436 lines
18 KiB
Diff
436 lines
18 KiB
Diff
From 78b635ae78346fdfb298dd0d0c82ae1ff34b754a Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Tue, 23 Jun 2020 17:53:47 -0300
|
|
Subject: [PATCH] Add suppport for changing password of symmetric vaults.
|
|
|
|
Allows changing passwords of symmetric waults, using a new variable
|
|
`new_password` (or the file-base version, `new_password_file`). The
|
|
old password must be passed using the `password` or `password_file`
|
|
variables that also received new aliases `old_password` and
|
|
`old_password_file`, respectively.
|
|
|
|
Tests were modyfied to reflect the changes.
|
|
---
|
|
README-vault.md | 23 +++-
|
|
.../vault/change-password-symmetric-vault.yml | 2 +-
|
|
plugins/modules/ipavault.py | 129 +++++++++++++++---
|
|
tests/vault/test_vault_symmetric.yml | 64 +++++++++
|
|
4 files changed, 194 insertions(+), 24 deletions(-)
|
|
|
|
diff --git a/README-vault.md b/README-vault.md
|
|
index c7ae6916..fa1d3e11 100644
|
|
--- a/README-vault.md
|
|
+++ b/README-vault.md
|
|
@@ -165,6 +165,22 @@ Example playbook to make sure vault data is absent in a symmetric vault:
|
|
state: absent
|
|
```
|
|
|
|
+Example playbook to change the password of a symmetric:
|
|
+
|
|
+```yaml
|
|
+---
|
|
+- name: Playbook to handle vaults
|
|
+ hosts: ipaserver
|
|
+ become: true
|
|
+
|
|
+ tasks:
|
|
+ - ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ old_password: SomeVAULTpassword
|
|
+ new_password: SomeNEWpassword
|
|
+```
|
|
+
|
|
Example playbook to make sure vault is absent:
|
|
|
|
```yaml
|
|
@@ -197,8 +213,11 @@ Variable | Description | Required
|
|
`name` \| `cn` | The list of vault name strings. | yes
|
|
`description` | The vault description string. | no
|
|
`nomembers` | Suppress processing of membership attributes. (bool) | no
|
|
-`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no
|
|
-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
|
|
+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
|
|
+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
|
|
+`new_password` | Vault new password. | no
|
|
+`new_password_file` | File containing Base64 encoded new Vault password. | no
|
|
+`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
|
|
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
|
|
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
|
|
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
|
|
diff --git a/playbooks/vault/change-password-symmetric-vault.yml b/playbooks/vault/change-password-symmetric-vault.yml
|
|
index 3871f45d..396a79f6 100644
|
|
--- a/playbooks/vault/change-password-symmetric-vault.yml
|
|
+++ b/playbooks/vault/change-password-symmetric-vault.yml
|
|
@@ -10,7 +10,7 @@
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
- - name: Change vault passord.
|
|
+ - name: Change vault password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
|
|
index ad5dd413..46c6fcdb 100644
|
|
--- a/plugins/modules/ipavault.py
|
|
+++ b/plugins/modules/ipavault.py
|
|
@@ -69,12 +69,20 @@
|
|
description: password to be used on symmetric vault.
|
|
required: false
|
|
type: string
|
|
- aliases: ["ipavaultpassword", "vault_password"]
|
|
+ aliases: ["ipavaultpassword", "vault_password", "old_password"]
|
|
password_file:
|
|
description: file with password to be used on symmetric vault.
|
|
required: false
|
|
type: string
|
|
- aliases: ["vault_password_file"]
|
|
+ aliases: ["vault_password_file", "old_password_file"]
|
|
+ new_password:
|
|
+ description: new password to be used on symmetric vault.
|
|
+ required: false
|
|
+ type: string
|
|
+ new_password_file:
|
|
+ description: file with new password to be used on symmetric vault.
|
|
+ required: false
|
|
+ type: string
|
|
salt:
|
|
description: Vault salt.
