ansible/test/units/utils/test_encrypt.py

# (c) 2018, Matthias Fuchs <matthias.s.fuchs@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

import pytest
import sys

from ansible.errors import AnsibleError, AnsibleFilterError
from ansible.plugins.filter.core import get_encrypted_password
from ansible.utils import encrypt


class passlib_off(object):
    def __init__(self):
        self.orig = encrypt.PASSLIB_AVAILABLE

    def __enter__(self):
        encrypt.PASSLIB_AVAILABLE = False
        return self

    def __exit__(self, exception_type, exception_value, traceback):
        encrypt.PASSLIB_AVAILABLE = self.orig


def assert_hash(expected, secret, algorithm, **settings):
    assert encrypt.CryptHash(algorithm).hash(secret, **settings) == expected

    if encrypt.PASSLIB_AVAILABLE:
        assert encrypt.passlib_or_crypt(secret, algorithm, **settings) == expected
        assert encrypt.PasslibHash(algorithm).hash(secret, **settings) == expected
    else:
        with pytest.raises(AnsibleFilterError):
            encrypt.PasslibHash(algorithm).hash(secret, **settings)


def test_encrypt_with_rounds():
    assert_hash("$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7",
                secret="123", algorithm="sha256_crypt", salt="12345678", rounds=5000)
    assert_hash("$5$rounds=10000$12345678$JBinliYMFEcBeAXKZnLjenhgEhTmJBvZn3aR8l70Oy/",
                secret="123", algorithm="sha256_crypt", salt="12345678", rounds=10000)
    assert_hash("$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.",
                secret="123", algorithm="sha512_crypt", salt="12345678", rounds=5000)


def test_encrypt_default_rounds():
    assert_hash("$1$12345678$tRy4cXc3kmcfRZVj4iFXr/",
                secret="123", algorithm="md5_crypt", salt="12345678")
    assert_hash("$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7",
                secret="123", algorithm="sha256_crypt", salt="12345678")
    assert_hash("$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.",
                secret="123", algorithm="sha512_crypt", salt="12345678")

    assert encrypt.CryptHash("md5_crypt").hash("123")


def test_password_hash_filter_no_passlib():
    with passlib_off():
        assert not encrypt.PASSLIB_AVAILABLE
        assert get_encrypted_password("123", "md5", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"

        with pytest.raises(AnsibleFilterError):
            get_encrypted_password("123", "crypt16", salt="12")


def test_password_hash_filter_passlib():
    if not encrypt.PASSLIB_AVAILABLE:
        pytest.skip("passlib not available")

    with pytest.raises(AnsibleFilterError):
        get_encrypted_password("123", "sha257", salt="12345678")

    # Uses 5000 rounds by default for sha256 matching crypt behaviour
    assert get_encrypted_password("123", "sha256", salt="12345678") == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"
    assert get_encrypted_password("123", "sha256", salt="12345678", rounds=5000) == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"

    assert (get_encrypted_password("123", "sha256", salt="12345678", rounds=10000) ==
            "$5$rounds=10000$12345678$JBinliYMFEcBeAXKZnLjenhgEhTmJBvZn3aR8l70Oy/")

    assert (get_encrypted_password("123", "sha512", salt="12345678", rounds=6000) ==
            "$6$rounds=6000$12345678$l/fC67BdJwZrJ7qneKGP1b6PcatfBr0dI7W6JLBrsv8P1wnv/0pu4WJsWq5p6WiXgZ2gt9Aoir3MeORJxg4.Z/")

    assert (get_encrypted_password("123", "sha512", salt="12345678", rounds=5000) ==
            "$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.")

    assert get_encrypted_password("123", "crypt16", salt="12") == "12pELHK2ME3McUFlHxel6uMM"

    # Try algorithm that uses a raw salt
    assert get_encrypted_password("123", "pbkdf2_sha256")


def test_do_encrypt_no_passlib():
    with passlib_off():
        assert not encrypt.PASSLIB_AVAILABLE
        assert encrypt.do_encrypt("123", "md5_crypt", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"

        with pytest.raises(AnsibleError):
            encrypt.do_encrypt("123", "crypt16", salt="12")


def test_do_encrypt_passlib():
    if not encrypt.PASSLIB_AVAILABLE:
        pytest.skip("passlib not available")

    with pytest.raises(AnsibleError):
        encrypt.do_encrypt("123", "sha257_crypt", salt="12345678")

