-rw-r--r-- | changelogs/fragments/password_lookup_fix.yml | 2 | ||||
-rw-r--r-- | lib/ansible/plugins/lookup/password.py | 18 | ||||
-rw-r--r-- | test/integration/targets/lookup_password/tasks/main.yml | 45 |
3 files changed, 57 insertions, 8 deletions
diff --git a/changelogs/fragments/password_lookup_fix.yml b/changelogs/fragments/password_lookup_fix.yml new file mode 100644 index 0000000000..e59e7b2638 --- /dev/null +++ b/changelogs/fragments/password_lookup_fix.yml @@ -0,0 +1,2 @@ +bugfixes: + - password lookup does not ignore k=v arguments anymore. diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py index f87939b647..855c4b1b9b 100644 --- a/lib/ansible/plugins/lookup/password.py +++ b/lib/ansible/plugins/lookup/password.py @@ -124,7 +124,6 @@ _raw: import os import string import time -import shutil import hashlib from ansible.errors import AnsibleError, AnsibleAssertionError @@ -139,12 +138,15 @@ DEFAULT_LENGTH = 20 VALID_PARAMS = frozenset(('length', 'encrypt', 'chars', 'ident', 'seed')) -def _parse_parameters(term): +def _parse_parameters(term, kwargs=None): """Hacky parsing of params See https://github.com/ansible/ansible-modules-core/issues/1968#issuecomment-136842156 and the first_found lookup For how we want to fix this later """ + if kwargs is None: + kwargs = {} + first_split = term.split(' ', 1) if len(first_split) <= 1: # Only a single argument given, therefore it's a path 
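Review bot: The docstring of `_parse_parameters` is left as it was although the signature gains `kwargs`, so nothing records what the new argument is or which source wins when a key is supplied both inline and as a keyword. Judging by the later hunk in this file, inline `key=value` pairs in `term` take precedence and `kwargs` is only a fallback. A docstring line such as `kwargs: keyword arguments given to the lookup, used only when the same key is absent from term` would state that. The function body continues outside this hunk.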
@@ -172,12 +174,12 @@ def _parse_parameters(term): raise AnsibleError('Unrecognized parameter(s) given to password lookup: %s' % ', '.join(invalid_params)) # Set defaults - params['length'] = int(params.get('length', DEFAULT_LENGTH)) - params['encrypt'] = params.get('encrypt', None) - params['ident'] = params.get('ident', None) - params['seed'] = params.get('seed', None) + params['length'] = int(params.get('length', kwargs.get('length', DEFAULT_LENGTH))) + params['encrypt'] = params.get('encrypt', kwargs.get('encrypt', None)) + params['ident'] = params.get('ident', kwargs.get('ident', None)) + params['seed'] = params.get('seed', kwargs.get('seed', None)) - params['chars'] = params.get('chars', None) + params['chars'] = params.get('chars', kwargs.get('chars', None)) if params['chars']: tmp_chars = [] if u',,' in params['chars']: @@ -338,7 +340,7 @@ class LookupModule(LookupBase): ret = [] for term in terms: - relpath, params = _parse_parameters(term) + relpath, params = _parse_parameters(term, kwargs) path = self._loader.path_dwim(relpath) b_path = to_bytes(path, errors='surrogate_or_strict') chars = _gen_candidate_chars(params['chars']) diff --git a/test/integration/targets/lookup_password/tasks/main.yml b/test/integration/targets/lookup_password/tasks/main.yml index 4eeef151f8..dacf032db3 100644 --- a/test/integration/targets/lookup_password/tasks/main.yml +++ b/test/integration/targets/lookup_password/tasks/main.yml 
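Review bot: Keys in `kwargs` are never checked against `VALID_PARAMS` in the `# Set defaults` block. The `Unrecognized parameter(s)` error just above it is built from the inline parameters only, and the new `kwargs.get(...)` calls read the five known keys and silently drop anything else. A misspelled keyword such as `lenght=32` would therefore yield a default-length password with no error, which matters for a plugin that generates secrets, unless the caller filters keywords somewhere not visible here. Consider rejecting unknown keys the same way, e.g. `invalid_kwargs = frozenset(kwargs).difference(VALID_PARAMS)` followed by `if invalid_kwargs: raise AnsibleError('Unrecognized parameter(s) given to password lookup: %s' % ', '.join(invalid_kwargs))`; if the framework can add keys of its own to `kwargs`, exclude those first. The existing validation and the rest of `_parse_parameters` lie outside the hunk.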
@@ -102,3 +102,48 @@ assert: that: - "newpass != newpass2" + +- name: test both types of args and that seed guarantees same results + vars: + pns: "{{passwords_noseed['results']}}" + inl: "{{passwords_inline['results']}}" + kv: "{{passwords['results']}}" + l: [1, 2, 3] + block: + - name: generate passwords w/o seed + debug: + msg: '{{ lookup("password", "/dev/null")}}' + loop: "{{ l }}" + register: passwords_noseed + + - name: verify they are all different, this is not guaranteed, but statisically almost impossible + assert: + that: + - pns[0]['msg'] != pns[1]['msg'] + - pns[0]['msg'] != pns[2]['msg'] + - pns[1]['msg'] != pns[2]['msg'] + + - name: generate passwords, with seed inline + debug: + msg: '{{ lookup("password", "/dev/null seed=foo")}}' + loop: "{{ l }}" + register: passwords_inline + + - name: verify they are all the same + assert: + that: + - inl[0]['msg'] == inl[1]['msg'] + - inl[0]['msg'] == inl[2]['msg'] + + - name: generate passwords, with seed k=v + debug: + msg: '{{ lookup("password", "/dev/null", seed="foo")}}' + loop: "{{ l }}" + register: passwords + + - name: verify they are all the same + assert: + that: + - kv[0]['msg'] == kv[1]['msg'] + - kv[0]['msg'] == kv[2]['msg'] + - kv[0]['msg'] == inl[0]['msg'] |
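Review bot: Only `seed` is exercised through the new keyword path, while `length`, `chars`, `encrypt` and `ident` now also fall back to keyword arguments in `password.py`. Nothing here checks which value wins when the same key is given both inline and as a keyword. An assertion such as `lookup("password", "/dev/null", length=8) | length == 8`, plus one task that passes `length` both ways, would pin the behaviour the changelog fragment describes. A task passing a misspelled keyword would also document whether unknown keywords are rejected or ignored.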