|
|
required: false
|
|
@@ -235,7 +243,15 @@
|
|
state: retrieved
|
|
register: result
|
|
- debug:
|
|
- msg: "{{ result.data | b64decode }}"
|
|
+ msg: "{{ result.data }}"
|
|
+
|
|
+# Change password of a symmetric vault
|
|
+- ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ username: admin
|
|
+ old_password: SomeVAULTpassword
|
|
+ new_password: SomeNEWpassword
|
|
|
|
# Ensure vault symvault is absent
|
|
- ipavault:
|
|
@@ -416,18 +432,29 @@ def check_parameters(module, state, action, description, username, service,
|
|
shared, users, groups, services, owners, ownergroups,
|
|
ownerservices, vault_type, salt, password, password_file,
|
|
public_key, public_key_file, private_key,
|
|
- private_key_file, vault_data, datafile_in, datafile_out):
|
|
+ private_key_file, vault_data, datafile_in, datafile_out,
|
|
+ new_password, new_password_file):
|
|
invalid = []
|
|
if state == "present":
|
|
invalid = ['private_key', 'private_key_file', 'datafile_out']
|
|
|
|
+ if all([password, password_file]) \
|
|
+ or all([new_password, new_password_file]):
|
|
+ module.fail_json(msg="Password specified multiple times.")
|
|
+
|
|
+ if any([new_password, new_password_file]) \
|
|
+ and not any([password, password_file]):
|
|
+ module.fail_json(
|
|
+ msg="Either `password` or `password_file` must be provided to "
|
|
+ "change symmetric vault password.")
|
|
+
|
|
if action == "member":
|
|
invalid.extend(['description'])
|
|
|
|
elif state == "absent":
|
|
invalid = ['description', 'salt', 'vault_type', 'private_key',
|
|
'private_key_file', 'datafile_in', 'datafile_out',
|
|
- 'vault_data']
|
|
+ 'vault_data', 'new_password', 'new_password_file']
|
|
|
|
if action == "vault":
|
|
invalid.extend(['users', 'groups', 'services', 'owners',
|
|
@@ -437,7 +464,7 @@ def check_parameters(module, state, action, description, username, service,
|
|
elif state == "retrieved":
|
|
invalid = ['description', 'salt', 'datafile_in', 'users', 'groups',
|
|
'owners', 'ownergroups', 'public_key', 'public_key_file',
|
|
- 'vault_data']
|
|
+ 'vault_data', 'new_password', 'new_password_file']
|
|
if action == 'member':
|
|
module.fail_json(
|
|
msg="State `retrieved` do not support action `member`.")
|
|
@@ -458,11 +485,17 @@ def check_parameters(module, state, action, description, username, service,
|
|
def check_encryption_params(module, state, action, vault_type, salt,
|
|
password, password_file, public_key,
|
|
public_key_file, private_key, private_key_file,
|
|
- vault_data, datafile_in, datafile_out, res_find):
|
|
+ vault_data, datafile_in, datafile_out,
|
|
+ new_password, new_password_file, res_find):
|
|
vault_type_invalid = []
|
|
+
|
|
+ if res_find is not None:
|
|
+ vault_type = res_find['ipavaulttype']
|
|
+
|
|
if vault_type == "standard":
|
|
vault_type_invalid = ['public_key', 'public_key_file', 'password',
|
|
- 'password_file', 'salt']
|
|
+ 'password_file', 'salt', 'new_password',
|
|
+ 'new_password_file']
|
|
|
|
if vault_type is None or vault_type == "symmetric":
|
|
vault_type_invalid = ['public_key', 'public_key_file',
|
|
@@ -473,8 +506,14 @@ def check_encryption_params(module, state, action, vault_type, salt,
|
|
msg="Symmetric vault requires password or password_file "
|
|
"to store data or change `salt`.")
|
|
|
|
+ if any([new_password, new_password_file]) and res_find is None:
|
|
+ module.fail_json(
|
|
+ msg="Cannot modify password of inexistent vault.")
|
|
+
|
|
if vault_type == "asymmetric":
|
|
- vault_type_invalid = ['password', 'password_file']
|
|
+ vault_type_invalid = [
|
|
+ 'password', 'password_file', 'new_password', 'new_password_file'
|
|
+ ]
|
|
if not any([public_key, public_key_file]) and res_find is None:
|
|
module.fail_json(
|
|
msg="Assymmetric vault requires public_key "
|
|
@@ -487,6 +526,43 @@ def check_encryption_params(module, state, action, vault_type, salt,
|
|
(param, vault_type or 'symmetric'))
|
|
|
|
|
|
+def change_password(module, res_find, password, password_file, new_password,
|
|
+ new_password_file):
|
|
+ """
|
|
+ Change the password of a symmetric vault.
|
|
+
|
|
+ To change the password of a vault, it is needed to retrieve the stored
|
|
+ data with the current password, and store the data again, with the new
|
|
+ password, forcing it to override the old one.
