From 04564248213135333bc1d0fa82edb9c70c02c3ad Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 4 May 2020 20:48:48 -0300
Subject: [PATCH] Fixes password behavior on Vault module.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
---
plugins/modules/ipavault.py | 53 +++++++++++++++++--------------------
tests/vault/test_vault.yml | 9 +++++++
2 files changed, 33 insertions(+), 29 deletions(-)
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index dc59d4be..d97c022c 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -366,7 +366,7 @@ def gen_member_args(args, users, groups, services):
def data_storage_args(args, data, password, password_file, private_key,
- private_key_file, retrieve, datafile_in, datafile_out):
+ private_key_file, datafile_in, datafile_out):
_args = {}
if 'username' in args:
@@ -407,8 +407,7 @@ def check_parameters(module, state, action, description, username, service,
shared, users, groups, services, owners, ownergroups,
ownerservices, vault_type, salt, password, password_file,
public_key, public_key_file, private_key,
- private_key_file, retrieve, vault_data, datafile_in,
- datafile_out):
+ private_key_file, vault_data, datafile_in, datafile_out):
invalid = []
if state == "present":
if salt is not None:
@@ -423,24 +422,20 @@ def check_parameters(module, state, action, description, username, service,
if action == "member":
invalid = ['description']
- if not retrieve:
- if datafile_out is not None:
- module.fail_json(
- msg="Retrieve must be enabled to use datafile_out.")
+ elif state == "absent":
+ invalid = ['description', 'salt', 'vault_type', 'datafile_in',
+ 'vault_data']
- if any([private_key, private_key_file]):
- module.fail_json(
- msg="Attributes private_key and private_key_file can only "
- "be used when retrieving data from asymmetric vaults.")
- else:
- check = ['description', 'salt', 'datafile_in', 'users', 'groups',
- 'owners', 'ownergroups', 'public_key', 'public_key_file',
- 'vault_data']
+ if action == "vault":
+ invalid.extend(['users', 'groups', 'owners', 'ownergroups',
+ 'password', 'password_file', 'public_key',
+ 'public_key_file'])
- for arg in check:
- if vars()[arg] is not None:
- module.fail_json(
- msg="`%s` cannot be used with `retrieve`." % arg)
+ for arg in invalid:
+ if vars()[arg] is not None:
+ module.fail_json(
+ msg="Argument '%s' can not be used with state '%s', "
+ "action '%s'" % (arg, state, action))
elif state == "absent":
invalid = ['description', 'salt', 'vault_type', 'private_key',
@@ -461,8 +456,8 @@ def check_parameters(module, state, action, description, username, service,
def check_encryption_params(module, state, vault_type, salt, password,
password_file, public_key, public_key_file,
- private_key, private_key_file, retrieve,
- vault_data, datafile_in, datafile_out, res_find):
+ private_key, private_key_file, vault_data,
+ datafile_in, datafile_out, res_find):
vault_type_invalid = []
if state == "present":
if vault_type == "standard":
@@ -593,8 +588,6 @@ def main():
datafile_in = module_params_get(ansible_module, "datafile_in")
datafile_out = module_params_get(ansible_module, "datafile_out")
- retrieve = module_params_get(ansible_module, "retrieve")
-
action = module_params_get(ansible_module, "action")
state = module_params_get(ansible_module, "state")
@@ -616,8 +609,7 @@ def main():
service, shared, users, groups, services, owners,
ownergroups, ownerservices, vault_type, salt, password,
password_file, public_key, public_key_file, private_key,
- private_key_file, retrieve, vault_data, datafile_in,
- datafile_out)
+ private_key_file, vault_data, datafile_in, datafile_out)
# Init
changed = False
@@ -660,7 +652,7 @@ def main():
check_encryption_params(ansible_module, state, vault_type, salt,
password, password_file, public_key,
public_key_file, private_key,
- private_key_file, retrieve, vault_data,
+ private_key_file, vault_data,
datafile_in, datafile_out, res_find)
# Create command
@@ -734,6 +726,10 @@ def main():
and 'ipavaultsalt' not in args:
args['ipavaultsalt'] = os.urandom(32)
+ if vault_type == 'symmetric' \
+ and 'ipavaultsalt' not in args:
+ args['ipavaultsalt'] = os.urandom(32)
+
elif action in "member":
# Add users and groups
if any([users, groups, services]):
@@ -746,9 +742,8 @@ def main():
commands.append([name, 'vault_add_owner', owner_args])
pwdargs = data_storage_args(
- args, vault_data, password, password_file,
- private_key, private_key_file, retrieve, datafile_in,
- datafile_out)
+ args, vault_data, password, password_file, private_key,
+ private_key_file, datafile_in, datafile_out)
if any([vault_data, datafile_in]):
commands.append([name, "vault_archive", pwdargs])
if retrieve:
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
index c0af2700..6211c8d9 100644
--- a/tests/vault/test_vault.yml
+++ b/tests/vault/test_vault.yml
@@ -394,6 +394,15 @@
register: result
failed_when: not result.changed
+ - name: Archive data from a file, in standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ in: "{{ ansible_env.HOME }}/in.txt"
+ register: result
+ failed_when: not result.changed
+
- name: Retrieve data from standard vault.
ipavault:
ipaadmin_password: SomeADMINpassword
--
GitLab