Lookup password omit salt (#16361)
* Lookup unencrypted password must not include salt * Integration test lookup: remove previous directory * Test that lookup password doesn't return salt * Lookup password: test behavior with empty encrypt parameter Closes #16189
This commit is contained in:
parent
7ba71fc2d2
commit
b361bf90d7
2 changed files with 71 additions and 19 deletions
@ -137,25 +137,23 @@ class LookupModule(LookupBase):
|
|||
|
||||
password = content
|
||||
salt = None
|
||||
if params['encrypt'] is not None:
|
||||
try:
|
||||
sep = content.rindex(' ')
|
||||
except ValueError:
|
||||
# No salt
|
||||
pass
|
||||
else:
|
||||
salt_field = content[sep + 1:]
|
||||
if salt_field.startswith('salt='):
|
||||
password = content[:sep]
|
||||
salt = salt_field[len('salt='):]
|
||||
|
||||
try:
|
||||
sep = content.rindex(' salt=')
|
||||
except ValueError:
|
||||
# No salt
|
||||
pass
|
||||
else:
|
||||
salt = password[sep + len(' salt='):]
|
||||
password = content[:sep]
|
||||
|
||||
if params['encrypt'] is not None and salt is None:
|
||||
# crypt requested, add salt if missing
|
||||
if not salt:
|
||||
salt = self.random_salt()
|
||||
content = '%s salt=%s' % (password, salt)
|
||||
with open(path, 'w') as f:
|
||||
os.chmod(path, 0o600)
|
||||
f.write(content + '\n')
|
||||
salt = self.random_salt()
|
||||
content = '%s salt=%s' % (password, salt)
|
||||
with open(path, 'w') as f:
|
||||
os.chmod(path, 0o600)
|
||||
f.write(content + '\n')
|
||||
|
||||
if params['encrypt']:
|
||||
password = do_encrypt(password, params['encrypt'], salt=salt)
|
||||
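Review bot: The guard `if params['encrypt'] is not None and salt is None:` still treats an empty `encrypt=` as a request to generate and persist a salt, so on a plain password file with no ` salt=` suffix the lookup rewrites the file with a salt appended while the final `if params['encrypt']:` then returns the password unencrypted; this assumes the option parser (outside the hunk) yields `''` rather than `None` for `encrypt=`, which the new `encrypt=` integration case suggests. If an empty value is meant as "no encryption", the file write should be keyed on the same truthiness as the encrypt call, `if params['encrypt'] and salt is None:`, so a read-only lookup never changes the file on disk. On a smaller note, `salt = password[sep + len(' salt='):]` slices `password` where the neighbouring lines slice `content` — they are the same string at that point, but `salt = content[sep + len(' salt='):]` reads more consistently with `password = content[:sep]` below it. The enclosing method starts and ends outside the hunk.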
@ -35,10 +35,11 @@
|
|||
|
||||
# PASSWORD LOOKUP
|
||||
|
||||
- name: remove previous password files
|
||||
file: dest={{output_dir}}/lookup/password state=absent
|
||||
- name: remove previous password files and directory
|
||||
file: dest={{item}} state=absent
|
||||
with_items:
|
||||
- "{{output_dir}}/lookup/password"
|
||||
- "{{output_dir}}/lookup/password_with_salt"
|
||||
- "{{output_dir}}/lookup"
|
||||
|
||||
- name: create a password file
|
||||
|
@ -80,6 +81,59 @@
|
|||
that:
|
||||
- "wc_result.stdout == '9'"
|
||||
- "cat_result.stdout == newpass"
|
||||
- "' salt=' not in cat_result.stdout"
|
||||
|
||||
- name: fetch password from an existing file
|
||||
set_fact:
|
||||
pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
|
||||
|
||||
- name: read password (again)
|
||||
shell: cat {{output_dir}}/lookup/password
|
||||
register: cat_result2
|
||||
|
||||
- debug: var=cat_result2.stdout
|
||||
|
||||
- name: verify password (again)
|
||||
assert:
|
||||
that:
|
||||
- "cat_result2.stdout == newpass"
|
||||
- "' salt=' not in cat_result2.stdout"
|
||||
|
||||
|
||||
|
||||
- name: create a password (with salt) file
|
||||
debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
|
||||
|
||||
- name: read password and salt
|
||||
shell: cat {{output_dir}}/lookup/password_with_salt
|
||||
register: cat_pass_salt
|
||||
|
||||
- debug: var=cat_pass_salt.stdout
|
||||
|
||||
- name: fetch unencrypted password
|
||||
set_fact:
|
||||
newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
|
||||
|
||||
- debug: var=newpass
|
||||
|
||||
- name: verify password and salt
|
||||
assert:
|
||||
that:
|
||||
- "cat_pass_salt.stdout != newpass"
|
||||
- "cat_pass_salt.stdout.startswith(newpass)"
|
||||
- "' salt=' in cat_pass_salt.stdout"
|
||||
- "' salt=' not in newpass"
|
||||
|
||||
|
||||
- name: fetch unencrypted password (using empty encrypt parameter)
|
||||
set_fact:
|
||||
newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
|
||||
|
||||
- name: verify lookup password behavior
|
||||
assert:
|
||||
that:
|
||||
- "newpass == newpass2"
|
||||
|
||||
|
||||
# ENV LOOKUP
|
||||
|
||||
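Review bot: The encrypted lookup at `debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}` only prints the hash, so nothing checks the property the persisted salt exists for: that a second encrypted lookup of the same file returns the same hash, and that the hash differs from the plaintext `newpass`. Capturing the value with set_fact and looking it up a second time would pin that down (assuming do_encrypt is deterministic for a fixed salt, which is the reason for storing it). The `encrypt=` case at `newpass2` is exercised only against the file that already carries a salt; a matching check against the salt-less `lookup/password` file, asserting its content is unchanged afterwards, would cover the `is not None` guard in the plugin. The `debug: var=cat_pass_salt.stdout` and `debug: var=newpass` tasks also echo the generated password and salt into the test log, which is fine for throwaway fixtures but worth keeping out of any output that is retained.
```yaml
- name: create a password (with salt) file
  set_fact:
    pass_enc: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}"

# … unchanged: read password and salt, fetch unencrypted password, verify password and salt …

- name: fetch encrypted password again (stored salt is reused)
  set_fact:
    pass_enc2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}"

- name: verify encrypted lookup is stable and differs from plaintext
  assert:
    that:
      - "pass_enc == pass_enc2"
      - "pass_enc != newpass"
```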