|
|
+ """
|
|
+ # verify parameters.
|
|
+ if not any([new_password, new_password_file]):
|
|
+ return []
|
|
+ if res_find["ipavaulttype"][0] != "symmetric":
|
|
+ module.fail_json(msg="Cannot change password of `%s` vault."
|
|
+ % res_find["ipavaulttype"])
|
|
+
|
|
+ # prepare arguments to retrieve data.
|
|
+ name = res_find["cn"][0]
|
|
+ args = {}
|
|
+ if password:
|
|
+ args["password"] = password
|
|
+ if password_file:
|
|
+ args["password"] = password_file
|
|
+ # retrieve current stored data
|
|
+ result = api_command(module, 'vault_retrieve', name, args)
|
|
+ args['data'] = result['result']['data']
|
|
+
|
|
+ # modify arguments to store data with new password.
|
|
+ if password:
|
|
+ args["password"] = new_password
|
|
+ if password_file:
|
|
+ args["password"] = new_password_file
|
|
+ args["override_password"] = True
|
|
+ # return the command to store data with the new password.
|
|
+ return [(name, "vault_archive", args)]
|
|
+
|
|
+
|
|
def main():
|
|
ansible_module = AnsibleModule(
|
|
argument_spec=dict(
|
|
@@ -533,10 +609,18 @@ def main():
|
|
datafile_out=dict(type="str", required=False, default=None,
|
|
aliases=['out']),
|
|
vault_password=dict(type="str", required=False, default=None,
|
|
- aliases=['ipavaultpassword', 'password'],
|
|
- no_log=True),
|
|
+ no_log=True,
|
|
+ aliases=['ipavaultpassword', 'password',
|
|
+ "old_password"]),
|
|
vault_password_file=dict(type="str", required=False, default=None,
|
|
- no_log=False, aliases=['password_file']),
|
|
+ no_log=False,
|
|
+ aliases=[
|
|
+ 'password_file', "old_password_file"
|
|
+ ]),
|
|
+ new_password=dict(type="str", required=False, default=None,
|
|
+ no_log=True),
|
|
+ new_password_file=dict(type="str", required=False, default=None,
|
|
+ no_log=False),
|
|
# state
|
|
action=dict(type="str", default="vault",
|
|
choices=["vault", "data", "member"]),
|
|
@@ -546,6 +630,7 @@ def main():
|
|
supports_check_mode=True,
|
|
mutually_exclusive=[['username', 'service', 'shared'],
|
|
['datafile_in', 'vault_data'],
|
|
+ ['new_password', 'new_password_file'],
|
|
['vault_password', 'vault_password_file'],
|
|
['vault_public_key', 'vault_public_key_file']],
|
|
)
|
|
@@ -576,6 +661,8 @@ def main():
|
|
salt = module_params_get(ansible_module, "vault_salt")
|
|
password = module_params_get(ansible_module, "vault_password")
|
|
password_file = module_params_get(ansible_module, "vault_password_file")
|
|
+ new_password = module_params_get(ansible_module, "new_password")
|
|
+ new_password_file = module_params_get(ansible_module, "new_password_file")
|
|
public_key = module_params_get(ansible_module, "vault_public_key")
|
|
public_key_file = module_params_get(ansible_module,
|
|
"vault_public_key_file")
|
|
@@ -614,7 +701,8 @@ def main():
|
|
service, shared, users, groups, services, owners,
|
|
ownergroups, ownerservices, vault_type, salt, password,
|
|
password_file, public_key, public_key_file, private_key,
|
|
- private_key_file, vault_data, datafile_in, datafile_out)
|
|
+ private_key_file, vault_data, datafile_in, datafile_out,
|
|
+ new_password, new_password_file)
|
|
# Init
|
|
|
|
changed = False
|
|
@@ -660,7 +748,7 @@ def main():
|
|
ansible_module, state, action, vault_type, salt, password,
|
|
password_file, public_key, public_key_file, private_key,
|
|
private_key_file, vault_data, datafile_in, datafile_out,
|
|
- res_find)
|
|
+ new_password, new_password_file, res_find)
|
|
|
|
# Found the vault
|
|
if action == "vault":
|
|
@@ -721,7 +809,6 @@ def main():
|
|
owner_add_args = gen_member_args(
|
|
args, owner_add, ownergroups_add, ownerservice_add)
|
|
if owner_add_args is not None:
|
|
- # ansible_module.warn("OWNER ADD: %s" % owner_add_args)
|
|
commands.append(
|
|
[name, 'vault_add_owner', owner_add_args])
|
|
|
|
@@ -729,7 +816,6 @@ def main():
|
|
owner_del_args = gen_member_args(
|
|
args, owner_del, ownergroups_del, ownerservice_del)
|
|
if owner_del_args is not None:
|
|
- # ansible_module.warn("OWNER DEL: %s" % owner_del_args)
