Lookup password omit salt (#16361)
* Lookup unencrypted password must not include salt
* Integration test lookup: remove previous directory
* Test that lookup password doesn't return salt
* Lookup password: test behavior with empty encrypt parameter

Closes #16189
parent
7ba71fc2d2
commit
b361bf90d7
2 changed files with 71 additions and 19 deletions
@ -137,25 +137,23 @@ class LookupModule(LookupBase):
|
||||||
|
|
||||||
password = content
|
password = content
|
||||||
salt = None
|
salt = None
|
||||||
if params['encrypt'] is not None:
|
|
||||||
try:
|
|
||||||
sep = content.rindex(' ')
|
|
||||||
except ValueError:
|
|
||||||
# No salt
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
salt_field = content[sep + 1:]
|
|
||||||
if salt_field.startswith('salt='):
|
|
||||||
password = content[:sep]
|
|
||||||
salt = salt_field[len('salt='):]
|
|
||||||
|
|
||||||
|
try:
|
||||||
|
sep = content.rindex(' salt=')
|
||||||
|
except ValueError:
|
||||||
|
# No salt
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
salt = password[sep + len(' salt='):]
|
||||||
|
password = content[:sep]
|
||||||
|
|
||||||
|
if params['encrypt'] is not None and salt is None:
|
||||||
# crypt requested, add salt if missing
|
# crypt requested, add salt if missing
|
||||||
if not salt:
|
salt = self.random_salt()
|
||||||
salt = self.random_salt()
|
content = '%s salt=%s' % (password, salt)
|
||||||
content = '%s salt=%s' % (password, salt)
|
with open(path, 'w') as f:
|
||||||
with open(path, 'w') as f:
|
os.chmod(path, 0o600)
|
||||||
os.chmod(path, 0o600)
|
f.write(content + '\n')
|
||||||
f.write(content + '\n')
|
|
||||||
|
|
||||||
if params['encrypt']:
|
if params['encrypt']:
|
||||||
password = do_encrypt(password, params['encrypt'], salt=salt)
|
password = do_encrypt(password, params['encrypt'], salt=salt)
|
||||||
|
|
|
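Review bot: The new guard `if params['encrypt'] is not None and salt is None:` still tests for None while the encryption step two lines below uses `if params['encrypt']:`, so an empty `encrypt=` parameter on a file that has no salt would — assuming the option parsing outside this hunk leaves '' rather than None — generate a salt, rewrite the password file with it, and then return the plaintext password anyway; `if params['encrypt'] and salt is None:` keeps the two conditions consistent and leaves a plaintext lookup read-only. The new line `salt = password[sep + len(' salt='):]` slices `password` while `sep` was computed on `content`; they hold the same string at that point, but slicing `content` on both lines would make the pairing with `password = content[:sep]` obvious. Independently of this change, `with open(path, 'w') as f:` creates the file with umask-derived permissions and only then `os.chmod(path, 0o600)` runs; opening through `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')` sets the mode at creation and removes that window. The enclosing method starts and ends outside the hunk.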
@ -35,10 +35,11 @@
|
||||||
|
|
||||||
# PASSWORD LOOKUP
|
# PASSWORD LOOKUP
|
||||||
|
|
||||||
- name: remove previous password files
|
- name: remove previous password files and directory
|
||||||
file: dest={{output_dir}}/lookup/password state=absent
|
file: dest={{item}} state=absent
|
||||||
with_items:
|
with_items:
|
||||||
- "{{output_dir}}/lookup/password"
|
- "{{output_dir}}/lookup/password"
|
||||||
|
- "{{output_dir}}/lookup/password_with_salt"
|
||||||
- "{{output_dir}}/lookup"
|
- "{{output_dir}}/lookup"
|
||||||
|
|
||||||
- name: create a password file
|
- name: create a password file
|
||||||
|
@ -80,6 +81,59 @@
|
||||||
that:
|
that:
|
||||||
- "wc_result.stdout == '9'"
|
- "wc_result.stdout == '9'"
|
||||||
- "cat_result.stdout == newpass"
|
- "cat_result.stdout == newpass"
|
||||||
|
- "' salt=' not in cat_result.stdout"
|
||||||
|
|
||||||
|
- name: fetch password from an existing file
|
||||||
|
set_fact:
|
||||||
|
pass2: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
|
||||||
|
|
||||||
|
- name: read password (again)
|
||||||
|
shell: cat {{output_dir}}/lookup/password
|
||||||
|
register: cat_result2
|
||||||
|
|
||||||
|
- debug: var=cat_result2.stdout
|
||||||
|
|
||||||
|
- name: verify password (again)
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "cat_result2.stdout == newpass"
|
||||||
|
- "' salt=' not in cat_result2.stdout"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
- name: create a password (with salt) file
|
||||||
|
debug: msg={{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=sha256_crypt') }}
|
||||||
|
|
||||||
|
- name: read password and salt
|
||||||
|
shell: cat {{output_dir}}/lookup/password_with_salt
|
||||||
|
register: cat_pass_salt
|
||||||
|
|
||||||
|
- debug: var=cat_pass_salt.stdout
|
||||||
|
|
||||||
|
- name: fetch unencrypted password
|
||||||
|
set_fact:
|
||||||
|
newpass: "{{ lookup('password', output_dir + '/lookup/password_with_salt') }}"
|
||||||
|
|
||||||
|
- debug: var=newpass
|
||||||
|
|
||||||
|
- name: verify password and salt
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "cat_pass_salt.stdout != newpass"
|
||||||
|
- "cat_pass_salt.stdout.startswith(newpass)"
|
||||||
|
- "' salt=' in cat_pass_salt.stdout"
|
||||||
|
- "' salt=' not in newpass"
|
||||||
|
|
||||||
|
|
||||||
|
- name: fetch unencrypted password (using empty encrypt parameter)
|
||||||
|
set_fact:
|
||||||
|
newpass2: "{{ lookup('password', output_dir + '/lookup/password_with_salt encrypt=') }}"
|
||||||
|
|
||||||
|
- name: verify lookup password behavior
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "newpass == newpass2"
|
||||||
|
|
||||||
|
|
||||||
# ENV LOOKUP
|
# ENV LOOKUP
|
||||||
|
|
||||||
|
|
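Review bot: The task `fetch unencrypted password (using empty encrypt parameter)` only exercises `encrypt=` against `password_with_salt`, a file that already carries a salt, so the case where an empty `encrypt=` meets a salt-less file (which the Python side of this commit still gates on `is not None` and would therefore append a salt to) is left untested; a companion task running `lookup('password', output_dir + '/lookup/password encrypt=')` followed by re-reading the plain `password` file and asserting `' salt=' not in` its content would pin that behavior. The `debug: var=cat_pass_salt.stdout` and `debug: var=newpass` tasks print the generated secret and its salt into the job log, which is fine for a throwaway fixture but deserves a comment such as `# debug output intentionally shows the test-generated secret` so the pattern is not copied into real playbooks.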