added utf-8 markers to all .py files in plugins/filter
* added utf-8 markers to all .py files in plugins/inventory
* added utf-8 markers to all .py files in plugins/lookup
Add ability to ignore error on missing pass file to allow processing the
output further via another filters (mainly the default filter) without
updating the pass file itself.
It also contains the option to create the pass file, like the option
create=true does.
Finally, it also allows to issue a warning only, if the pass file is not
found.
* fix passwordstore.py to be compatible with gopass.
...even when used with create=true.
The same output snippet matches for both, `pass` and `gopass`, but while `pass` returns `1` on a non-existant password, `gopass` returns `10`, or `11`, depending on whether a similar named password was stored.
So I'd propose to change `e.returncode == 1` to `e.returncode != 0` to cover both cases here.
What do you think?
* Update passwordstore.py, fix typo
* Add changelog fragment.
* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/1589-passwordstore-fix-passwordstore.py-to-be-compatible-with-gopass.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Added umask option to passwordstore lookup plugin.
* Added umask documentation and changelog fragment.
* Added default values to paramvals within the run method.
* removed blank lines (PEP8)
* Update changelogs/fragments/lookup-passwordstore-umask.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/lookup-passwordstore-umask.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* passwordstore lookup plugin: changelog fragment update
* passing environment variables to subprocess.Popen()
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* rm trailing whitespace
* Don't force default umask in the plugin, pass will take care of this.
* remove default from the documentation string
* remove trailing whitespaces
* prevent KeyErrors when checking if key exits in paramvals.
* Update plugins/lookup/passwordstore.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix for TypeError
* revert back to old directory test
Co-authored-by: bratw0rst <c.chmiel@speakup.nl>
Co-authored-by: Felix Fontein <felix@fontein.de>
* callback_type -> type.
* Mark authors as unknown.
* Add author field forgotten in #627.
* Fix author entries.
* Add author field forgotten in #127.
* Fix some types.
* Fix deprecation of callables.
* Fix various sanity errors.
* Revert callback_type -> type transform.
* Fix stat_result times: these are float according to https://github.com/python/typeshed/blob/master/stdlib/3/os/__init__.pyi
* Apply suggestions from code review
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>
Co-authored-by: Andrew Klychkov <aaklychkov@mail.ru>