From 3e5c54d4fdb10deda9b7e4deaf2c537b132711c9 Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 31 Jul 2020 11:30:51 -0300
|
|
Subject: [PATCH] Fix identification of existing vault type.
|
|
|
|
In some scenarios, the value of the vault type is returned as a tuple,
|
|
rather than a string, which made some changes to existing vaults fail.
|
|
With this change, the vault type is correctly retrieved, if it was not
|
|
provided by the user.
|
|
---
|
|
plugins/modules/ipavault.py | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
|
|
index 6a3c73e..8562ff7 100644
|
|
--- a/plugins/modules/ipavault.py
|
|
+++ b/plugins/modules/ipavault.py
|
|
@@ -494,8 +494,10 @@ def check_encryption_params(module, state, action, vault_type, salt,
|
|
new_password, new_password_file, res_find):
|
|
vault_type_invalid = []
|
|
|
|
- if res_find is not None:
|
|
+ if vault_type is None and res_find is not None:
|
|
vault_type = res_find['ipavaulttype']
|
|
+ if isinstance(vault_type, (tuple, list)):
|
|
+ vault_type = vault_type[0]
|
|
|
|
if vault_type == "standard":
|
|
vault_type_invalid = ['public_key', 'public_key_file', 'password',
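Review bot: The new `vault_type = vault_type[0]` raises IndexError if the server returns an empty tuple or list, and if `vault_type` ends up `None` (no user value and no usable `ipavaulttype` in `res_find`) neither `vault_type == "standard"` nor the `asymmetric` branch runs, so `vault_type_invalid` stays empty and no conflicting parameters are rejected. Consider reading the attribute with `res_find.get('ipavaulttype')` and, after the normalisation, `if not vault_type: module.fail_json(msg="Could not determine vault type.")` so an unknown type fails loudly instead of skipping validation. Whether an empty value can actually come back from the server is not visible here, so treat this as hardening. check_encryption_params begins before and continues after this hunk.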
|
|
--
|
|
2.26.2
|
|
|
|
From d52364bac923f2935b948882d5825e7488b0e9cf Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 31 Jul 2020 11:32:36 -0300
|
|
Subject: [PATCH] Fix random salt generation.
|
|
|
|
The generation of a random salt, when one was not provided, was in the
|
|
wrong place and being generated too late to be used properly. Also, the
|
|
generation of the value was duplicated.
|
|
---
|
|
plugins/modules/ipavault.py | 13 +++++--------
|
|
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
|
|
index 8562ff7..dffd972 100644
|
|
--- a/plugins/modules/ipavault.py
|
|
+++ b/plugins/modules/ipavault.py
|
|
@@ -768,7 +768,12 @@ def main():
|
|
commands.append([name, "vault_mod_internal", args])
|
|
|
|
else:
|
|
+ if vault_type == 'symmetric' \
|
|
+ and 'ipavaultsalt' not in args:
|
|
+ args['ipavaultsalt'] = os.urandom(32)
|
|
+
|
|
commands.append([name, "vault_add_internal", args])
|
|
+
|
|
if vault_type != 'standard' and vault_data is None:
|
|
vault_data = ''
|
|
|
|
@@ -826,14 +831,6 @@ def main():
|
|
commands.append(
|
|
[name, 'vault_remove_owner', owner_del_args])
|
|
|
|
- if vault_type == 'symmetric' \
|
|
- and 'ipavaultsalt' not in args:
|
|
- args['ipavaultsalt'] = os.urandom(32)
|
|
-
|
|
- if vault_type == 'symmetric' \
|
|
- and 'ipavaultsalt' not in args:
|
|
- args['ipavaultsalt'] = os.urandom(32)
|
|
-
|
|
elif action in "member":
|
|
# Add users and groups
|
|
if any([users, groups, services]):
|
|
--
|
|
2.26.2
|
|
|
|
From daee6a6c744a740329ca231a277229567619e10c Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 31 Jul 2020 11:33:47 -0300
|
|
Subject: [PATCH] Fix verification of parameters for modifying `salt`
|
|
attribute.
|
|
|
|
When modifying an existing vault to change the value of `salt`, the
|
|
password must also change. It is fine to "change" the password to the
|
|
same value, thus only changing the salt value.
|
|
---
|
|
plugins/modules/ipavault.py | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
|
|
index dffd972..a608e64 100644
|
|
--- a/plugins/modules/ipavault.py
|
|
+++ b/plugins/modules/ipavault.py
|
|
@@ -517,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt,
|
|
module.fail_json(
|
|
msg="Cannot modify password of inexistent vault.")
|
|
|
|
+ if (
|
|
+ salt is not None
|
|
+ and not(
|
|
+ any([password, password_file])
|
|
+ and any([new_password, new_password_file])
|
|
+ )
|
|
+ ):
|
|
+ module.fail_json(
|
|
+ msg="Vault `salt` can only change when changing the password.")
|
|
+
|
|
if vault_type == "asymmetric":
|
|
vault_type_invalid = [
|
|
'password', 'password_file', 'new_password', 'new_password_file'
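Review bot: The new `salt` guard runs whether or not the vault exists, so creating a new vault with a user-supplied `salt` and a single `password` (a case the add path appears to support, since it only generates a salt when `ipavaultsalt` is not already in `args`) has no `new_password` and is rejected with the "can only change when changing the password" message. If that is unintended, limit the check to the modify path, e.g. `salt is not None and res_find is not None and not (...)`. Style: `not(` should read `not (`, and `any([password, password_file])` can be the plainer `password or password_file`. check_encryption_params starts before and continues after this hunk.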
|
|
--
|
|
2.26.2
|
|
|
|
From 4ef4e706b79fdbb43e462b1a7130fc2cad5894b2 Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 31 Jul 2020 11:42:13 -0300
|
|
Subject: [PATCH] Modify tests to verify password was changed correctly.
|
|
|
|
Modify and add tests to verify that a password change has the correct
|
|
effect on ipavault.
|
|
---
|
|
tests/vault/test_vault_symmetric.yml | 36 ++++++++++++++++++----------
|
|
1 file changed, 23 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
|
|
index bedc221..9294331 100644
|
|
--- a/tests/vault/test_vault_symmetric.yml
|
|
+++ b/tests/vault/test_vault_symmetric.yml
|
|
@@ -178,6 +178,15 @@
|
|
register: result
|
|
failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
+ - name: Retrieve data from symmetric vault, with wrong password.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeWRONGpassword
|
|
+ state: retrieved
|
|
+ register: result
|
|
+ failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
+
|
|
- name: Change vault password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
@@ -187,43 +196,44 @@
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
- - name: Retrieve data from symmetric vault, with wrong password.
|
|
+ - name: Retrieve data from symmetric vault, with new password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
- password: SomeVAULTpassword
|
|
+ password: SomeNEWpassword
|
|
state: retrieved
|
|
register: result
|
|
- failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
+ failed_when: result.data != 'Hello World.' or result.changed
|
|
|
|
- - name: Change vault password, with wrong `old_password`.
|
|
+ - name: Retrieve data from symmetric vault, with old password.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeVAULTpassword
|
|
- new_password: SomeNEWpassword
|
|
+ state: retrieved
|
|
register: result
|
|
failed_when: not result.failed or "Invalid credentials" not in result.msg
|
|
|
|
- - name: Retrieve data from symmetric vault, with new password.
|
|
+ - name: Change symmetric vault salt, changing password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: symvault
|
|
password: SomeNEWpassword
|
|
- state: retrieved
|
|
+ new_password: SomeVAULTpassword
|
|
+ salt: AAAAAAAAAAAAAAAAAAAAAAA=
|
|
register: result
|
|
- failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
+ failed_when: not result.changed
|
|
|
|
- - name: Try to add vault with multiple passwords.
|
|
+ - name: Change symmetric vault salt, without changing password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
- name: inexistentvault
|
|
+ name: symvault
|
|
password: SomeVAULTpassword
|
|
- password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
+ new_password: SomeVAULTpassword
|
|
+ salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
register: result
|
|
- failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
|
|
+ failed_when: not result.changed
|
|
|
|
- - name: Try to add vault with multiple new passwords.
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: inexistentvault
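Review bot: Deleting the `- name: Try to add vault with multiple new passwords.` line leaves the following `ipavault:` block (down to `name: inexistentvault`) without a task entry of its own, so it becomes a duplicate `ipavault` key of the preceding task or a load error; the next patch in this series adds a header there, but this commit alone leaves the playbook malformed. The two new "Change symmetric vault salt" tasks assert only `failed_when: not result.changed`; a retrieve step after each, with `failed_when: result.vault.data != 'Hello World.' or result.changed`, would confirm the data is still decryptable with the kept password after the salt changed. Coverage for the "parameters are mutually exclusive" cases is dropped from this file unless it exists elsewhere.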
|
|
--
|
|
2.26.2
|
|
|
|
From 8ca282e276477b52d0850d4c01feb3d8e7a5be6d Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 31 Jul 2020 11:44:33 -0300
|
|
Subject: [PATCH] Modified and added tests to verify correct `salt` update
|
|
behavior.
|
|
|
|
---
|
|
tests/vault/test_vault_symmetric.yml | 35 ++++++++++++++++++++++++----
|
|
1 file changed, 31 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
|
|
index 9294331..1604a01 100644
|
|
--- a/tests/vault/test_vault_symmetric.yml
|
|
+++ b/tests/vault/test_vault_symmetric.yml
|
|
@@ -234,14 +234,41 @@
|
|
register: result
|
|
failed_when: not result.changed
|
|
|
|
+ - name: Try to change symmetric vault salt, without providing any password
|
|
ipavault:
|
|
ipaadmin_password: SomeADMINpassword
|
|
- name: inexistentvault
|
|
- password: SomeVAULTpassword
|
|
+ name: symvault
|
|
+ salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
+ register: result
|
|
+ failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
+
|
|
+ - name: Try to change symmetric vault salt, without providing `password`
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
new_password: SomeVAULTpassword
|
|
- new_password_file: "{{ ansible_env.HOME }}/password.txt"
|
|
register: result
|
|
- failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
|
|
+ failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
+
|
|
+ - name: Try to change symmetric vault salt, without providing `new_password`
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
|
|
+ password: SomeVAULTpassword
|
|
+ register: result
|
|
+ failed_when: not result.failed and "Vault `salt` can only change when changing the password." not in result.msg
|
|
+
|
|
+ - name: Try to change symmetric vault salt, using wrong password.
|
|
+ ipavault:
|
|
+ ipaadmin_password: SomeADMINpassword
|
|
+ name: symvault
|
|
+ password: SomeWRONGpassword
|
|
+ new_password: SomeWRONGpassword
|
|
+ salt: MDEyMzQ1Njc4OTAxMjM0NQo=
|
|
+ register: result
|
|
+ failed_when: not result.failed
|
|
|
|
- name: Ensure symmetric vault is absent
|
|
ipavault:
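Review bot: The three new `failed_when: not result.failed and "Vault ... password." not in result.msg` lines never fail when the task fails for some other reason: `not result.failed` is false and the `and` short-circuits, so a wrong error message passes silently. The other checks in this file use `or` for the same pattern (`failed_when: not result.failed or "Invalid credentials" not in result.msg`); change `and` to `or` on all three. The final "using wrong password" task asserts only `failed_when: not result.failed`; checking the message as well would pin the reason the task failed.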
|
|
--
|
|
2.26.2
|
|
|
|
From 3c2700f68beade3513e0e44415d8eb4fb23026e8 Mon Sep 17 00:00:00 2001
|
|
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
Date: Fri, 14 Aug 2020 10:43:30 -0300
|
|
Subject: [PATCH] Fixed Vault return value usage from `data` to `vault.data`.
|
|
|
|
A test was failing due to use of old ipavault module return structure
|
|
and some places in the documentation were also referring to it. All
|
|
occurrences were fixed.
|
|
---
|
|
README-vault.md | 2 +-
|
|
plugins/modules/ipavault.py | 2 +-
|
|
tests/vault/test_vault_symmetric.yml | 2 +-
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/README-vault.md b/README-vault.md
|
|
index 91d311d..e7a31a2 100644
|
|
--- a/README-vault.md
|
|
+++ b/README-vault.md
|
|
@@ -197,7 +197,7 @@ Example playbook to make sure vault is absent:
|
|
state: absent
|
|
register: result
|
|
- debug:
|
|
- msg: "{{ result.data }}"
|
|
+ msg: "{{ result.vault.data }}"
|
|
```
|
|
|
|
Variables
|
|
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
|
|
index a608e64..8060976 100644
|
|
--- a/plugins/modules/ipavault.py
|
|
+++ b/plugins/modules/ipavault.py
|
|
@@ -243,7 +243,7 @@ EXAMPLES = """
|
|
state: retrieved
|
|
register: result
|
|
- debug:
|
|
- msg: "{{ result.data }}"
|
|
+ msg: "{{ result.vault.data }}"
|
|
|
|
# Change password of a symmetric vault
|
|
- ipavault:
|
|
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
|
|
index 1604a01..5394c71 100644
|
|
--- a/tests/vault/test_vault_symmetric.yml
|
|
+++ b/tests/vault/test_vault_symmetric.yml
|
|
@@ -203,7 +203,7 @@
|
|
password: SomeNEWpassword
|
|
state: retrieved
|
|
register: result
|
|
- failed_when: result.data != 'Hello World.' or result.changed
|
|
+ failed_when: result.vault.data != 'Hello World.' or result.changed
|
|
|
|
- name: Retrieve data from symmetric vault, with old password.
|
|
ipavault:
|
|
--
|
|
2.26.2
|
|
|