From 85b4c7017236a647fbb72a94bafa2ba527f060ef Mon Sep 17 00:00:00 2001 From: Brian Coca Date: Tue, 20 Apr 2021 11:47:34 -0400 Subject: [PATCH] defend against bad or missing crypt (#74304) * defend against bad or missing crypt fixes #74279 (cherry picked from commit 4494ef3a9d0b0816e228a2b0cf8ebce9b732253a) --- changelogs/fragments/crypt_missing.yml | 2 ++ lib/ansible/utils/encrypt.py | 24 ++++++++++++++++++------ test/units/utils/test_encrypt.py | 2 +- 3 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 changelogs/fragments/crypt_missing.yml diff --git a/changelogs/fragments/crypt_missing.yml b/changelogs/fragments/crypt_missing.yml new file mode 100644 index 00000000000..430e3a07c02 --- /dev/null +++ b/changelogs/fragments/crypt_missing.yml @@ -0,0 +1,2 @@ +bugfixes: + - ansible.utils.encrypt now handles missing or unusable 'crypt' library. diff --git a/lib/ansible/utils/encrypt.py b/lib/ansible/utils/encrypt.py index 21c9c003d67..a82b1d3e552 100644 --- a/lib/ansible/utils/encrypt.py +++ b/lib/ansible/utils/encrypt.py @@ -4,7 +4,6 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type -import crypt import multiprocessing import random import re @@ -19,7 +18,8 @@ from ansible.module_utils.six import text_type from ansible.module_utils._text import to_text, to_bytes from ansible.utils.display import Display -PASSLIB_AVAILABLE = False +PASSLIB_E = CRYPT_E = None +HAS_CRYPT = PASSLIB_AVAILABLE = False try: import passlib import passlib.hash @@ -29,8 +29,15 @@ try: except ImportError: from passlib.utils import bcrypt64 PASSLIB_AVAILABLE = True -except Exception: - pass +except Exception as e: + PASSLIB_E = e + +try: + import crypt + HAS_CRYPT = True +except Exception as e: + CRYPT_E = e + display = Display() @@ -81,6 +88,9 @@ class CryptHash(BaseHash): def __init__(self, algorithm): super(CryptHash, self).__init__(algorithm) + if not HAS_CRYPT: + raise AnsibleError("crypt.crypt cannot be used as the 'crypt' python library is not installed or is unusable.", orig_exc=CRYPT_E) + if sys.platform.startswith('darwin'): raise AnsibleError("crypt.crypt not supported on Mac OS X/Darwin, install passlib python module") @@ -143,7 +153,7 @@ class PasslibHash(BaseHash): super(PasslibHash, self).__init__(algorithm) if not PASSLIB_AVAILABLE: - raise AnsibleError("passlib must be installed to hash with '%s'" % algorithm) + raise AnsibleError("passlib must be installed and usable to hash with '%s'" % algorithm, orig_exc=PASSLIB_E) try: self.crypt_algo = getattr(passlib.hash, algorithm) @@ -216,8 +226,10 @@ class PasslibHash(BaseHash): def passlib_or_crypt(secret, algorithm, salt=None, salt_size=None, rounds=None): if PASSLIB_AVAILABLE: return PasslibHash(algorithm).hash(secret, salt=salt, salt_size=salt_size, rounds=rounds) - else: + elif HAS_CRYPT: return CryptHash(algorithm).hash(secret, salt=salt, salt_size=salt_size, rounds=rounds) + else: + raise AnsibleError("Unable to encrypt nor hash, either crypt or passlib must be installed.", orig_exc=CRYPT_E) def do_encrypt(result, encrypt, salt_size=None, salt=None): diff --git a/test/units/utils/test_encrypt.py b/test/units/utils/test_encrypt.py index b3eb9cf372b..abf2683c04a 100644 --- a/test/units/utils/test_encrypt.py +++ b/test/units/utils/test_encrypt.py @@ -48,7 +48,7 @@ def assert_hash(expected, secret, algorithm, **settings): assert encrypt.passlib_or_crypt(secret, algorithm, **settings) == expected with pytest.raises(AnsibleError) as excinfo: encrypt.PasslibHash(algorithm).hash(secret, **settings) - assert excinfo.value.args[0] == "passlib must be installed to hash with '%s'" % algorithm + assert excinfo.value.args[0] == "passlib must be installed and usable to hash with '%s'" % algorithm @pytest.mark.skipif(sys.platform.startswith('darwin'), reason='macOS requires passlib')