[WIP] Copy: opt for sha256 instead of sha1

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
pull/84077/head
Abhijeet Kasurde 1 month ago
parent 56bab1d097
commit 16260777d2

@ -243,7 +243,7 @@ def main():
module.fail_json(msg="validate must contain %%s: %s" % validate) module.fail_json(msg="validate must contain %%s: %s" % validate)
path = assemble_from_fragments(src, delimiter, compiled_regexp, ignore_hidden, module.tmpdir) path = assemble_from_fragments(src, delimiter, compiled_regexp, ignore_hidden, module.tmpdir)
path_hash = module.sha1(path) path_hash = module.sha256(path)
result['checksum'] = path_hash result['checksum'] = path_hash
# Backwards compat. This won't return data if FIPS mode is active # Backwards compat. This won't return data if FIPS mode is active
@ -254,7 +254,7 @@ def main():
result['md5sum'] = pathmd5 result['md5sum'] = pathmd5
if os.path.exists(dest): if os.path.exists(dest):
dest_hash = module.sha1(dest) dest_hash = module.sha256(dest)
if path_hash != dest_hash: if path_hash != dest_hash:
if validate: if validate:

@ -112,9 +112,10 @@ options:
version_added: '2.4' version_added: '2.4'
checksum: checksum:
description: description:
- SHA1 checksum of the file being transferred. - SHA256 checksum of the file being transferred.
- Used to validate that the copy of the file was successful. - Used to validate that the copy of the file was successful.
- If this is not provided, ansible will use the local calculated checksum of the src file. - If this is not provided, ansible will use the local calculated checksum of the src file.
- Ansible 2.19 and onwards, SHA256 is default instead of SHA1.
type: str type: str
version_added: '2.5' version_added: '2.5'
extends_documentation_fragment: extends_documentation_fragment:
@ -238,10 +239,10 @@ md5sum:
type: str type: str
sample: 2a5aeecc61dc98c4d780b14b330e3282 sample: 2a5aeecc61dc98c4d780b14b330e3282
checksum: checksum:
description: SHA1 checksum of the file after running copy. description: SHA256 checksum of the file after running copy.
returned: success returned: success
type: str type: str
sample: 6e642bb8dd5c2e027bf21dd923337cbb4214f827 sample: e1ace7b1f177f35749523ce34721d2b1e1ad0b1e3196754f476a69730d24cb53
backup_file: backup_file:
description: Name of backup file created. description: Name of backup file created.
returned: changed and if backup=yes returned: changed and if backup=yes
@ -562,9 +563,9 @@ def main():
if os.path.isfile(src): if os.path.isfile(src):
try: try:
checksum_src = module.sha1(src) checksum_src = module.sha256(src)
except (OSError, IOError) as e: except (OSError, IOError) as e:
module.warn("Unable to calculate src checksum, assuming change: %s" % to_native(e)) module.warn(f"Unable to calculate src checksum, assuming change: {to_native(e)}")
try: try:
# Backwards compat only. This will be None in FIPS mode # Backwards compat only. This will be None in FIPS mode
md5sum_src = module.md5(src) md5sum_src = module.md5(src)

@ -89,6 +89,7 @@ notes:
C(fail_when) or C(ignore_errors) to get this ability. They may C(fail_when) or C(ignore_errors) to get this ability. They may
also explicitly set O(fail_on_missing) to V(false) to get the also explicitly set O(fail_on_missing) to V(false) to get the
non-failing behaviour. non-failing behaviour.
- Ansible 2.19 and onwards, SHA256 is used to calculate checksum.
seealso: seealso:
- module: ansible.builtin.copy - module: ansible.builtin.copy
- module: ansible.builtin.slurp - module: ansible.builtin.slurp

@ -29,7 +29,7 @@ from ansible.errors import AnsibleError, AnsibleAction, _AnsibleActionDone, Ansi
from ansible.module_utils.common.text.converters import to_native, to_text from ansible.module_utils.common.text.converters import to_native, to_text
from ansible.module_utils.parsing.convert_bool import boolean from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase from ansible.plugins.action import ActionBase
from ansible.utils.hashing import checksum_s from ansible.utils.hashing import secure_hash_s
class ActionModule(ActionBase): class ActionModule(ActionBase):
@ -122,7 +122,7 @@ class ActionModule(ActionBase):
# Does all work assembling the file # Does all work assembling the file
path = self._assemble_from_fragments(src, delimiter, _re, ignore_hidden, decrypt) path = self._assemble_from_fragments(src, delimiter, _re, ignore_hidden, decrypt)
path_checksum = checksum_s(path) path_checksum = secure_hash_s(path, hash_func=hashlib.sha256)
dest = self._remote_expand_user(dest) dest = self._remote_expand_user(dest)
dest_stat = self._execute_remote_stat(dest, all_vars=task_vars, follow=follow) dest_stat = self._execute_remote_stat(dest, all_vars=task_vars, follow=follow)

