Update password_hash.yml

[artificial-intelligence]

add missing bcrypt docs

[bcoca]

i would not add the _crypt versions as explicit options, but update the code to try/retry with non _crypt and _crypt

[artificial-intelligence]

I'm fine either way, can you two then maybe talk about this, because you two are imposing conflicting views on me? I just wanted to fix the missing bcrypt.

[Akasurde]

@artificial-intelligence Please go ahead with @bcoca's review and discard mine.

[artificial-intelligence]

okay, but:

[...]but update the code to try/retry with non _crypt and _crypt

I'm not sure how this should be implemented here, as I'm just a drive by contributor, I'm not deeply familiar with this codebase.

I see no retry logic at all here, could you give me a hint on how this is supposed to look like?

Maybe I also misunderstood this comment.

[bcoca]

to the list, just add bcrypt as you were doing originally,

then in the code we have to do something like:

try:
     function(hashtype)
except ...:
    function(hashtype + '_crypt')

But that might be asking too much of you, just do the first change and we'll add the 2nd

[artificial-intelligence]

I have done so. I'm currently not really finding the place where you would add that try except block - I thought I could give it a try - this doesn't seem to be located in the utils/encrypt.py?

[bcoca]

something liek this (untested):

diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index 09820faa7c..f3d700f0a8 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@@ -292,16 +292,23 @@ def get_encrypted_password(password, hashtype='sha512', salt=None, salt_size=Non
         )
 
     try:
-        return do_encrypt(password, hashtype, salt=salt, salt_size=salt_size, rounds=rounds, ident=ident)
-    except AnsibleError as e:
-        reraise(AnsibleFilterError, AnsibleFilterError(to_native(e), orig_exc=e), sys.exc_info()[2])
+        try:
+            return do_encrypt(password, hashtype, salt=salt, salt_size=salt_size, rounds=rounds, ident=ident)
+        except AnsibleError as e:
+            reraise(AnsibleFilterError, AnsibleFilterError(to_native(e), orig_exc=e), sys.exc_info()[2])
+        except Exception as e:
+            if unknown_passlib_hashtype and not hashtype.endswith('crypt'):
+                return do_encrypt(password, hashtype + '_crypt', salt=salt, salt_size=salt_size, rounds=rounds, ident=ident)
+            raise
+    except AnsibleError:
+        raise
     except Exception as e:
         if unknown_passlib_hashtype:
             # This can occur if passlib.hash has the hashtype attribute, but it has a different signature than the valid choices.
             # In 2.19 this will replace the deprecation warning above and the extra exception handling can be deleted.
             choices = ', '.join(passlib_mapping)
-            raise AnsibleFilterError(f"{hashtype} is not in the list of supported passlib algorithms: {choices}") from e
-        raise
+                raise AnsibleFilterError(f"{hashtype} is not in the list of supported passlib algorithms: {choices}") from e
+            raise AnsibleFilterError("Could not hash the password", orig_exc=e)
 
 

[bcoca]

actually, just saw easier/better

diff --git a/lib/ansible/plugins/filter/core.py b/lib/ansible/plugins/filter/core.py
index 09820faa7c..e3bbd7e6df 100644
--- a/lib/ansible/plugins/filter/core.py
+++ b/lib/ansible/plugins/filter/core.py
@@ -284,13 +284,21 @@ def get_encrypted_password(password, hashtype='sha512', salt=None, salt_size=Non
 
     unknown_passlib_hashtype = False
     if PASSLIB_AVAILABLE and hashtype not in passlib_mapping and hashtype not in passlib_mapping.values():
-        unknown_passlib_hashtype = True
-        display.deprecated(
-            f"Checking for unsupported password_hash passlib hashtype '{hashtype}'. "
-            "This will be an error in the future as all supported hashtypes must be documented.",
-            version='2.19'
-        )
+        if hashtype.endswith('crypt'):
+            unknown_passlib_hashtype = True
+        else:
+            crypt_hashtype = hashtype + '_crypt'
+            if crypt_hashtype in passlib_mapping or crypt_hashtype in passlib_mapping.values():
+                hashtype = crypt_hashtype
+            else:
+                unknown_passlib_hashtype = True
 
+        if unknown_passlib_hashtype:
+            display.deprecated(
+                f"Checking for unsupported password_hash passlib hashtype '{hashtype}'. "
+                "This will be an error in the future as all supported hashtypes must be documented.",
+                version='2.19'
+            )
     try:
         return do_encrypt(password, hashtype, salt=salt, salt_size=salt_size, rounds=rounds, ident=ident)
     except AnsibleError as e:
@@ -301,7 +309,7 @@ def get_encrypted_password(password, hashtype='sha512', salt=None, salt_size=Non
             # In 2.19 this will replace the deprecation warning above and the extra exception handling can be deleted.
             choices = ', '.join(passlib_mapping)
             raise AnsibleFilterError(f"{hashtype} is not in the list of supported passlib algorithms: {choices}") from e
-        raise
+        raise AnsibleFilterError('Could not hash password', orig_exc=e)

[Akasurde]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).