postgresql_user: use standard module hashlib instead of passlib #23686
Conversation
ansibot
added
affects_2.4
|
The test |
ansibot
added
needs_revision
pilou-
force-pushed
the
postgresql_user_use_hashlib
branch
2 times, most recently
from
7f5c54b
to
b35c107
Compare
gundalow
added
ci_verified
ansibot
added
the
stale_ci
| @@ -52,8 +52,8 @@ | |||
| - > | |||
| When passing an encrypted password, the encrypted parameter must also be true, and it must be generated with the format | |||
| C('str[\\"md5\\"] + md5[ password + username ]'), resulting in a total of 35 characters. An easy way to do this is: | |||
| C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if encrypted is set, the stored password will be hashed whether or not | |||
| it is pre-encrypted. | |||
| C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if the presented password string is already in | |||
There was a problem hiding this comment.
I think "presented password string" is not correct, shouldn't it be "provided password string" ?
| C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if encrypted is set, the stored password will be hashed whether or not | ||
| it is pre-encrypted. | ||
| C(echo \\"md5`echo -n \\"verysecretpasswordJOE\\" | md5`\\"). Note that if the presented password string is already in | ||
| MD5-encrypted format, then it is used as-is, regardless of encrypted parameter. |
There was a problem hiding this comment.
I think that's "MD5-hashed", crypto people tend to complain about it.
| db_password1: '{{ item.password }}' | ||
| with_items: | ||
| - encrypted: 'yes' | ||
| password: 'secretù' |
There was a problem hiding this comment.
Can you add a comment about ù not being a typo, and being used for Unicode testing ?
| <<: *task_parameters | ||
| postgresql_user: *parameters | ||
|
|
||
| - name: Check that ansible reports they were created |
There was a problem hiding this comment.
I think that should be "it was created"
There was a problem hiding this comment.
Done (3 occurrences updated).
| - include: test_user.yml | ||
| vars: | ||
| encrypted: '{{ item.encrypted }}' | ||
| db_password1: '{{ item.password }}' |
There was a problem hiding this comment.
Since the value do not change in the loop, wouldn't it be clearer to directly put the password here directly ?
| # Cannot check if passlib is not installed, so assume password is different | ||
| pwchanging = True | ||
| else: | ||
| if ((password.startswith('md5') and len(password) == 32+3) or encrypted == 'UNENCRYPTED'): |
There was a problem hiding this comment.
I would document why 32+3 (md5 hash + size of 'MD5').
| if password != current_role_attrs['rolpassword']: | ||
| pwchanging = True | ||
|
|
||
| if not pwchanging and encrypted == 'ENCRYPTED': | ||
| if md5(to_bytes(password) + to_bytes(user)).hexdigest() != current_role_attrs['rolpassword']: |
There was a problem hiding this comment.
So, if the password start by 'md5', this trigger a special case (that's the whole point of the PR). but why do we compare the md5 of the password + user with current_role_attrs['rolpassword'], since current_role_attrs['rolpassword'] will be prefixed with 'md5' ? (ie, this would always change the password)
There was a problem hiding this comment.
You're right. I reworked the whole pull-request (the next condition was wrong too) and improved the tests.
pilou-
force-pushed
the
postgresql_user_use_hashlib
branch
from
b35c107
to
6fe3064
Compare
ansibot
removed
ci_verified
pilou-
force-pushed
the
postgresql_user_use_hashlib
branch
2 times, most recently
from
fa12292
to
065a296
Compare
|
CI failure due to traceback during integration tests on python 3: |
|
My guess is that the change in the test cases (maybe because the new password is now non-ascii?) is revealing a bug in a different part of hte code. |
|
It seems the second shippable pass with Using locally a Xenial LXC container ( Using docker, I encountered a problem using so I added do you known how to disable coverage ? |
|
I'm guessing the maximum verbosity passing is not due to the verbosity, but the fact that the test is being run a second time. |
|
Coverage is off by default. The error you're getting indicates the interpreter interception script used by ansible-test is not executable, which is an error I haven't seen before. Is your Regarding the docker error, what are you using for your docker host (platform and docker version)? |
|
If you don't mind running the tests without docker, you could try this on a system with python 3.5:
|
|
I can duplicate the exception with the following command from this branch: When the except is encountered the following variables are in play (with postgresql_user.py modified to display the following): This relates to: |
|
waiting_on: maintainer |
ansibot
added
the
stale_ci
When an unchanged MD5-hashed password was used and passlib was unavailable, an useless 'ALTER USER' query was executed. Once this useless query avoided, the last 'SELECT' query becomes useless too.
This task is only executed when the playbook has already been executed once, for example using 'ansible-test integration' with '--retry-error' switch when the first run fails. This modification allows to recreate default databases (postgres, template0 and template1) using the same encoding that the one used by the Debian package. Default encoding is 'SQL_ASCII' when default locale is not set in /etc/default/locale.
By default, client encoding is determined either from the LANG_*/LC_* environment variables or using encoding of the database. Containers used in the CI don't define a default locale, then encoding of default databases was SQL_ASCII.
pilou-
force-pushed
the
postgresql_user_use_hashlib
branch
from
d7d9579
to
114888d
Compare
ansibot
added
community_review
|
Rebased |
ansibot
removed
the
needs_ci
|
shipit |
2 similar comments
|
shipit |
|
shipit |
ansibot
added
shipit
|
bot_status |
|
waiting_on: maintainer |
|
shipit |
|
This has gotten enough shipits from various people since the last real change. Merging. |
|
merged to devel. |
ansibot
added
bug
SUMMARY
When
passlibisn't available, an uselessalter rolequery is executed.ISSUE TYPE
COMPONENT NAME
postgresql_user
ANSIBLE VERSION