authorGaudenz Steinlin <gaudenz@users.noreply.github.com>2022-11-29 16:26:30 +0100
committerGitHub <noreply@github.com>2022-11-29 16:26:30 +0100
commitc33a782a9c1e6d1e6b900c0eed642dfd3defac1c (patch)
tree5825886dc8fbaa0cc0ddf34c16bfc7b320a0c14e
parent3936b5c471068d86c3e51a454a1de2f0d2942845 (diff)
Fix password lookup rewrites file when using encrypt (#79431)
* Remove unused mock from test_password_already_created_encrypt The _get_paths mock is never used in the test_password_already_created_encrypt test case. * Add test to assert the password file is not rewritten If the password file already contains the salt and the hashing algorithm does not use the ident parameter, the password lookup should not write to the password file. * Fix "changed" if using "encrypt" in password lookup When using the "encrypt" parameter to the password lookup without the ident parameter, the password file was always marked as "changed". This caused the file to be rewritten with the same content. This is fixed by only marking the file as changed, if an "ident" value needs to be added to the file. Fixes #79430. Add changelog entry
-rw-r--r--changelogs/fragments/79431-fix-password-lookup-rewrites.yml2
-rw-r--r--lib/ansible/plugins/lookup/password.py3
-rw-r--r--test/units/plugins/lookup/test_password.py7
3 files changed, 8 insertions, 4 deletions
diff --git a/changelogs/fragments/79431-fix-password-lookup-rewrites.yml b/changelogs/fragments/79431-fix-password-lookup-rewrites.yml
new file mode 100644
index 0000000000..36f1555339
--- /dev/null
+++ b/changelogs/fragments/79431-fix-password-lookup-rewrites.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Fixes the password lookup to not rewrite files if they are not changed when using the "encrypt" parameter (#79430).
diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py
index 06ea8b36b1..06a011a240 100644
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@@ -366,11 +366,12 @@ class LookupModule(LookupBase):
ident = params['ident']
if encrypt and not ident:
- changed = True
try:
ident = BaseHash.algorithms[encrypt].implicit_ident
except KeyError:
ident = None
+ if ident:
+ changed = True
if changed and b_path != to_bytes('/dev/null'):
content = _format_content(plaintext_password, salt, encrypt=encrypt, ident=ident)
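Review bot: The new `if ident: changed = True` branch carries no explanation of why a resolved implicit ident must force a write while the KeyError path (ident left as None) must not, which is exactly the distinction that the unconditional `changed = True` it replaces got wrong and that #79430 reports; a one-line comment would stop a later cleanup from folding it back. Suggest, above the `if ident:` line, `# Persist an implicit ident so the next lookup reads it back and the file stays stable; an algorithm missing from BaseHash.algorithms leaves ident=None and must not rewrite the file.` Since the write that follows `_format_content` rewrites a file holding a secret, it is worth stating in that comment that the write is reached only when the stored content actually differs. The enclosing method continues outside the hunk, and `changed` appears to be initialised earlier in it — worth confirming that no other path sets it for this case.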
diff --git a/test/units/plugins/lookup/test_password.py b/test/units/plugins/lookup/test_password.py
index 15207b2f39..39aa8b9a7b 100644
--- a/test/units/plugins/lookup/test_password.py
+++ b/test/units/plugins/lookup/test_password.py
@@ -520,10 +520,8 @@ class TestLookupModuleWithPasslib(BaseTestLookupModule):
self.assertEqual(int(str_parts[2]), crypt_parts['rounds'])
self.assertIsInstance(result, text_type)
- @patch.object(PluginLoader, '_get_paths')
@patch('ansible.plugins.lookup.password._write_password_file')
- def test_password_already_created_encrypt(self, mock_get_paths, mock_write_file):
- mock_get_paths.return_value = ['/path/one', '/path/two', '/path/three']
+ def test_password_already_created_encrypt(self, mock_write_file):
password.os.path.exists = lambda x: x == to_bytes('/path/to/somewhere')
with patch.object(builtins, 'open', mock_open(read_data=b'hunter42 salt=87654321\n')) as m:
@@ -531,6 +529,9 @@ class TestLookupModuleWithPasslib(BaseTestLookupModule):
for result in results:
self.assertEqual(result, u'$pbkdf2-sha256$20000$ODc2NTQzMjE$Uikde0cv0BKaRaAXMrUQB.zvG4GmnjClwjghwIRf2gU')
+ # Assert the password file is not rewritten
+ mock_write_file.assert_not_called()
+
@pytest.mark.skipif(passlib is None, reason='passlib must be installed to run these tests')
class TestLookupModuleWithPasslibWrappedAlgo(BaseTestLookupModule):
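Review bot: `mock_write_file.assert_not_called()` only pins the no-write side of the fix; nothing in this commit asserts the complementary case where the algorithm resolves an implicit ident and the file must be rewritten exactly once (`mock_write_file.assert_called_once()`), so a regression that never sets `changed` at all would pass this test, unless such a case is already covered elsewhere in the file. A short comment on the new assertion naming the precondition would also help, e.g. `# Salt already present and pbkdf2-sha256 has no implicit ident, so nothing needs to be added to the file`. The assertion sits inside test_password_already_created_encrypt, whose definition starts in the previous hunk, and the class continues past the hunk.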