@ -18,6 +18,7 @@
from __future__ import annotations from __future__ import annotations
import hashlib
import json import json
import os import os
import os.path import os.path
@ -31,7 +32,7 @@ from ansible.module_utils.basic import FILE_COMMON_ARGUMENTS
from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
from ansible.module_utils.parsing.convert_bool import boolean from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase from ansible.plugins.action import ActionBase
from ansible.utils.hashing import checksum from ansible.utils.hashing import secure_hash
# Supplement the FILE_COMMON_ARGUMENTS with arguments that are specific to file # Supplement the FILE_COMMON_ARGUMENTS with arguments that are specific to file
@ -278,7 +279,7 @@ class ActionModule(ActionBase):
return None return None
# Generate a hash of the local file. # Generate a hash of the local file.
local_checksum = checksum(source_full) local_checksum = secure_hash(source_full, hash_func=hashlib.sha256)
if local_checksum != dest_status['checksum']: if local_checksum != dest_status['checksum']:
# The checksums don't match and we will change or error out. # The checksums don't match and we will change or error out.

@ -16,15 +16,16 @@
# along with Ansible. If not, see <http://www.gnu.org/licenses/>. # along with Ansible. If not, see <http://www.gnu.org/licenses/>.
from __future__ import annotations from __future__ import annotations
import os
import base64 import base64
import hashlib
import os
from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleActionFail, AnsibleActionSkip from ansible.errors import AnsibleConnectionFailure, AnsibleError, AnsibleActionFail, AnsibleActionSkip
from ansible.module_utils.common.text.converters import to_bytes, to_text from ansible.module_utils.common.text.converters import to_bytes, to_text
from ansible.module_utils.six import string_types from ansible.module_utils.six import string_types
from ansible.module_utils.parsing.convert_bool import boolean from ansible.module_utils.parsing.convert_bool import boolean
from ansible.plugins.action import ActionBase from ansible.plugins.action import ActionBase
from ansible.utils.display import Display from ansible.utils.display import Display
from ansible.utils.hashing import checksum, checksum_s, md5, secure_hash from ansible.utils.hashing import md5, secure_hash, secure_hash_s
from ansible.utils.path import makedirs_safe, is_subpath from ansible.utils.path import makedirs_safe, is_subpath
display = Display() display = Display()
@ -127,7 +128,7 @@ class ActionModule(ActionBase):
if slurpres['encoding'] == 'base64': if slurpres['encoding'] == 'base64':
remote_data = base64.b64decode(slurpres['content']) remote_data = base64.b64decode(slurpres['content'])
if remote_data is not None: if remote_data is not None:
remote_checksum = checksum_s(remote_data) remote_checksum = secure_hash_s(remote_data, hash_func=hashlib.sha256)
# calculate the destination name # calculate the destination name
if os.path.sep not in self._connection._shell.join_path('a', ''): if os.path.sep not in self._connection._shell.join_path('a', ''):
@ -167,7 +168,7 @@ class ActionModule(ActionBase):
dest = os.path.normpath(dest) dest = os.path.normpath(dest)
# calculate checksum for the local file # calculate checksum for the local file
local_checksum = checksum(dest) local_checksum = secure_hash(dest, hash_func=hashlib.sha256)
if remote_checksum != local_checksum: if remote_checksum != local_checksum:
# create the containing directories, if needed # create the containing directories, if needed
@ -183,7 +184,7 @@ class ActionModule(ActionBase):
f.close() f.close()
except (IOError, OSError) as e: except (IOError, OSError) as e:
raise AnsibleActionFail("Failed to fetch the file: %s" % e) raise AnsibleActionFail("Failed to fetch the file: %s" % e)
new_checksum = secure_hash(dest) new_checksum = secure_hash(dest, hash_func=hashlib.sha256)
# For backwards compatibility. We'll return None on FIPS enabled systems # For backwards compatibility. We'll return None on FIPS enabled systems
try: try:
new_md5 = md5(dest) new_md5 = md5(dest)

Loading…
Cancel
Save