From 3e5c54d4fdb10deda9b7e4deaf2c537b132711c9 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 31 Jul 2020 11:30:51 -0300 Subject: [PATCH 1/6] Fix identification of existing vault type. In some scenarios, the value of the vault type is returned as a tuple, rather than a string, this made some changes to existing vault to fail. With this change, the vault type is correctly retrieved, if it was not provided by the user. --- plugins/modules/ipavault.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index 6a3c73e8..8562ff72 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -494,8 +494,10 @@ def check_encryption_params(module, state, action, vault_type, salt, new_password, new_password_file, res_find): vault_type_invalid = [] - if res_find is not None: + if vault_type is None and res_find is not None: vault_type = res_find['ipavaulttype'] + if isinstance(vault_type, (tuple, list)): + vault_type = vault_type[0] if vault_type == "standard": vault_type_invalid = ['public_key', 'public_key_file', 'password', From d52364bac923f2935b948882d5825e7488b0e9cf Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 31 Jul 2020 11:32:36 -0300 Subject: [PATCH 2/6] Fix random salt generation. The generation of a random salt, when one was not provided, was in the wrong place and being generated too late to be used properly. Also, the generation of the value was duplicated. --- plugins/modules/ipavault.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index 8562ff72..dffd9722 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py 
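Review bot: The new `vault_type[0]` unwrap raises IndexError when `res_find['ipavaulttype']` is an empty tuple or list, because the `isinstance` check does not test for emptiness; `vault_type = vault_type[0] if vault_type else None` lets the later type checks report the problem instead of a traceback. Separately, the lookup is now skipped whenever the caller supplied `vault_type`, so a requested type that differs from the stored `ipavaulttype` is validated against the requested one; if that mismatch is not rejected further down, a comparison with a clear `fail_json` message would catch it. Indentation is lost in this listing, so whether the unwrap sits inside the `if` is inferred; check_encryption_params continues outside the hunk.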
@@ -768,7 +768,12 @@ def main(): commands.append([name, "vault_mod_internal", args]) else: + if vault_type == 'symmetric' \ + and 'ipavaultsalt' not in args: + args['ipavaultsalt'] = os.urandom(32) + commands.append([name, "vault_add_internal", args]) + if vault_type != 'standard' and vault_data is None: vault_data = '' @@ -826,14 +831,6 @@ def main(): commands.append( [name, 'vault_remove_owner', owner_del_args]) - if vault_type == 'symmetric' \ - and 'ipavaultsalt' not in args: - args['ipavaultsalt'] = os.urandom(32) - - if vault_type == 'symmetric' \ - and 'ipavaultsalt' not in args: - args['ipavaultsalt'] = os.urandom(32) - elif action in "member": # Add users and groups if any([users, groups, services]): From daee6a6c744a740329ca231a277229567619e10c Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 31 Jul 2020 11:33:47 -0300 Subject: [PATCH 3/6] Fix verification of parameters for modifying `salt` attribute. When modifying an existing vault to change the value of `salt`, the password must also change. It is fine to "change" the password to the same value, thus only changing the salt value. --- plugins/modules/ipavault.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index dffd9722..a608e64d 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -517,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt, module.fail_json( msg="Cannot modify password of inexistent vault.") + if ( + salt is not None + and not( + any([password, password_file]) + and any([new_password, new_password_file]) + ) + ): + module.fail_json( + msg="Vault `salt` can only change when changing the password.") + if vault_type == "asymmetric": vault_type_invalid = [ 'password', 'password_file', 'new_password', 'new_password_file' From 4ef4e706b79fdbb43e462b1a7130fc2cad5894b2 Mon Sep 17 00:00:00 2001 
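Review bot: The relocated salt block keeps the backslash-continued condition, which fits on one line as `if vault_type == 'symmetric' and 'ipavaultsalt' not in args:`; PEP 8 prefers that over a backslash. A one-line why-comment above it, `# Symmetric vault: generate a random salt when the caller did not supply one`, would explain the placement before `vault_add_internal`. `os.urandom(32)` is the appropriate source for this value, so no change there; main() continues outside the hunk.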
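Review bot: The new salt check appears to sit at function level beside `if vault_type == "asymmetric":` (indentation is not recoverable in this listing), in which case it also fires when a symmetric vault is being created with an explicit `salt` and `password`: `new_password` is absent on creation, so the add is rejected with a message about changing the password. Restricting the rule to existing vaults, `if res_find is not None and salt is not None and not (`, matches what the message describes. Minor: `not(` should be `not (`. check_encryption_params continues outside the hunk.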
From: Rafael Guterres Jeffman Date: Fri, 31 Jul 2020 11:42:13 -0300 Subject: [PATCH 4/6] Modify tests to verify password was changed correctly. Modify and add tests to verify that a password change has the correct effect on ipavault. --- tests/vault/test_vault_symmetric.yml | 58 ++++++++++++++++------------ 1 file changed, 34 insertions(+), 24 deletions(-) diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml index bedc221d..92943319 100644 --- a/tests/vault/test_vault_symmetric.yml +++ b/tests/vault/test_vault_symmetric.yml @@ -178,6 +178,15 @@ register: result failed_when: result.vault.data != 'Hello World.' or result.changed + - name: Retrieve data from symmetric vault, with wrong password. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeWRONGpassword + state: retrieved + register: result + failed_when: not result.failed or "Invalid credentials" not in result.msg + - name: Change vault password. ipavault: ipaadmin_password: SomeADMINpassword @@ -187,24 +196,6 @@ register: result failed_when: not result.changed - - name: Retrieve data from symmetric vault, with wrong password. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeVAULTpassword - state: retrieved - register: result - failed_when: not result.failed or "Invalid credentials" not in result.msg - - - name: Change vault password, with wrong `old_password`. - ipavault: - ipaadmin_password: SomeADMINpassword - name: symvault - password: SomeVAULTpassword - new_password: SomeNEWpassword - register: result - failed_when: not result.failed or "Invalid credentials" not in result.msg - - name: Retrieve data from symmetric vault, with new password. ipavault: ipaadmin_password: SomeADMINpassword 
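Review bot: The negative case `Change vault password, with wrong old_password` is removed by the next hunk in this file and not re-added, so after this patch nothing in the visible tests checks that a password change is refused when the current password is wrong (patch 5/6 adds a wrong-password case only in combination with `salt`). Keeping that task, placed after the new `Retrieve data from symmetric vault, with wrong password.` task and asserting `failed_when: not result.failed or "Invalid credentials" not in result.msg`, preserves that coverage. If the file covers it elsewhere outside these hunks, ignore this.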
@@ -212,18 +203,37 @@ password: SomeNEWpassword state: retrieved register: result - failed_when: result.vault.data != 'Hello World.' or result.changed + failed_when: result.data != 'Hello World.' or result.changed - - name: Try to add vault with multiple passwords. + - name: Retrieve data from symmetric vault, with old password. ipavault: ipaadmin_password: SomeADMINpassword - name: inexistentvault + name: symvault password: SomeVAULTpassword - password_file: "{{ ansible_env.HOME }}/password.txt" + state: retrieved register: result - failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg + failed_when: not result.failed or "Invalid credentials" not in result.msg + + - name: Change symmetric vault salt, changing password + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeNEWpassword + new_password: SomeVAULTpassword + salt: AAAAAAAAAAAAAAAAAAAAAAA= + register: result + failed_when: not result.changed + + - name: Change symmetric vault salt, without changing password + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeVAULTpassword + new_password: SomeVAULTpassword + salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= + register: result + failed_when: not result.changed - - name: Try to add vault with multiple new passwords. ipavault: ipaadmin_password: SomeADMINpassword name: inexistentvault From 8ca282e276477b52d0850d4c01feb3d8e7a5be6d Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Fri, 31 Jul 2020 11:44:33 -0300 Subject: [PATCH 5/6] Modified and added tests to verify correct `salt` update behavior. --- tests/vault/test_vault_symmetric.yml | 37 ++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 5 deletions(-) diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml index 92943319..1604a018 100644 --- a/tests/vault/test_vault_symmetric.yml +++ b/tests/vault/test_vault_symmetric.yml 
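Review bot: The two new salt-change tasks assert only `not result.changed`, so a salt update that leaves the vault unreadable would still pass; each should be followed by a retrieve task using the password that task set, checking the stored data is intact. The hunk also removes `- name: Try to add vault with multiple new passwords.` while keeping its `ipavault:` body, so within this commit the play has a task body with no list item (patch 5/6 later adds a new `- name:` above it); moving that rename into this commit keeps every commit parseable. The `result.vault.data` to `result.data` change here is reverted by patch 6/6, so `result.vault.data` is the field to assert on.
```yaml
# … unchanged: "Change symmetric vault salt, changing password" task …
  - name: Retrieve data after salt change, with the password just set.
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: SomeVAULTpassword
      state: retrieved
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed
# … unchanged: "Change symmetric vault salt, without changing password" task, followed by the same retrieve check …
```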
@@ -234,14 +234,41 @@ register: result failed_when: not result.changed + - name: Try to change symmetric vault salt, without providing any password ipavault: ipaadmin_password: SomeADMINpassword - name: inexistentvault - password: SomeVAULTpassword - new_password: SomeVAULTpassword - new_password_file: "{{ ansible_env.HOME }}/password.txt" + name: symvault + salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= register: result - failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg + failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg + + - name: Try to change symmetric vault salt, without providing `password` + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= + new_password: SomeVAULTpassword + register: result + failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg + + - name: Try to change symmetric vault salt, without providing `new_password` + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + salt: MTIzNDU2Nzg5MDEyMzQ1Ngo= + password: SomeVAULTpassword + register: result + failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg + + - name: Try to change symmetric vault salt, using wrong password. + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + password: SomeWRONGpassword + new_password: SomeWRONGpassword + salt: MDEyMzQ1Njc4OTAxMjM0NQo= + register: result + failed_when: not result.failed - name: Ensure symmetric vault is absent ipavault: From 3c2700f68beade3513e0e44415d8eb4fb23026e8 Mon Sep 17 00:00:00 2001 
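Review bot: The three `failed_when` lines for the no-password, no-`password` and no-`new_password` salt tasks join the two conditions with `and`, so a task that fails for any unrelated reason satisfies the check and the expected salt message is never verified; every other assertion in this file uses `or`. Change the `and` after `not result.failed` to `or` in all three lines. The final `using wrong password` task checks only `not result.failed`; adding `or "Invalid credentials" not in result.msg`, as the earlier wrong-password task does, pins the cause of the failure.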
From: Rafael Guterres Jeffman Date: Fri, 14 Aug 2020 10:43:30 -0300 Subject: [PATCH 6/6] Fixed Vault return value usage from `data` to `vault.data`. A test was failing due to use of old ipavault module return structure and some places on the documentation were also referring to it. All occurrences were fixed. --- README-vault.md | 2 +- plugins/modules/ipavault.py | 2 +- tests/vault/test_vault_symmetric.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README-vault.md b/README-vault.md index 91d311da..e7a31a2e 100644 --- a/README-vault.md +++ b/README-vault.md @@ -197,7 +197,7 @@ Example playbook to make sure vault is absent: state: absent register: result - debug: - msg: "{{ result.data }}" + msg: "{{ result.vault.data }}" ``` Variables diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py index a608e64d..8060976c 100644 --- a/plugins/modules/ipavault.py +++ b/plugins/modules/ipavault.py @@ -243,7 +243,7 @@ EXAMPLES = """ state: retrieved register: result - debug: - msg: "{{ result.data }}" + msg: "{{ result.vault.data }}" # Change password of a symmetric vault - ipavault: diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml index 1604a018..5394c710 100644 --- a/tests/vault/test_vault_symmetric.yml +++ b/tests/vault/test_vault_symmetric.yml @@ -203,7 +203,7 @@ password: SomeNEWpassword state: retrieved register: result - failed_when: result.data != 'Hello World.' or result.changed + failed_when: result.vault.data != 'Hello World.' or result.changed - name: Retrieve data from symmetric vault, with old password. ipavault: