Merge pull request #334 from rjeffman/fix_ipavault_salt_update

Fix ipavault `salt` update.
2026-03-26 21:33:05 +00:00 · 2020-08-17 19:26:14 +02:00
parent 9a3f08b6c9 3c2700f68b
commit 0af8f35e83
3 changed files with 83 additions and 37 deletions
--- a/README-vault.md
+++ b/README-vault.md
@@ -197,7 +197,7 @@ Example playbook to make sure vault is absent:
      state: absent
    register: result
  - debug:
-      msg: "{{ result.data }}"
+      msg: "{{ result.vault.data }}"
 ```

 Variables
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -243,7 +243,7 @@ EXAMPLES = """
    state: retrieved
  register: result
 - debug:
-    msg: "{{ result.data }}"
+    msg: "{{ result.vault.data }}"

 # Change password of a symmetric vault
 - ipavault:
@@ -494,8 +494,10 @@ def check_encryption_params(module, state, action, vault_type, salt,
                            new_password, new_password_file, res_find):
    vault_type_invalid = []

-    if res_find is not None:
+    if vault_type is None and res_find is not None:
        vault_type = res_find['ipavaulttype']
+        if isinstance(vault_type, (tuple, list)):
+            vault_type = vault_type[0]

    if vault_type == "standard":
        vault_type_invalid = ['public_key', 'public_key_file', 'password',
@@ -515,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt,
            module.fail_json(
                msg="Cannot modify password of inexistent vault.")

+        if (
+            salt is not None
+            and not(
+                any([password, password_file])
+                and any([new_password, new_password_file])
+            )
+        ):
+            module.fail_json(
+                msg="Vault `salt` can only change when changing the password.")
+
    if vault_type == "asymmetric":
        vault_type_invalid = [
            'password', 'password_file', 'new_password', 'new_password_file'
@@ -766,7 +778,12 @@ def main():
                            commands.append([name, "vault_mod_internal", args])

                    else:
+                        if vault_type == 'symmetric' \
+                           and 'ipavaultsalt' not in args:
+                            args['ipavaultsalt'] = os.urandom(32)
+
                        commands.append([name, "vault_add_internal", args])
+
                        if vault_type != 'standard' and vault_data is None:
                            vault_data = ''

@@ -824,14 +841,6 @@ def main():
                        commands.append(
                            [name, 'vault_remove_owner', owner_del_args])

-                    if vault_type == 'symmetric' \
-                       and 'ipavaultsalt' not in args:
-                        args['ipavaultsalt'] = os.urandom(32)
-
-                    if vault_type == 'symmetric' \
-                       and 'ipavaultsalt' not in args:
-                        args['ipavaultsalt'] = os.urandom(32)
-
                elif action in "member":
                    # Add users and groups
                    if any([users, groups, services]):
--- a/tests/vault/test_vault_symmetric.yml
+++ b/tests/vault/test_vault_symmetric.yml
@@ -178,6 +178,15 @@
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed

+  - name: Retrieve data from symmetric vault, with wrong password.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeWRONGpassword
+      state: retrieved
+    register: result
+    failed_when: not result.failed or "Invalid credentials" not in result.msg
+
  - name: Change vault password.
    ipavault:
      ipaadmin_password: SomeADMINpassword
@@ -187,24 +196,6 @@
    register: result
    failed_when: not result.changed

-  - name: Retrieve data from symmetric vault, with wrong password.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      password: SomeVAULTpassword
-      state: retrieved
-    register: result
-    failed_when: not result.failed or "Invalid credentials" not in result.msg
-
-  - name: Change vault password, with wrong `old_password`.
-    ipavault:
-      ipaadmin_password: SomeADMINpassword
-      name: symvault
-      password: SomeVAULTpassword
-      new_password: SomeNEWpassword
-    register: result
-    failed_when: not result.failed or "Invalid credentials" not in result.msg
-
  - name: Retrieve data from symmetric vault, with new password.
    ipavault:
      ipaadmin_password: SomeADMINpassword
@@ -214,24 +205,70 @@
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed

-  - name: Try to add vault with multiple passwords.
+  - name: Retrieve data from symmetric vault, with old password.
    ipavault:
      ipaadmin_password: SomeADMINpassword
-      name: inexistentvault
+      name: symvault
      password: SomeVAULTpassword
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      state: retrieved
    register: result
-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
+    failed_when: not result.failed or "Invalid credentials" not in result.msg

-  - name: Try to add vault with multiple new passwords.
+  - name: Change symmetric vault salt, changing password
    ipavault:
      ipaadmin_password: SomeADMINpassword
-      name: inexistentvault
+      name: symvault
+      password: SomeNEWpassword
+      new_password: SomeVAULTpassword
+      salt: AAAAAAAAAAAAAAAAAAAAAAA=
+    register: result
+    failed_when: not result.changed
+
+  - name: Change symmetric vault salt, without changing password
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
      password: SomeVAULTpassword
      new_password: SomeVAULTpassword
-      new_password_file: "{{ ansible_env.HOME }}/password.txt"
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
    register: result
-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
+    failed_when: not result.changed
+
+  - name: Try to change symmetric vault salt, without providing any password
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
+    register: result
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, without providing `password`
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
+      new_password: SomeVAULTpassword
+    register: result
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, without providing `new_password`
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, using wrong password.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeWRONGpassword
+      new_password: SomeWRONGpassword
+      salt: MDEyMzQ1Njc4OTAxMjM0NQo=
+    register: result
+    failed_when: not result.failed

  - name: Ensure symmetric vault is absent
    ipavault: