Skip to content
Snippets Groups Projects
Commit 04564248 authored by Rafael Guterres Jeffman's avatar Rafael Guterres Jeffman
Browse files

Fixes password behavior on Vault module. 

This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.

Tests were updated to reflect the changes.

New example playbooks are added:

    playbooks/vault/vault-is-present-with-password-file.yml
    playbooks/vault/vault-is-present-with-public-key-file.yml
parent ff03b315
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
plugins/modules/ipavault.py
+ 24
29
View file @ 04564248
......@@ -366,7 +366,7 @@ def gen_member_args(args, users, groups, services):
def data_storage_args(args, data, password, password_file, private_key,
private_key_file, retrieve, datafile_in, datafile_out):
private_key_file, datafile_in, datafile_out):
_args = {}
if 'username' in args:
......@@ -407,8 +407,7 @@ def check_parameters(module, state, action, description, username, service,
shared, users, groups, services, owners, ownergroups,
ownerservices, vault_type, salt, password, password_file,
public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in,
datafile_out):
private_key_file, vault_data, datafile_in, datafile_out):
invalid = []
if state == "present":
if salt is not None:
......@@ -423,24 +422,20 @@ def check_parameters(module, state, action, description, username, service,
if action == "member":
invalid = ['description']
if not retrieve:
if datafile_out is not None:
module.fail_json(
msg="Retrieve must be enabled to use datafile_out.")
elif state == "absent":
invalid = ['description', 'salt', 'vault_type', 'datafile_in',
'vault_data']
if any([private_key, private_key_file]):
module.fail_json(
msg="Attributes private_key and private_key_file can only "
"be used when retrieving data from asymmetric vaults.")
else:
check = ['description', 'salt', 'datafile_in', 'users', 'groups',
'owners', 'ownergroups', 'public_key', 'public_key_file',
'vault_data']
if action == "vault":
invalid.extend(['users', 'groups', 'owners', 'ownergroups',
'password', 'password_file', 'public_key',
'public_key_file'])
for arg in check:
if vars()[arg] is not None:
module.fail_json(
msg="`%s` cannot be used with `retrieve`." % arg)
for arg in invalid:
if vars()[arg] is not None:
module.fail_json(
msg="Argument '%s' can not be used with state '%s', "
"action '%s'" % (arg, state, action))
elif state == "absent":
invalid = ['description', 'salt', 'vault_type', 'private_key',
......@@ -461,8 +456,8 @@ def check_parameters(module, state, action, description, username, service,
def check_encryption_params(module, state, vault_type, salt, password,
password_file, public_key, public_key_file,
private_key, private_key_file, retrieve,
vault_data, datafile_in, datafile_out, res_find):
private_key, private_key_file, vault_data,
datafile_in, datafile_out, res_find):
vault_type_invalid = []
if state == "present":
if vault_type == "standard":
......@@ -593,8 +588,6 @@ def main():
datafile_in = module_params_get(ansible_module, "datafile_in")
datafile_out = module_params_get(ansible_module, "datafile_out")
retrieve = module_params_get(ansible_module, "retrieve")
action = module_params_get(ansible_module, "action")
state = module_params_get(ansible_module, "state")
......@@ -616,8 +609,7 @@ def main():
service, shared, users, groups, services, owners,
ownergroups, ownerservices, vault_type, salt, password,
password_file, public_key, public_key_file, private_key,
private_key_file, retrieve, vault_data, datafile_in,
datafile_out)
private_key_file, vault_data, datafile_in, datafile_out)
# Init
changed = False
......@@ -660,7 +652,7 @@ def main():
check_encryption_params(ansible_module, state, vault_type, salt,
password, password_file, public_key,
public_key_file, private_key,
private_key_file, retrieve, vault_data,
private_key_file, vault_data,
datafile_in, datafile_out, res_find)
# Create command
......@@ -734,6 +726,10 @@ def main():
and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32)
if vault_type == 'symmetric' \
and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32)
elif action in "member":
# Add users and groups
if any([users, groups, services]):
......@@ -746,9 +742,8 @@ def main():
commands.append([name, 'vault_add_owner', owner_args])
pwdargs = data_storage_args(
args, vault_data, password, password_file,
private_key, private_key_file, retrieve, datafile_in,
datafile_out)
args, vault_data, password, password_file, private_key,
private_key_file, datafile_in, datafile_out)
if any([vault_data, datafile_in]):
commands.append([name, "vault_archive", pwdargs])
if retrieve:
......
tests/vault/test_vault.yml
+ 9
0
View file @ 04564248
......@@ -394,6 +394,15 @@
register: result
failed_when: not result.changed
- name: Archive data from a file, in standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
name: stdvault
username: user01
in: "{{ ansible_env.HOME }}/in.txt"
register: result
failed_when: not result.changed
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment