diff --git a/README-vault.md b/README-vault.md
index 91d311da6201f8e3d60cdc74579e65ef7654f31b..e7a31a2e82a0f68a4c17c2af962f2121de9982fe 100644
--- a/README-vault.md
+++ b/README-vault.md
@@ -197,7 +197,7 @@ Example playbook to make sure vault is absent:
       state: absent
     register: result
   - debug:
-      msg: "{{ result.data }}"
+      msg: "{{ result.vault.data }}"
 ```
 
 Variables
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index 6a3c73e8af0b32bf58a01d36d58508c8228e5bba..8060976c2e1531583ebce5750699f9e103fcba78 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -243,7 +243,7 @@ EXAMPLES = """
     state: retrieved
   register: result
 - debug:
-    msg: "{{ result.data }}"
+    msg: "{{ result.vault.data }}"
 
 # Change password of a symmetric vault
 - ipavault:
@@ -494,8 +494,10 @@ def check_encryption_params(module, state, action, vault_type, salt,
                             new_password, new_password_file, res_find):
     vault_type_invalid = []
 
-    if res_find is not None:
+    if vault_type is None and res_find is not None:
         vault_type = res_find['ipavaulttype']
+        if isinstance(vault_type, (tuple, list)):
+            vault_type = vault_type[0]
 
     if vault_type == "standard":
         vault_type_invalid = ['public_key', 'public_key_file', 'password',
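Review bot: The fallback to the stored type subscripts `res_find['ipavaulttype']` and then `vault_type[0]` without a guard, so a lookup result that lacks the attribute or carries an empty list would end in a KeyError or IndexError traceback instead of a `module.fail_json` message. Whether the server can return such a record is not visible here, so this is a hardening suggestion: `vault_type = res_find.get('ipavaulttype')` and, inside the `isinstance` branch, `vault_type = vault_type[0] if vault_type else None`. How the checks below treat a `None` type lies outside the hunk and should be confirmed before adopting it. A comment such as `# An explicit vault_type wins; otherwise use the type stored on the existing vault (may come back as a list).` would also document the new precedence.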
@@ -515,6 +517,16 @@ def check_encryption_params(module, state, action, vault_type, salt,
             module.fail_json(
                 msg="Cannot modify password of inexistent vault.")
 
+        if (
+            salt is not None
+            and not(
+                any([password, password_file])
+                and any([new_password, new_password_file])
+            )
+        ):
+            module.fail_json(
+                msg="Vault `salt` can only change when changing the password.")
+
     if vault_type == "asymmetric":
         vault_type_invalid = [
             'password', 'password_file', 'new_password', 'new_password_file'
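Review bot: The new salt guard never looks at `res_find`, so it also applies when the vault is being created. Assuming the check just above rejects `new_password` for a vault that does not exist, a `salt` passed at creation can never satisfy it, and the user is told the salt "can only change when changing the password", which does not describe a create. If a caller-chosen salt at creation is meant to be supported, narrow the guard with `and res_find is not None`; if it is not, say so in the message and in the parameter documentation. On style, `not(` reads like a call and pycodestyle reports it (E275); write `not (`. The enclosing branch starts outside the hunk.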
@@ -766,7 +778,12 @@ def main():
                             commands.append([name, "vault_mod_internal", args])
 
                     else:
+                        if vault_type == 'symmetric' \
+                           and 'ipavaultsalt' not in args:
+                            args['ipavaultsalt'] = os.urandom(32)
+
                         commands.append([name, "vault_add_internal", args])
+
                         if vault_type != 'standard' and vault_data is None:
                             vault_data = ''
 
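Review bot: The relocated salt block carries no comment saying why a random salt is generated on the add path only. With the copies after the owner handling removed, a modification no longer appears to receive a fresh salt, and that intent is easy to undo by accident in a later refactor. A comment above the `if` would record it, e.g. `# New symmetric vaults get a random salt; an existing vault keeps its salt unless the password is changed.` The literal `32` could also become a named module-level constant so the salt length is stated once. main() continues outside the hunk.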
@@ -824,14 +841,6 @@ def main():
                         commands.append(
                             [name, 'vault_remove_owner', owner_del_args])
 
-                    if vault_type == 'symmetric' \
-                       and 'ipavaultsalt' not in args:
-                        args['ipavaultsalt'] = os.urandom(32)
-
-                    if vault_type == 'symmetric' \
-                       and 'ipavaultsalt' not in args:
-                        args['ipavaultsalt'] = os.urandom(32)
-
                 elif action in "member":
                     # Add users and groups
                     if any([users, groups, services]):
diff --git a/tests/vault/test_vault_symmetric.yml b/tests/vault/test_vault_symmetric.yml
index bedc221dd7701c69715953215673b987b94d00cd..5394c7104bad4d2bb451be113e6d192796c6a895 100644
--- a/tests/vault/test_vault_symmetric.yml
+++ b/tests/vault/test_vault_symmetric.yml
@@ -178,6 +178,15 @@
     register: result
     failed_when: result.vault.data != 'Hello World.' or result.changed
 
+  - name: Retrieve data from symmetric vault, with wrong password.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeWRONGpassword
+      state: retrieved
+    register: result
+    failed_when: not result.failed or "Invalid credentials" not in result.msg
+
   - name: Change vault password.
     ipavault:
       ipaadmin_password: SomeADMINpassword
@@ -187,51 +196,79 @@
     register: result
     failed_when: not result.changed
 
-  - name: Retrieve data from symmetric vault, with wrong password.
+  - name: Retrieve data from symmetric vault, with new password.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
-      password: SomeVAULTpassword
+      password: SomeNEWpassword
       state: retrieved
     register: result
-    failed_when: not result.failed or "Invalid credentials" not in result.msg
+    failed_when: result.vault.data != 'Hello World.' or result.changed
 
-  - name: Change vault password, with wrong `old_password`.
+  - name: Retrieve data from symmetric vault, with old password.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
       password: SomeVAULTpassword
-      new_password: SomeNEWpassword
+      state: retrieved
     register: result
     failed_when: not result.failed or "Invalid credentials" not in result.msg
 
-  - name: Retrieve data from symmetric vault, with new password.
+  - name: Change symmetric vault salt, changing password
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault
       password: SomeNEWpassword
-      state: retrieved
+      new_password: SomeVAULTpassword
+      salt: AAAAAAAAAAAAAAAAAAAAAAA=
     register: result
-    failed_when: result.vault.data != 'Hello World.' or result.changed
+    failed_when: not result.changed
 
-  - name: Try to add vault with multiple passwords.
+  - name: Change symmetric vault salt, without changing password
     ipavault:
       ipaadmin_password: SomeADMINpassword
-      name: inexistentvault
+      name: symvault
       password: SomeVAULTpassword
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      new_password: SomeVAULTpassword
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
     register: result
-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
+    failed_when: not result.changed
 
-  - name: Try to add vault with multiple new passwords.
+  - name: Try to change symmetric vault salt, without providing any password
     ipavault:
       ipaadmin_password: SomeADMINpassword
-      name: inexistentvault
-      password: SomeVAULTpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
+    register: result
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, without providing `password`
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
       new_password: SomeVAULTpassword
-      new_password_file: "{{ ansible_env.HOME }}/password.txt"
     register: result
-    failed_when: not result.failed or "parameters are mutually exclusive" not in result.msg
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, without providing `new_password`
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      salt: MTIzNDU2Nzg5MDEyMzQ1Ngo=
+      password: SomeVAULTpassword
+    register: result
+    failed_when: not result.failed and  "Vault `salt` can only change when changing the password." not in result.msg
+
+  - name: Try to change symmetric vault salt, using wrong password.
+    ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      password: SomeWRONGpassword
+      new_password: SomeWRONGpassword
+      salt: MDEyMzQ1Njc4OTAxMjM0NQo=
+    register: result
+    failed_when: not result.failed
 
   - name: Ensure symmetric vault is absent
     ipavault:
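Review bot: The three negative salt tasks ("without providing any password", "without providing `password`", "without providing `new_password`") join their conditions with `and`, so `failed_when` is false whenever the task failed for any reason and the expected message is never checked. The neighbouring tasks use `or`; change `not result.failed and` to `not result.failed or` in all three. The last task, "using wrong password", asserts only `not result.failed`, so it cannot tell a rejected credential from any other failure. If the module reports the same error there, also matching on "Invalid credentials" as the earlier wrong-password task does would pin it down. The hunk also drops the two "mutually exclusive" password tasks; unless they were moved to another file, that validation path loses its coverage.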