Lookup password omit salt (#16361)

* Lookup unencrypted password must not include salt
* Integration test lookup: remove previous directory
* Test that lookup password doesn't return salt
* Lookup password: test behavior with empty encrypt parameter

Closes #16189

(cherry picked from commit b361bf90d7)
pull/16483/head
Pilou 9 years ago committed by Matt Clay
parent 25c5314f2e
commit 57eb60757c

@ -137,25 +137,23 @@ class LookupModule(LookupBase):
password = content password = content
salt = None salt = None
if params['encrypt'] is not None:
try:
sep = content.rindex(' ')
except ValueError:
# No salt
pass
else:
salt_field = content[sep + 1:]
if salt_field.startswith('salt='):
password = content[:sep]
salt = salt_field[len('salt='):]
try:
sep = content.rindex(' salt=')
except ValueError:
# No salt
pass
else:
salt = password[sep + len(' salt='):]
password = content[:sep]
if params['encrypt'] is not None and salt is None:
# crypt requested, add salt if missing # crypt requested, add salt if missing
if not salt: salt = self.random_salt()
salt = self.random_salt() content = '%s salt=%s' % (password, salt)
content = '%s salt=%s' % (password, salt) with open(path, 'w') as f:
with open(path, 'w') as f: os.chmod(path, 0o600)
os.chmod(path, 0o600) f.write(content + '\n')
f.write(content + '\n')
if params['encrypt']: if params['encrypt']:
password = do_encrypt(password, params['encrypt'], salt=salt) password = do_encrypt(password, params['encrypt'], salt=salt)

@ -35,10 +35,11 @@
# PASSWORD LOOKUP # PASSWORD LOOKUP
- name: remove previous password files - name: remove previous password files and directory
file: dest={{output_dir}}/lookup/password state=absent file: dest={{item}} state=absent
with_items: with_items:
- "{{output_dir}}/lookup/password" - "{{output_dir}}/lookup/password"
- "{{output_dir}}/lookup/password_with_salt"
- "{{output_dir}}/lookup" - "{{output_dir}}/lookup"
- name: create a password file - name: create a password file
@ -80,6 +81,59 @@
that: that:
- "wc_result.stdout == '9'" - "wc_result.stdout == '9'"
- "cat_result.stdout == newpass" - "cat_result.stdout == newpass"
- "' salt=' not in cat_result.stdout"
- name: fetch password from an existing file
set_fact:
pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
- name: read password (again)
shell: cat {{output_dir}}/lookup/password
register: cat_result2
- debug: var=cat_result2.stdout
- name: verify password (again)
assert:
that:
- "cat_result2.stdout == newpass"
- "' salt=' not in cat_result2.stdout"
- name: create a password (with salt) file
debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
- name: read password and salt
shell: cat {{output_dir}}/lookup/password_with_salt
register: cat_pass_salt
- debug: var=cat_pass_salt.stdout
- name: fetch unencrypted password
set_fact:
newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
- debug: var=newpass
- name: verify password and salt
assert:
that:
- "cat_pass_salt.stdout != newpass"
- "cat_pass_salt.stdout.startswith(newpass)"
- "' salt=' in cat_pass_salt.stdout"
- "' salt=' not in newpass"
- name: fetch unencrypted password (using empty encrypt parameter)
set_fact:
newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
- name: verify lookup password behavior
assert:
that:
- "newpass == newpass2"
# ENV LOOKUP # ENV LOOKUP

Loading…
Cancel
Save