|
|
commands.append(
|
|
[name, 'vault_remove_owner', owner_del_args])
|
|
|
|
@@ -758,19 +844,22 @@ def main():
|
|
if any([vault_data, datafile_in]):
|
|
commands.append([name, "vault_archive", pwdargs])
|
|
|
|
+ cmds = change_password(
|
|
+ ansible_module, res_find, password, password_file,
|
|
+ new_password, new_password_file)
|
|
+ commands.extend(cmds)
|
|
+
|
|
elif state == "retrieved":
|
|
if res_find is None:
|
|
ansible_module.fail_json(
|
|
msg="Vault `%s` not found to retrieve data." % name)
|
|
|
|
- vault_type = res_find['cn']
|
|
-
|
|
# verify data encription args
|
|
check_encryption_params(
|
|
ansible_module, state, action, vault_type, salt, password,
|
|
password_file, public_key, public_key_file, private_key,
|
|
private_key_file, vault_data, datafile_in, datafile_out,
|
|
- res_find)
|
|
+ new_password, new_password_file, res_find)
|
|
|
|
pwdargs = data_storage_args(
|
|
args, vault_data, password, password_file, private_key,
|
|
@@ -813,7 +902,6 @@ def main():
|
|
errors = []
|
|
for name, command, args in commands:
|
|
try:
|
|
- # ansible_module.warn("RUN: %s %s %s" % (command, name, args))
|
|
result = api_command(ansible_module, command, name, args)
|
|
|
|
if command == 'vault_archive':
|
|
@@ -829,7 +917,6 @@ def main():
|
|
raise Exception("No data retrieved.")
|
|
changed = False
|
|
else:
|
|
- # ansible_module.warn("RESULT: %s" % (result))
|
|
if "completed" in result:
|
|
if result["completed"] > 0:
|
|
changed = True
|
|
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
|
|
index c9429f4f..a6072d88 100644
|
|
--- a/tests/vault/test_vault_symmetric.yml
|
|
+++ b/tests/vault/test_vault_symmetric.yml
|
|
@@ -178,6 +178,61 @@
|
|
register: result
|
|
failed_when: result.data != 'Hello World.' or result.changed
|
|
|
|
+ - name: Change vault password.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeVAULTpassword
|
|
+ new_password: SomeNEWpassword
|
|
+ register: result
|
|
+ failed_when: not result.changed
|
|
+
|
|
+ - name: Retrieve data from symmetric vault, with wrong password.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeVAULTpassword
|
|
+ state: retrieved
|
|
+ register: result
|
|
+ failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
+
|
|
+ - name: Change vault password, with wrong `old_password`.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeVAULTpassword
|
|
+ new_password: SomeNEWpassword
|
|
+ register: result
|
|
+ failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
+
|
|
+ - name: Retrieve data from symmetric vault, with new password.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeNEWpassword
|
|
+ state: retrieved
|
|
+ register: result
|
|
+ failed_when: result.data != 'Hello World.' or result.changed
|
|
+
|
|
+ - name: Try to add vault with multiple passwords.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: inexistentvault
|
|
+ password: SomeVAULTpassword
|
|
+ password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
+ register: result
|
|
+ failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
|
|
+
|
|
+ - name: Try to add vault with multiple new passwords.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: inexistentvault
|
|
+ password: SomeVAULTpassword
|
|
+ new_password: SomeVAULTpassword
|
|
+ new_password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
+ register: result
|
|
+ failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
|
|
+
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
@@ -194,5 +249,14 @@
|
|
register: result
|
|
failed_when: result.changed
|
|
|
|
+ - name: Try to change password of inexistent vault.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: inexistentvault
|
|
+ password: SomeVAULTpassword
|
|
+ new_password: SomeNEWpassword
|
|
+ register: result
|
|
+ failed_when: not result.failed or "Cannot modify password of inexistent vault" not in result.msg
|
|
+
|
|
- name: Cleanup testing environment.
|
|
import_tasks: env_cleanup.yml
|