Lookup password omit salt (#16361)

* Lookup unencrypted password must not include salt
* Integration test lookup: remove previous directory
* Test that lookup password doesn't return salt
* Lookup password: test behavior with empty encrypt parameter

Closes #16189

lib/ansible/plugins/lookup/password.py

@@ -137,20 +137,18 @@ class LookupModule(LookupBase):
 
                 password = content
                 salt = None
-                if params['encrypt'] is not None:
+
                 try:
-                        sep = content.rindex(' ')
+                    sep = content.rindex(' salt=')
                 except ValueError:
                     # No salt
                     pass
                 else:
-                        salt_field = content[sep + 1:]
+                    salt = password[sep + len(' salt='):]
-                        if salt_field.startswith('salt='):
                     password = content[:sep]
-                            salt = salt_field[len('salt='):]
 
+                if params['encrypt'] is not None and salt is None:
                     # crypt requested, add salt if missing
-                    if not salt:
                     salt = self.random_salt()
                     content = '%s salt=%s' % (password, salt)
                     with open(path, 'w') as f:

test/integration/roles/test_lookups/tasks/main.yml

@@ -35,10 +35,11 @@
 
 # PASSWORD LOOKUP
 
-- name: remove previous password files
+- name: remove previous password files and directory
-  file: dest={{output_dir}}/lookup/password state=absent
+  file: dest={{item}} state=absent
   with_items:
   - "{{output_dir}}/lookup/password"
+  - "{{output_dir}}/lookup/password_with_salt"
   - "{{output_dir}}/lookup"
 
 - name: create a password file
@@ -80,6 +81,59 @@
     that:
         - "wc_result.stdout == '9'"
         - "cat_result.stdout == newpass"
+        - "' salt=' not in cat_result.stdout"
+
+- name: fetch password from an existing file
+  set_fact:
+    pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: read password (again)
+  shell: cat {{output_dir}}/lookup/password
+  register: cat_result2
+
+- debug: var=cat_result2.stdout
+
+- name: verify password (again)
+  assert:
+    that:
+        - "cat_result2.stdout == newpass"
+        - "' salt=' not in cat_result2.stdout"
+
+
+
+- name: create a password (with salt) file
+  debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
+
+- name: read password and salt
+  shell: cat {{output_dir}}/lookup/password_with_salt
+  register: cat_pass_salt
+
+- debug: var=cat_pass_salt.stdout
+
+- name: fetch unencrypted password
+  set_fact:
+    newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
+
+- debug: var=newpass
+
+- name: verify password and salt
+  assert:
+    that:
+        - "cat_pass_salt.stdout != newpass"
+        - "cat_pass_salt.stdout.startswith(newpass)"
+        - "' salt=' in cat_pass_salt.stdout"
+        - "' salt=' not in newpass"
+
+
+- name: fetch unencrypted password (using empty encrypt parameter)
+  set_fact:
+    newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
+
+- name: verify lookup password behavior
+  assert:
+    that:
+        - "newpass == newpass2"
+
 
 # ENV LOOKUP