New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Share the implementation of hashing for both vars_prompt and password_hash #21215
Share the implementation of hashing for both vars_prompt and password_hash #21215
Conversation
CI failure due to unit test errors. Here's one of the errors:
|
36751e8
to
036e006
Compare
0f2e55c
to
1ac23f6
Compare
CI failure in unit tests due to:
The full error is quite long, so I'll just link to the logs here: https://app.shippable.com/runs/589e2dee031d631000bae9d4/2/console |
1ac23f6
to
719aa81
Compare
Thanks mattclay for your input! :) ready_for_review |
Catch and reraise is a better pattern than passing the exception in. Python 2 makes this a pain, though. Ned Batchelder has a good blog post about how to do that right: https://nedbatchelder.com/blog/200711/rethrowing_exceptions_in_python.html passlib changes number of rounds while crypt has a static value. I'm not sure of al the ramifications for that. It would mean that pre and post change, lookup('password_hash'[...]) will return different strings. If rounds is calculated dynamically at runtime, it could mean that when I use a playbook that has lookup('password_hash'[...]) on my low end laptop, I generate a different string than when someone else runs it on their high end workstation. If that's true it leads to non-repeatability of playbook runs. |
As discussed with abadger I will make sure that password_hash returns the same value for both 2.2 and when this commit is merged. Furthermore I will look into allowing a rounds parameter for crypt, for example crypt.crypt('secret', '$6$rounds=656000$abc'). Maybe I will also update the vars_prompt documentation to mention that it makes sense to specify a rounds parameter to ensure replayability. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doc updates are OK. Thanks @mfuchs!
719aa81
to
00e8c2d
Compare
Some tests fail.
This change was implemented to be more consistent overall, thus having consistency between vars_prompt and password_hash (no matter if passlib is installed or not) and not depending on the always changing defaults of passlib. |
Makes sense to me. Go ahead and change the test. |
…_hash. * vars_prompt with encrypt does not require passlib for the algorithms supported by crypt. * Additional checks ensure that there is always a result. This works around issues in the crypt.crypt python function that returns None for algorithms it does not know. Some modules (like user module) interprets None as no password at all, which is misleading. * The password_hash filter supports all parameters of passlib. This allows users to provide a rounds parameter, fixing ansible#15326. * password_hash is not restricted to the subset provided by crypt.crypt, fixing one half of ansible#17266. * Updated documentation fixes other half of ansible#17266. * password_hash does not hard-code the salt-length, which fixes bcrypt in connection with passlib. bcrypt requires a salt with length 22, which fixes ansible#25347 * Salts are only generated by ansible when using crypt.crypt. Otherwise passlib generates them. * Avoids deprecated functionality of passlib with newer library versions. * When no rounds are specified for sha256/sha256_crypt and sha512/sha512_crypt always uses the default values used by crypt, i.e. 5000 rounds. Before when installed passlibs' defaults were used. passlib changes its defaults with newer library versions, leading to non idempotent behavior. NOTE: This will lead to the recalculation of existing hashes generated with passlib and without a rounds parameter. Yet henceforth the hashes will remain the same. No matter the installed passlib version. Making these hashes idempotent. Fixes ansible#15326 Fixes ansible#17266 Fixes ansible#25347 except bcrypt still uses 2a, instead of the suggested 2b.
* random_salt is solely handled by encrypt.py. There is no _random_salt function there anymore. Also the test moved to test_encrypt.py. * Uses pytest.skip when passlib is not available, instead of a silent return. * More checks are executed when passlib is not available.
…ibleError. The password_hash filter then transforms the AnsibleError to an AnsibleFilterError.
When no rounds are provided the defaults of crypt are used. In that case the rounds are not part of the resulting MCF output.
913bbf6
to
e2224ad
Compare
Since the test is rather new I rebased on current devel + adapted the integration test. |
Merged to devel for the 2.7.0 release. Thanks @mfuchs |
awesome |
* devel: (513 commits) Fix systemd service is already masked issue (#44730) fix issue with no_log in py3 modules/terraform: Quote the variable values in the command line (#43493) YUM4/DNF compatibility via yum action plugin (#44322) BOTMETA.yml: remove superfluous labels (#44628) Share the implementation of hashing for both vars_prompt and password_hash (#21215) one_host environment variables, Fixes #44163 (#44568) ec2: add "IAM Role" to instance_profile_name ios_vrf speed fix (#43765) fix typo (#44712) junos cli_config idempotence fix (#44706) Switch to LiteralPath instead of Path. Closes #44508 (#44509) Module win_domain_computer fix delete computer with child (#44500) ACME: improve documentation (#44691) doc: fixed typo (#44685) IPA: Add option to specify timeout (#44572) Added nios_txt_record module (#39264) adds the bigip_cli_script module (#44674) Clean up BOTMETA.yml (#44574) Change validate-modules for removed modules ...
ISSUE TYPE
COMPONENT NAME
vars_prompt
filter
ANSIBLE VERSION
SUMMARY
Shares the implementation of hashing secrets for both vars_prompt and password_hash.
supported by crypt.
This works around issues in the crypt.crypt python function that returns
None for algorithms it does not know.
Some modules (like user module) interprets None as no password at all,
which is misleading.
This allows users to provide a rounds parameter, fixing password_hash/get_encrypted_password uses passlib default of rounds=656000 which is 131 times glibc default #15326.
fixing one half of properly support passlib module in password_hash #17266.
in connection with passlib.
bcrypt requires a salt with length 22.
Otherwise passlib generates them.
Fixes #15326
Fixes #17266