From 16260777d28b936817f9cde10a640a60184bd2cb Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Tue, 8 Oct 2024 07:57:50 -0700
Subject: [PATCH] [WIP] Copy: opt for sha256 instead of sha1
Signed-off-by: Abhijeet Kasurde
---
 lib/ansible/modules/assemble.py | 4 ++--
 lib/ansible/modules/copy.py | 11 ++++++-----
 lib/ansible/modules/fetch.py | 1 +
 lib/ansible/plugins/action/assemble.py | 4 ++--
 lib/ansible/plugins/action/copy.py | 5 +++--
 lib/ansible/plugins/action/fetch.py | 11 ++++++-----
 6 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/lib/ansible/modules/assemble.py b/lib/ansible/modules/assemble.py
index ff570aee1b9..7f773fecd65 100644
--- a/lib/ansible/modules/assemble.py
+++ b/lib/ansible/modules/assemble.py
@@ -243,7 +243,7 @@ def main():
 module.fail_json(msg="validate must contain %%s: %s" % validate)
 path = assemble_from_fragments(src, delimiter, compiled_regexp, ignore_hidden, module.tmpdir)
- path_hash = module.sha1(path)
+ path_hash = module.sha256(path)
 result['checksum'] = path_hash
 # Backwards compat. This won't return data if FIPS mode is active
@@ -254,7 +254,7 @@ def main():
 result['md5sum'] = pathmd5
 if os.path.exists(dest):
- dest_hash = module.sha1(dest)
+ dest_hash = module.sha256(dest)
 if path_hash != dest_hash:
 if validate:
diff --git a/lib/ansible/modules/copy.py b/lib/ansible/modules/copy.py
index 8a5297466f4..0ff3bbc870e 100644
--- a/lib/ansible/modules/copy.py
+++ b/lib/ansible/modules/copy.py
@@ -112,9 +112,10 @@ options:
 version_added: '2.4'
 checksum:
 description:
- SHA1 checksum of the file being transferred.
+ - SHA256 checksum of the file being transferred.
 - Used to validate that the copy of the file was successful.
 - If this is not provided, ansible will use the local calculated checksum of the src file.
+ - Ansible 2.19 and onwards, SHA256 is default instead of SHA1.
 type: str
 version_added: '2.5'
 extends_documentation_fragment: 
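Review bot: `result['checksum'] = path_hash`, right after the changed `path_hash = module.sha256(path)` line, now carries a 64-hex SHA-256 value where callers previously got a 40-hex SHA-1, and neither hunk in this file documents the break; a playbook that registered the result and compares `checksum` against a stored SHA-1 will simply always differ. If assemble.py has a RETURN block describing `checksum` as SHA1 (not shown here), it needs the same wording update that copy.py receives in this patch. A one-line comment at the assignment would make the change visible to readers: `# Ansible 2.19+: SHA-256 (64 hex chars); earlier releases returned SHA-1`. main() continues outside the hunk.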
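Review bot: The added `- Ansible 2.19 and onwards, SHA256 is default instead of SHA1.` line in the `checksum` option docs is ungrammatical and understates the impact for users who pass the option themselves: a SHA-1 value from an existing playbook can never equal the SHA-256 the module now computes, and nothing in this diff rejects a 40-hex value with a message that names the algorithm change. Suggested wording: `- From Ansible 2.19 onwards the checksum is SHA-256 (64 hex characters); a SHA-1 value accepted by earlier releases will no longer match.` Validating the option's length up front in the module body, which is outside this hunk, would turn a silent permanent mismatch into an actionable failure.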
@@ -238,10 +239,10 @@ md5sum:
 type: str
 sample: 2a5aeecc61dc98c4d780b14b330e3282
 checksum:
- description: SHA1 checksum of the file after running copy.
+ description: SHA256 checksum of the file after running copy.
 returned: success
 type: str
- sample: 6e642bb8dd5c2e027bf21dd923337cbb4214f827
+ sample: e1ace7b1f177f35749523ce34721d2b1e1ad0b1e3196754f476a69730d24cb53
 backup_file:
 description: Name of backup file created.
 returned: changed and if backup=yes
@@ -562,9 +563,9 @@ def main():
 if os.path.isfile(src):
 try:
- checksum_src = module.sha1(src)
+ checksum_src = module.sha256(src)
 except (OSError, IOError) as e:
- module.warn("Unable to calculate src checksum, assuming change: %s" % to_native(e))
+ module.warn(f"Unable to calculate src checksum, assuming change: {to_native(e)}")
 try:
 # Backwards compat only. This will be None in FIPS mode
 md5sum_src = module.md5(src)
diff --git a/lib/ansible/modules/fetch.py b/lib/ansible/modules/fetch.py
index 5886a82ce8c..f56d1284498 100644
--- a/lib/ansible/modules/fetch.py
+++ b/lib/ansible/modules/fetch.py
@@ -89,6 +89,7 @@ notes:
 C(fail_when) or C(ignore_errors) to get this ability. They may also explicitly set O(fail_on_missing) to V(false) to get the non-failing behaviour.
+- Ansible 2.19 and onwards, SHA256 is used to calculate checksum.
 seealso:
 - module: ansible.builtin.copy
 - module: ansible.builtin.slurp
diff --git a/lib/ansible/plugins/action/assemble.py b/lib/ansible/plugins/action/assemble.py
index bedf8191093..7675286fefd 100644
--- a/lib/ansible/plugins/action/assemble.py
+++ b/lib/ansible/plugins/action/assemble.py 
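Review bot: `checksum_src = module.sha256(src)` switches only the source side of the comparison; the destination checksum it is later compared against is computed outside this hunk, and the diffstat for copy.py (three hunks, 6 insertions, 5 deletions) leaves no room for another `module.sha1` call to have been converted. If that call still uses SHA-1, the two values can never be equal, every copy reports changed, and the user-supplied `checksum` option documented above is compared against the wrong algorithm too, so please grep the module for remaining `module.sha1(` uses before this leaves WIP. The f-string rewrite of the `module.warn` message is unrelated to the hash change and would be cleaner as a separate commit. main() continues outside the hunk.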
@@ -29,7 +29,7 @@ from ansible.errors import AnsibleError, AnsibleAction, _AnsibleActionDone, Ansi
 from ansible.module_utils.common.text.converters import to_native, to_text
 from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.plugins.action import ActionBase
-from ansible.utils.hashing import checksum_s
+from ansible.utils.hashing import secure_hash_s
 class ActionModule(ActionBase):
@@ -122,7 +122,7 @@ class ActionModule(ActionBase):
 # Does all work assembling the file
 path = self._assemble_from_fragments(src, delimiter, _re, ignore_hidden, decrypt)
- path_checksum = checksum_s(path)
+ path_checksum = secure_hash_s(path, hash_func=hashlib.sha256)
 dest = self._remote_expand_user(dest)
 dest_stat = self._execute_remote_stat(dest, all_vars=task_vars, follow=follow)
diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py
index 348def60337..eb953d2432b 100644
--- a/lib/ansible/plugins/action/copy.py
+++ b/lib/ansible/plugins/action/copy.py
@@ -18,6 +18,7 @@ from __future__ import annotations
+import hashlib
 import json
 import os
 import os.path
@@ -31,7 +32,7 @@ from ansible.module_utils.basic import FILE_COMMON_ARGUMENTS
 from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.plugins.action import ActionBase
-from ansible.utils.hashing import checksum
+from ansible.utils.hashing import secure_hash
 # Supplement the FILE_COMMON_ARGUMENTS with arguments that are specific to file
@@ -278,7 +279,7 @@ class ActionModule(ActionBase):
 return None
 # Generate a hash of the local file.
- local_checksum = checksum(source_full)
+ local_checksum = secure_hash(source_full, hash_func=hashlib.sha256)
 if local_checksum != dest_status['checksum']:
 # The checksums don't match and we will change or error out.
diff --git a/lib/ansible/plugins/action/fetch.py b/lib/ansible/plugins/action/fetch.py
index d099fd357cf..0160e44c47c 100644 
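Review bot: `hashlib` is not imported in this file: this hunk only swaps `checksum_s` for `secure_hash_s`, yet the @@ -122 hunk below calls `secure_hash_s(path, hash_func=hashlib.sha256)`. The copy.py and fetch.py action hunks each add `import hashlib`, but the diffstat for this file (2 insertions, 2 deletions) accounts for exactly the two lines shown, so unless `hashlib` is already imported above line 29 (outside the hunk) the new line raises `NameError` the first time an assemble task runs. Add `import hashlib` to the stdlib import group at the top of the file.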
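Review bot: `local_checksum` on the `+` line is now SHA-256 but is compared on the next line to `dest_status['checksum']`, which this action obtains from the remote stat call that is not part of this diff; if the remote side still returns its default SHA-1 digest, the comparison can never be equal and every copy re-transfers the file and reports changed. The assemble action's `dest_stat` from `_execute_remote_stat` (its @@ -122 hunk above) is presumably compared to `path_checksum` just after that hunk and has the same exposure. The remote stat request needs to ask for SHA-256 in the same change, and driving every call site from one shared constant (or changing the defaults in `ansible.utils.hashing`) instead of repeating `hash_func=hashlib.sha256` would keep a missed site from producing a silent, permanent mismatch. The enclosing method starts and ends outside the hunk.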
--- a/lib/ansible/plugins/action/fetch.py
+++ b/lib/ansible/plugins/action/fetch.py
@@ -16,15 +16,16 @@ # along with Ansible. If not, see .
 from __future__ import annotations
-import os
 import base64
+import hashlib
+import os
 from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleActionFail, AnsibleActionSkip
 from ansible.module_utils.common.text.converters import to_bytes, to_text
 from ansible.module_utils.six import string_types
 from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.plugins.action import ActionBase
 from ansible.utils.display import Display
-from ansible.utils.hashing import checksum, checksum_s, md5, secure_hash
+from ansible.utils.hashing import md5, secure_hash, secure_hash_s
 from ansible.utils.path import makedirs_safe, is_subpath
 display = Display()
@@ -127,7 +128,7 @@ class ActionModule(ActionBase):
 if slurpres['encoding'] == 'base64':
 remote_data = base64.b64decode(slurpres['content'])
 if remote_data is not None:
- remote_checksum = checksum_s(remote_data)
+ remote_checksum = secure_hash_s(remote_data, hash_func=hashlib.sha256)
 # calculate the destination name
 if os.path.sep not in self._connection._shell.join_path('a', ''):
@@ -167,7 +168,7 @@ class ActionModule(ActionBase):
 dest = os.path.normpath(dest)
 # calculate checksum for the local file
- local_checksum = checksum(dest)
+ local_checksum = secure_hash(dest, hash_func=hashlib.sha256)
 if remote_checksum != local_checksum:
 # create the containing directories, if needed
@@ -183,7 +184,7 @@ class ActionModule(ActionBase):
 f.close()
 except (IOError, OSError) as e:
 raise AnsibleActionFail("Failed to fetch the file: %s" % e)
- new_checksum = secure_hash(dest)
+ new_checksum = secure_hash(dest, hash_func=hashlib.sha256)
 # For backwards compatibility. We'll return None on FIPS enabled systems
 try:
 new_md5 = md5(dest)
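Review bot: `remote_checksum = secure_hash_s(remote_data, hash_func=hashlib.sha256)` only covers the slurp branch; the `remote_checksum` obtained from the remote host before slurp is attempted is set outside this hunk, and if that path still yields a SHA-1, the `remote_checksum != local_checksum` test in the @@ -167 hunk is always true and any later comparison of `new_checksum` (the @@ -183 hunk) against `remote_checksum` can never succeed, so every fetch would re-download and then fail validation. The non-slurp path needs the same algorithm, ideally named once as a module-level constant such as `_CHECKSUM_FUNC = hashlib.sha256` rather than four separate `hash_func=hashlib.sha256` arguments, so the algorithm cannot drift between call sites. The enclosing method starts and ends outside these hunks.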