    # Uses 5000 rounds by default for sha256 matching crypt behaviour.
    assert encrypt.do_encrypt("123", "sha256_crypt", salt="12345678") == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"

    assert encrypt.do_encrypt("123", "md5_crypt", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"

    assert encrypt.do_encrypt("123", "crypt16", salt="12") == "12pELHK2ME3McUFlHxel6uMM"


def test_random_salt():
    res = encrypt.random_salt()
    expected_salt_candidate_chars = u'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./'
    assert len(res) == 8
    for res_char in res:
        assert res_char in expected_salt_candidate_chars
Share the implementation of hashing for both vars_prompt and password_hash (#21215) * Share the implementation of hashing for both vars_prompt and password_hash. * vars_prompt with encrypt does not require passlib for the algorithms supported by crypt. * Additional checks ensure that there is always a result. This works around issues in the crypt.crypt python function that returns None for algorithms it does not know. Some modules (like user module) interprets None as no password at all, which is misleading. * The password_hash filter supports all parameters of passlib. This allows users to provide a rounds parameter, fixing #15326. * password_hash is not restricted to the subset provided by crypt.crypt, fixing one half of #17266. * Updated documentation fixes other half of #17266. * password_hash does not hard-code the salt-length, which fixes bcrypt in connection with passlib. bcrypt requires a salt with length 22, which fixes #25347 * Salts are only generated by ansible when using crypt.crypt. Otherwise passlib generates them. * Avoids deprecated functionality of passlib with newer library versions. * When no rounds are specified for sha256/sha256_crypt and sha512/sha512_crypt always uses the default values used by crypt, i.e. 5000 rounds. Before when installed passlibs' defaults were used. passlib changes its defaults with newer library versions, leading to non idempotent behavior. NOTE: This will lead to the recalculation of existing hashes generated with passlib and without a rounds parameter. Yet henceforth the hashes will remain the same. No matter the installed passlib version. Making these hashes idempotent. Fixes #15326 Fixes #17266 Fixes #25347 except bcrypt still uses 2a, instead of the suggested 2b. * random_salt is solely handled by encrypt.py. There is no _random_salt function there anymore. Also the test moved to test_encrypt.py. * Uses pytest.skip when passlib is not available, instead of a silent return. * More checks are executed when passlib is not available. * Moves tests that require passlib into their own test-function. * Uses the six library to reraise the exception. * Fixes integration test. When no rounds are provided the defaults of crypt are used. In that case the rounds are not part of the resulting MCF output. 6 years ago			`# (c) 2018, Matthias Fuchs <matthias.s.fuchs@gmail.com>`
			`#`
			`# This file is part of Ansible`
			`#`
			`# Ansible is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# Ansible is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Ansible. If not, see <http://www.gnu.org/licenses/>.`

			`import pytest`
			`import sys`

			`from ansible.errors import AnsibleError, AnsibleFilterError`
			`from ansible.plugins.filter.core import get_encrypted_password`
			`from ansible.utils import encrypt`


			`class passlib_off(object):`
			`def __init__(self):`
			`self.orig = encrypt.PASSLIB_AVAILABLE`

			`def __enter__(self):`
			`encrypt.PASSLIB_AVAILABLE = False`
			`return self`

			`def __exit__(self, exception_type, exception_value, traceback):`
			`encrypt.PASSLIB_AVAILABLE = self.orig`


			`def assert_hash(expected, secret, algorithm, **settings):`
			`assert encrypt.CryptHash(algorithm).hash(secret, **settings) == expected`

			`if encrypt.PASSLIB_AVAILABLE:`
			`assert encrypt.passlib_or_crypt(secret, algorithm, **settings) == expected`
			`assert encrypt.PasslibHash(algorithm).hash(secret, **settings) == expected`
			`else:`
			`with pytest.raises(AnsibleFilterError):`
			`encrypt.PasslibHash(algorithm).hash(secret, **settings)`


			`def test_encrypt_with_rounds():`
			`assert_hash("$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7",`
			`secret="123", algorithm="sha256_crypt", salt="12345678", rounds=5000)`
			`assert_hash("$5$rounds=10000$12345678$JBinliYMFEcBeAXKZnLjenhgEhTmJBvZn3aR8l70Oy/",`
			`secret="123", algorithm="sha256_crypt", salt="12345678", rounds=10000)`
			`assert_hash("$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.",`
			`secret="123", algorithm="sha512_crypt", salt="12345678", rounds=5000)`


