Commit 04564248 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman

Fixes password behavior on Vault module.

This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.

Tests were updated to reflect the changes.

New example playbooks are added:

    playbooks/vault/vault-is-present-with-password-file.yml
    playbooks/vault/vault-is-present-with-public-key-file.yml
parent ff03b315
...@@ -366,7 +366,7 @@ def gen_member_args(args, users, groups, services): ...@@ -366,7 +366,7 @@ def gen_member_args(args, users, groups, services):
def data_storage_args(args, data, password, password_file, private_key, def data_storage_args(args, data, password, password_file, private_key,
private_key_file, retrieve, datafile_in, datafile_out): private_key_file, datafile_in, datafile_out):
_args = {} _args = {}
if 'username' in args: if 'username' in args:
...@@ -407,8 +407,7 @@ def check_parameters(module, state, action, description, username, service, ...@@ -407,8 +407,7 @@ def check_parameters(module, state, action, description, username, service,
shared, users, groups, services, owners, ownergroups, shared, users, groups, services, owners, ownergroups,
ownerservices, vault_type, salt, password, password_file, ownerservices, vault_type, salt, password, password_file,
public_key, public_key_file, private_key, public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in, private_key_file, vault_data, datafile_in, datafile_out):
datafile_out):
invalid = [] invalid = []
if state == "present": if state == "present":
if salt is not None: if salt is not None:
...@@ -423,24 +422,20 @@ def check_parameters(module, state, action, description, username, service, ...@@ -423,24 +422,20 @@ def check_parameters(module, state, action, description, username, service,
if action == "member": if action == "member":
invalid = ['description'] invalid = ['description']
if not retrieve: elif state == "absent":
if datafile_out is not None: invalid = ['description', 'salt', 'vault_type', 'datafile_in',
module.fail_json(
msg="Retrieve must be enabled to use datafile_out.")
if any([private_key, private_key_file]):
module.fail_json(
msg="Attributes private_key and private_key_file can only "
"be used when retrieving data from asymmetric vaults.")
else:
check = ['description', 'salt', 'datafile_in', 'users', 'groups',
'owners', 'ownergroups', 'public_key', 'public_key_file',
'vault_data'] 'vault_data']
for arg in check: if action == "vault":
invalid.extend(['users', 'groups', 'owners', 'ownergroups',
'password', 'password_file', 'public_key',
'public_key_file'])
for arg in invalid:
if vars()[arg] is not None: if vars()[arg] is not None:
module.fail_json( module.fail_json(
msg="`%s` cannot be used with `retrieve`." % arg) msg="Argument '%s' can not be used with state '%s', "
"action '%s'" % (arg, state, action))
elif state == "absent": elif state == "absent":
invalid = ['description', 'salt', 'vault_type', 'private_key', invalid = ['description', 'salt', 'vault_type', 'private_key',
...@@ -461,8 +456,8 @@ def check_parameters(module, state, action, description, username, service, ...@@ -461,8 +456,8 @@ def check_parameters(module, state, action, description, username, service,
def check_encryption_params(module, state, vault_type, salt, password, def check_encryption_params(module, state, vault_type, salt, password,
password_file, public_key, public_key_file, password_file, public_key, public_key_file,
private_key, private_key_file, retrieve, private_key, private_key_file, vault_data,
vault_data, datafile_in, datafile_out, res_find): datafile_in, datafile_out, res_find):
vault_type_invalid = [] vault_type_invalid = []
if state == "present": if state == "present":
if vault_type == "standard": if vault_type == "standard":
...@@ -593,8 +588,6 @@ def main(): ...@@ -593,8 +588,6 @@ def main():
datafile_in = module_params_get(ansible_module, "datafile_in") datafile_in = module_params_get(ansible_module, "datafile_in")
datafile_out = module_params_get(ansible_module, "datafile_out") datafile_out = module_params_get(ansible_module, "datafile_out")
retrieve = module_params_get(ansible_module, "retrieve")
action = module_params_get(ansible_module, "action") action = module_params_get(ansible_module, "action")
state = module_params_get(ansible_module, "state") state = module_params_get(ansible_module, "state")
...@@ -616,8 +609,7 @@ def main(): ...@@ -616,8 +609,7 @@ def main():
service, shared, users, groups, services, owners, service, shared, users, groups, services, owners,
ownergroups, ownerservices, vault_type, salt, password, ownergroups, ownerservices, vault_type, salt, password,
password_file, public_key, public_key_file, private_key, password_file, public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in, private_key_file, vault_data, datafile_in, datafile_out)
datafile_out)
# Init # Init
changed = False changed = False
...@@ -660,7 +652,7 @@ def main(): ...@@ -660,7 +652,7 @@ def main():
check_encryption_params(ansible_module, state, vault_type, salt, check_encryption_params(ansible_module, state, vault_type, salt,
password, password_file, public_key, password, password_file, public_key,
public_key_file, private_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, private_key_file, vault_data,
datafile_in, datafile_out, res_find) datafile_in, datafile_out, res_find)
# Create command # Create command
...@@ -734,6 +726,10 @@ def main(): ...@@ -734,6 +726,10 @@ def main():
and 'ipavaultsalt' not in args: and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32) args['ipavaultsalt'] = os.urandom(32)
if vault_type == 'symmetric' \
and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32)
elif action in "member": elif action in "member":
# Add users and groups # Add users and groups
if any([users, groups, services]): if any([users, groups, services]):
...@@ -746,9 +742,8 @@ def main(): ...@@ -746,9 +742,8 @@ def main():
commands.append([name, 'vault_add_owner', owner_args]) commands.append([name, 'vault_add_owner', owner_args])
pwdargs = data_storage_args( pwdargs = data_storage_args(
args, vault_data, password, password_file, args, vault_data, password, password_file, private_key,
private_key, private_key_file, retrieve, datafile_in, private_key_file, datafile_in, datafile_out)
datafile_out)
if any([vault_data, datafile_in]): if any([vault_data, datafile_in]):
commands.append([name, "vault_archive", pwdargs]) commands.append([name, "vault_archive", pwdargs])
if retrieve: if retrieve:
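Review bot: In the check_parameters hunk (@@ -423,24 +422,20 @@) the new side contains `elif state == "absent":` twice: once immediately after `if action == "member": invalid = ['description']`, and again as the unchanged outer branch at the end of the hunk. Because the second one is context at the outer level, the first must be nested inside the `state == "present"` block (the rendering drops indentation, so this is inferred from structure), where it can never be true; the `'datafile_in'`/`'vault_data'` rejections and the `if action == "vault": invalid.extend([...])` list are then dead code and absent-state calls accept arguments the commit intends to reject. Delete the nested `elif state == "absent":` block and attach its `if action == "vault": invalid.extend([...])` to the outer `elif state == "absent":` branch instead, keeping a single `for arg in invalid:` loop after both branches so every state is validated. Note that the outer branch's `invalid` list and the rest of check_parameters continue outside the hunk, so confirm that list already covers `'datafile_in'` and `'vault_data'` before removing the nested one.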
...@@ -394,6 +394,15 @@ ...@@ -394,6 +394,15 @@
register: result register: result
failed_when: not result.changed failed_when: not result.changed
- name: Archive data from a file, in standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
in: "{{ ansible_env.HOME }}/in.txt"
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault. - name: Retrieve data from standard vault.
ipavault: ipavault:
ipaadmin_password: SomeADMINpassword ipaadmin_password: SomeADMINpassword