defend against bad or missing crypt (#74304)

* defend against bad or missing crypt

  fixes #74279

(cherry picked from commit 4494ef3a9d)
pull/74307/head
Brian Coca 4 years ago committed by Rick Elrod
parent 80f8b90b43
commit 55ad72992d

@ -0,0 +1,2 @@
bugfixes:
- ansible.utils.encrypt now handles missing or unusable 'crypt' library.

@ -4,7 +4,6 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import crypt
import multiprocessing
import random
import string
@ -18,15 +17,23 @@ from ansible.module_utils.six import text_type
from ansible.module_utils._text import to_text, to_bytes
from ansible.utils.display import Display
PASSLIB_AVAILABLE = False
PASSLIB_E = CRYPT_E = None
HAS_CRYPT = PASSLIB_AVAILABLE = False
try:
import passlib
import passlib.hash
from passlib.utils.handlers import HasRawSalt
PASSLIB_AVAILABLE = True
except Exception:
pass
except Exception as e:
PASSLIB_E = e
try:
import crypt
HAS_CRYPT = True
except Exception as e:
CRYPT_E = e
display = Display()
@ -77,6 +84,9 @@ class CryptHash(BaseHash):
def __init__(self, algorithm):
super(CryptHash, self).__init__(algorithm)
if not HAS_CRYPT:
raise AnsibleError("crypt.crypt cannot be used as the 'crypt' python library is not installed or is unusable.", orig_exc=CRYPT_E)
if sys.platform.startswith('darwin'):
raise AnsibleError("crypt.crypt not supported on Mac OS X/Darwin, install passlib python module")
@ -122,7 +132,7 @@ class PasslibHash(BaseHash):
super(PasslibHash, self).__init__(algorithm)
if not PASSLIB_AVAILABLE:
raise AnsibleError("passlib must be installed to hash with '%s'" % algorithm)
raise AnsibleError("passlib must be installed and usable to hash with '%s'" % algorithm, orig_exc=PASSLIB_E)
try:
self.crypt_algo = getattr(passlib.hash, algorithm)
@ -189,8 +199,10 @@ class PasslibHash(BaseHash):
def passlib_or_crypt(secret, algorithm, salt=None, salt_size=None, rounds=None):
if PASSLIB_AVAILABLE:
return PasslibHash(algorithm).hash(secret, salt=salt, salt_size=salt_size, rounds=rounds)
else:
elif HAS_CRYPT:
return CryptHash(algorithm).hash(secret, salt=salt, salt_size=salt_size, rounds=rounds)
else:
raise AnsibleError("Unable to encrypt nor hash, either crypt or passlib must be installed.", orig_exc=CRYPT_E)
def do_encrypt(result, encrypt, salt_size=None, salt=None):

@ -48,7 +48,7 @@ def assert_hash(expected, secret, algorithm, **settings):
assert encrypt.passlib_or_crypt(secret, algorithm, **settings) == expected
with pytest.raises(AnsibleError) as excinfo:
encrypt.PasslibHash(algorithm).hash(secret, **settings)
assert excinfo.value.args[0] == "passlib must be installed to hash with '%s'" % algorithm
assert excinfo.value.args[0] == "passlib must be installed and usable to hash with '%s'" % algorithm
@pytest.mark.skipif(sys.platform.startswith('darwin'), reason='macOS requires passlib')

Loading…
Cancel
Save