			`def test_encrypt_default_rounds():`
			`assert_hash("$1$12345678$tRy4cXc3kmcfRZVj4iFXr/",`
			`secret="123", algorithm="md5_crypt", salt="12345678")`
			`assert_hash("$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7",`
			`secret="123", algorithm="sha256_crypt", salt="12345678")`
			`assert_hash("$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.",`
			`secret="123", algorithm="sha512_crypt", salt="12345678")`

			`assert encrypt.CryptHash("md5_crypt").hash("123")`


			`def test_password_hash_filter_no_passlib():`
			`with passlib_off():`
			`assert not encrypt.PASSLIB_AVAILABLE`
			`assert get_encrypted_password("123", "md5", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"`

			`with pytest.raises(AnsibleFilterError):`
			`get_encrypted_password("123", "crypt16", salt="12")`


			`def test_password_hash_filter_passlib():`
			`if not encrypt.PASSLIB_AVAILABLE:`
			`pytest.skip("passlib not available")`

			`with pytest.raises(AnsibleFilterError):`
			`get_encrypted_password("123", "sha257", salt="12345678")`

			`# Uses 5000 rounds by default for sha256 matching crypt behaviour`
			`assert get_encrypted_password("123", "sha256", salt="12345678") == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"`
			`assert get_encrypted_password("123", "sha256", salt="12345678", rounds=5000) == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"`

			`assert (get_encrypted_password("123", "sha256", salt="12345678", rounds=10000) ==`
			`"$5$rounds=10000$12345678$JBinliYMFEcBeAXKZnLjenhgEhTmJBvZn3aR8l70Oy/")`

			`assert (get_encrypted_password("123", "sha512", salt="12345678", rounds=6000) ==`
			`"$6$rounds=6000$12345678$l/fC67BdJwZrJ7qneKGP1b6PcatfBr0dI7W6JLBrsv8P1wnv/0pu4WJsWq5p6WiXgZ2gt9Aoir3MeORJxg4.Z/")`

			`assert (get_encrypted_password("123", "sha512", salt="12345678", rounds=5000) ==`
			`"$6$12345678$LcV9LQiaPekQxZ.OfkMADjFdSO2k9zfbDQrHPVcYjSLqSdjLYpsgqviYvTEP/R41yPmhH3CCeEDqVhW1VHr3L.")`

			`assert get_encrypted_password("123", "crypt16", salt="12") == "12pELHK2ME3McUFlHxel6uMM"`

			`# Try algorithm that uses a raw salt`
			`assert get_encrypted_password("123", "pbkdf2_sha256")`


			`def test_do_encrypt_no_passlib():`
			`with passlib_off():`
			`assert not encrypt.PASSLIB_AVAILABLE`
			`assert encrypt.do_encrypt("123", "md5_crypt", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"`

			`with pytest.raises(AnsibleError):`
			`encrypt.do_encrypt("123", "crypt16", salt="12")`


			`def test_do_encrypt_passlib():`
			`if not encrypt.PASSLIB_AVAILABLE:`
			`pytest.skip("passlib not available")`

			`with pytest.raises(AnsibleError):`
			`encrypt.do_encrypt("123", "sha257_crypt", salt="12345678")`

			`# Uses 5000 rounds by default for sha256 matching crypt behaviour.`
			`assert encrypt.do_encrypt("123", "sha256_crypt", salt="12345678") == "$5$12345678$uAZsE3BenI2G.nA8DpTl.9Dc8JiqacI53pEqRr5ppT7"`

			`assert encrypt.do_encrypt("123", "md5_crypt", salt="12345678") == "$1$12345678$tRy4cXc3kmcfRZVj4iFXr/"`

			`assert encrypt.do_encrypt("123", "crypt16", salt="12") == "12pELHK2ME3McUFlHxel6uMM"`


			`def test_random_salt():`
			`res = encrypt.random_salt()`
			`expected_salt_candidate_chars = u'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./'`
			`assert len(res) == 8`
			`for res_char in res:`
			`assert res_char in expected_salt_candidate_chars`