ansible/test/integration/targets/lookup_password/tasks/main.yml

- name: create a password file
  set_fact:
    newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"

- name: stat the password file directory
  stat: path="{{output_dir}}/lookup"
  register: result

- name: assert the directory's permissions
  assert:
    that:
    - result.stat.mode == '0700'

- name: stat the password file
  stat: path="{{output_dir}}/lookup/password"
  register: result

- name: assert the directory's permissions
  assert:
    that:
    - result.stat.mode == '0600'

- name: get password length
  shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
  register: wc_result

- debug: var=wc_result.stdout

- name: read password
  shell: cat {{output_dir}}/lookup/password
  register: cat_result

- debug: var=cat_result.stdout

- name: verify password
  assert:
    that:
        - "wc_result.stdout == '9'"
        - "cat_result.stdout == newpass"
        - "' salt=' not in cat_result.stdout"

- name: fetch password from an existing file
  set_fact:
    pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"

- name: read password (again)
  shell: cat {{output_dir}}/lookup/password
  register: cat_result2

- debug: var=cat_result2.stdout

- name: verify password (again)
  assert:
    that:
        - "cat_result2.stdout == newpass"
        - "' salt=' not in cat_result2.stdout"



- name: create a password (with salt) file
  debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}

- name: read password and salt
  shell: cat {{output_dir}}/lookup/password_with_salt
  register: cat_pass_salt

- debug: var=cat_pass_salt.stdout

- name: fetch unencrypted password
  set_fact:
    newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"

- debug: var=newpass

- name: verify password and salt
  assert:
    that:
        - "cat_pass_salt.stdout != newpass"
        - "cat_pass_salt.stdout.startswith(newpass)"
        - "' salt=' in cat_pass_salt.stdout"
        - "' salt=' not in newpass"


- name: fetch unencrypted password (using empty encrypt parameter)
  set_fact:
    newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"

- name: verify lookup password behavior
  assert:
    that:
        - "newpass == newpass2"

- name: verify that we can generate a 1st password without writing it
  set_fact:
    newpass: "{{ lookup('password', '/dev/null') }}"

- name: verify that we can generate a 2nd password without writing it
  set_fact:
    newpass2: "{{ lookup('password', '/dev/null') }}"

- name: verify lookup password behavior with /dev/null
  assert:
    that:
        - "newpass != newpass2"

- name: test both types of args and that seed guarantees same results
  vars:
    pns: "{{passwords_noseed['results']}}"
    inl: "{{passwords_inline['results']}}"
    kv: "{{passwords['results']}}"
    l: [1, 2, 3]
  block:
  - name: generate passwords w/o seed
    debug:
      msg: '{{ lookup("password", "/dev/null")}}'
    loop: "{{ l }}"
    register: passwords_noseed

  - name: verify they are all different, this is not guaranteed, but statisically almost impossible
    assert:
      that:
        - pns[0]['msg'] != pns[1]['msg']
        - pns[0]['msg'] != pns[2]['msg']
        - pns[1]['msg'] != pns[2]['msg']

  - name: generate passwords, with seed inline
    debug:
      msg: '{{ lookup("password", "/dev/null seed=foo")}}'
    loop: "{{ l }}"
    register: passwords_inline

  - name: verify they are all the same
    assert:
      that:
        - inl[0]['msg'] == inl[1]['msg']
        - inl[0]['msg'] == inl[2]['msg']

  - name: generate passwords, with seed k=v
    debug:
      msg: '{{ lookup("password", "/dev/null", seed="foo")}}'
    loop: "{{ l }}"
    register: passwords

  - name: verify they are all the same
    assert:
      that:
        - kv[0]['msg'] == kv[1]['msg']
        - kv[0]['msg'] == kv[2]['msg']
        - kv[0]['msg'] == inl[0]['msg']